This year’s Black Hat was one for the books — beginning with a call to action for all of us in the community to realign our thinking around security outcomes while spreading information security culture to more stakeholders. We’ve reached a point of diminishing returns where traditional security offerings aren’t cutting it anymore — no matter how many expensive resources are thrown at the problem. Yet, the show floor was still filled with point solutions aiming to solve just one of the many threats we face on a daily basis.
The security paradigm of the past isn’t effective at protecting applications and data against the constant barrage of threats we see every second. A study Citrix commissioned with the Ponemon Institute found that 37 percent of businesses do not feel they are effectively controlling access, and multi-factor authentication isn’t doing enough by itself to protect information on devices, servers or in the cloud. And while the show this year encouraged us all to think differently about our culture, we also need to reevaluate our notions of the attack surface. What are attackers after? Data. In mass quantities for mining. They’re after interesting organizations in any and all industries — whoever will yield the biggest payday. Damaging breaches have seemingly forced organizations to shift focus excessively to pressing concerns — devoting substantial time and our very limited resources mainly to reacting to immediate threats. Is this sustainable? No.
But all is not lost — there were some great conversations at Black Hat about digging our way out of the current security abyss by leveraging newly formulated strategies and insights. As a community, we first need to focus on security outcomes, leveraging a results-oriented and risk-based approach to prioritize architectures, activities, time management, technology spend and response. Note that this is in direct contrast to the reactive posture that constantly throws technology and people at evolving security challenges. And evolved strategies and insights that focus businesses on outcomes are a wake-up call for those who are underwhelmed by yesterday’s security results.
To think differently today and improve the outcomes of our security investments, there are a few key areas businesses need to prioritize.
Here’s an initial set we suggest focusing on:
- Revisit your patching strategy. Companies have been experiencing downtime due to ransomware, often because of delayed application of patches across operating systems, infrastructure and applications. Patching should be one of the highest priorities, as known vulnerabilities present one of the easiest ways for attackers to get in. Don’t let a simple patch be the reason your data is at risk! And, if patching is stretching your limited resources, investigate cloud-based solutions that keep your critical systems up to date.
- Develop a Cloud Endpoint Strategy. The endpoint — whether it’s a desktop, laptop, tablet, smartphone or another device — is essential to maintaining end-to-end security. While the risk of data being stolen from a device can be minimized with virtualization, containerization and application-specific security policies, the risks presented by endpoints should not be forgotten — especially for those that go directly to the cloud. Note that cloud apps and administration position the browser as a critical security control — and yesterday’s approach to browser security is definitely not up to the task. What’s your cloud endpoint strategy?
- Integrate artificial intelligence and machine learning. These are great tools to show the correlation and progression of security events. But AI and machine learning shouldn’t just be seen as “Logging++”. These emerging technologies can help automate low-risk tasks, so security and IT teams can focus on more complex events and strategic outcomes. Distilling the information provided by AI and machine learning to make more informed business decisions focuses business resources and staff where they will be most effective. These tools can provide greater visibility and context into the overall business and fuel more intelligent conclusions.
- Automate the mundane. Combining the insights of AI and ML with business workflows allows automation to assist in tackling some of the staffing challenges we’re facing in the security industry. A report from the Center for Cyber Safety and Education found that by 2022, there will be 1.8 million unfilled positions in security. To address this shortfall, we can look to automation as an assistant that handles the mundane and lets us know what’s truly important. Increased automation enables experts to focus on meaningful security outcomes and make intelligent decisions that require human insights, such as resource allocation and proactive threat management. Humans are still the smartest technology – with automation promising to make security careers even more attractive and rewarding!
- Respond as a Stakeholder. Breach response and remediation must extend outside of IT to involve all stakeholders of the affected application, system or service. Stage a mock breach (or use a recent example) to highlight how the organization responds and what needs to be optimized to achieve desired outcomes. This exercise often highlights outdated policies and procedures (such as the patch management example, above) that need to be modernized to align organizational commitments and IT mandates. And a focus on critical organization threats, risks and priorities often brings IT back into discussions that they may have been excluded from due to past security postures.
The 20th anniversary of Black Hat has shown clearly that the security community extends way outside of IT. Now is a great time to align all key stakeholders around security outcomes and continue to expand security cultures across organizational boundaries, as we’re all in this together!