Bring the Noise: Shellshock, Heartbleed and the InfoSec Struggle Not to Fall Behind
Is Shellshock worse than Heartbleed? Is the Home Depot breach worse than the Target breach? Is on-prem safer than public cloud?
These are all examples of wrong questions. Their answers are irrelevant.
Last month, notable infosec journalist Violet Blue wrote about the growing risk to enterprises as the IT security talent pool becomes increasingly shallow. The gap between threats that are growing in number and sophistication and the resources needed merely to keep pace with what’s happening in the hacker world is widening, which means most organizations are falling behind.
At the same time, it is staggering to consider the scalability and agility needed by both IT and business units to adopt the cloud, migrate, rapidly scale and harness the myriad new technologies emerging from this movement to create new stack infrastructures.
While DevOps teams are heralded as champions of modernization, IT security organizations are stretching thinner and finding it hard to keep pace with change. And since the infosec cavalry isn’t riding over the hill with new recruits any time soon, we have two choices: darken our blinders or do something about it.
Part of the problem with current staffing is that mission creep has resulted in a lack of focus, and that lack of focus means no one can distinguish actual threats from all the worrisome turmoil. As a result, information security has become like the SETI project, where massive radar antennae gather as much noise as possible from the vast emptiness of space in hopes that something, someday, will be a signal generated by some form of intelligent life.
More concretely, when the Target breach was announced earlier this year, the news was abuzz with the revelation that Target’s security team had been alerted that POS malware had been detected on its network. However, deeper investigation revealed that Target’s security team received hundreds of such alerts every day, which would have made it nearly impossible to single out that one alert as particularly malicious, especially since it was a “generic” malware alert with little additional information about the attackers or their attack vector.
In fact, speak to any member of an enterprise security operations team and they will tell you that they are bombarded with alerts. They get so many that they just don’t respond to everything. They will likely sympathize with the Target security team because it’s completely understandable how the miss happened.
In his keynote at this year’s Black Hat USA conference, infosec luminary Dan Geer stated:
When younger people ask my advice on what they should do or study to make a career in cyber security, I can only advise specialization. Those of us who were in the game early enough and who have managed to retain an over-arching generalist knowledge can’t be replaced very easily because while absorbing most new information most of the time may have been possible when we began practice, no person starting from scratch can do that now. Serial specialization is now all that can be done in any practical way.
This need for specialization is bad news for enterprise security because it means hiring more people with very specific skill sets: people who are capable of identifying and triaging internal vulnerabilities as well as external threats.
When your IT security skeleton crew doesn’t know what it’s looking for, chances are it will miss what it should have noticed when it happens, even if it’s obvious in hindsight. Consider this article from Salon, published in the wake of the iCloud compromise story, in which a London software developer reportedly told Apple about the vulnerability that allowed hackers to access private nude images of celebrity users six months before the photos were made public.
The best way to address this situation is to first recognize that not all data is created equal: while a compromise in one area might well be tolerated, another could put the company at grave risk. The company must therefore adopt a defined risk appetite for data loss (in other words, design for breach and assume breach) and invest in the relevant compensating controls. Of equal importance, it requires organizational acceptance of the fact that adopting external services, such as enterprise SaaS applications, likely improves (rather than degrades) your corporate security posture, because those vendors are better equipped to recruit and maintain security teams with the specialized skill sets necessary to keep up with today’s and tomorrow’s threats.
Feature image via Flickr Creative Commons
Adallom is a sponsor of The New Stack.