My name is Carey Nachenberg and I’m a Symantec Fellow and Vice President in our CTO organization. I’ve been with Symantec a whopping 23 years (if you count both my internships and full-time employment at the company) and have seen the company go through many changes over the years. However, I believe that the biggest changes are yet to come.
Over the past two years, I’ve been working with technical leaders around the company on a new vision for the future of cyber-security – a vision that will finally address the targeted threat challenge, and one that promises to fundamentally change the way corporations implement and manage their security. Now that we have reached clarity on this vision, I’d like to share it with you in this three-part blog.
I look forward to your candid feedback and thoughts.
Part 1: The As-is State of Cyber-security
Whitelisting, virtual execution, hypervisor sandboxes, next-gen firewalls – it seems that every security vendor has its own silver-bullet “solution” for targeted attacks. The problem is that each of these solutions poses its own management challenges – each generates its own unique classes of false alarms, each requires specially-trained (and expensive) security staff to manage it, and many of these solutions are so invasive that they can only be deployed in “monitoring” mode lest they disrupt mission-critical systems and employees. And most importantly, these products still fail to detect many targeted attacks. Why? Because we’re fighting an asymmetric battle – the attackers can simply buy and reverse engineer the very products that we use to defend your enterprise. They know its holes and blind spots intimately. And how about integration? Many corporations dedicate huge amounts of resources to doing their own manual integration of their siloed security offerings; this yields an improvement in protection, but at unacceptable cost. Finally, the reality is that none of these solutions is foolproof – since each solution takes only a myopic view of the security problem, no one solution has the global visibility required to detect many targeted attacks.
Yet you’ve deployed these security products. They’re on every endpoint. On every network and every gateway. And they have a huge amount of visibility into what’s going on in your environment. But they’re under-utilized. And they’re myopic. They don’t take a worldview.
Perhaps we simply need to just pump all those point-product alerts into a SIEM system? That would help, wouldn’t it?
SIEM systems are actually quite myopic as well – their event correlation typically only considers events seen within a limited window of time (often just a few hours), meaning that low-and-slow attacks – a staple of the targeted attacker – will evade detection, because no single window ever contains enough related events to cross a rule’s threshold. And, for that matter, SIEM systems are only as good as the rules authored by their administrators. If an administrator doesn’t have a detailed understanding of their adversary’s MO, they can’t begin to create rules to discover that attacker’s activity; how many security admins have the bandwidth to investigate all the major attacker networks on a daily basis and profile their evolving techniques? And, finally, even with all of the marketing claims, today’s security point products are often blind to targeted attacks, and if the products don’t generate alerts, the SIEM system will have nothing to correlate to detect an in-progress attack. Garbage in, garbage out.
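To make the correlation-window point concrete, here is an added example that is not part of the original post and not any vendor’s actual rule logic. It runs two hypothetical detection rules over a constructed set of failed-login events: a classic sliding-window rule (five failures from one source within an hour) and a longer-horizon rule that profiles how many distinct accounts a source has failed against over seven days. The IP addresses, account names and timestamps are all made up for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): (timestamp, source_ip, user, outcome)
BASE = datetime(2014, 3, 1, 0, 0, 0)


def build_events():
    events = []
    # Background noise: a few ordinary failed logins from assorted sources.
    for i in range(6):
        events.append((BASE + timedelta(hours=7 * i), f"10.0.0.{i + 2}", f"user{i}", "fail"))
    # Low-and-slow password spray from 10.0.0.99: one failure every two hours,
    # rotating through 20 accounts for five days (60 attempts in total).
    for i in range(60):
        events.append((BASE + timedelta(hours=2 * i), "10.0.0.99", f"user{i % 20}", "fail"))
    # Noisy brute force from 10.0.0.50: eight failures against one account in ten minutes.
    for i in range(8):
        events.append((BASE + timedelta(days=2, minutes=i), "10.0.0.50", "admin", "fail"))
    events.sort(key=lambda e: e[0])
    return events


def windowed_rule(events, window=timedelta(hours=1), threshold=5):
    """Typical SIEM correlation rule: alert when one source produces at least
    `threshold` failures inside a sliding time window. Anything older than the
    window is forgotten, which is exactly what a slow attacker relies on."""
    recent = defaultdict(deque)  # src -> timestamps of failures still inside the window
    alerts = set()
    for ts, src, _user, outcome in events:
        if outcome != "fail":
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.add(src)
    return alerts


def long_horizon_rule(events, horizon=timedelta(days=7), min_accounts=10):
    """Longer-horizon profile: per source, count the distinct accounts that saw a
    failure within `horizon`. A spray that never trips the short-window threshold
    still accumulates a tell-tale number of targeted accounts over days."""
    seen = defaultdict(dict)  # src -> {user: timestamp of most recent failure}
    alerts = set()
    for ts, src, user, outcome in events:
        if outcome != "fail":
            continue
        seen[src][user] = ts
        # Drop accounts whose last failure has aged out of the horizon.
        seen[src] = {u: t for u, t in seen[src].items() if ts - t <= horizon}
        if len(seen[src]) >= min_accounts:
            alerts.add(src)
    return alerts


if __name__ == "__main__":
    evts = build_events()
    print("1-hour window rule alerts on:", sorted(windowed_rule(evts)))
    print("7-day profile rule alerts on:", sorted(long_horizon_rule(evts)))
```

The hour-long window catches only the noisy brute force from 10.0.0.50; the spray from 10.0.0.99 never puts more than one failure inside any single window and is invisible to it. The seven-day profile catches the spray instead, but not the single-account brute force, so the two rules are complementary rather than interchangeable. Note that the long-horizon rule must keep per-source state across days, which is the memory and design cost a short-window correlator avoids, and that someone still has to know that account rotation is the adversary’s pattern before the rule can be written at all.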
In those cases where an enterprise does determine that it’s under attack, figuring out the whos, whats, whens, wheres and hows is a tedious, imperfect process. Often, artifacts of an attack are long gone by the time the investigation takes place, meaning that the enterprise may never know the scope of an intrusion. And of course, it goes without saying that such an investigation will be extremely expensive and disruptive as an army of trained consultants swoops in to investigate.
Finally, today, security practitioners operate largely in a vacuum, or, at best, in limited ad-hoc professional networks. If you want to know who else in your industry has encountered a particular suspicious file, or which other corporations have machines communicating with a suspected C&C server, you’re out of luck. Ditto for finding out what techniques your peers are using to defend against these attacks.
So to summarize – the attackers are winning. The defenses we have are ill-suited to today’s targeted threat environment. They’re not integrated. Corporations can’t afford the highly trained staff required to manage their dozens of security products and keep up with the attackers. And even when we detect attacks, determining the scope of an intrusion and remediating it is expensive and fraught with difficulties. Finally, security practitioners operate largely in isolation, further limiting their ability to defend their enterprises.
This is the as-is state of the world and it has reached critical mass.
This concludes the first installment of my blog on The Future State of Cyber-security. Next week, I’ll be posting part two. I look forward to your thoughts on this topic.