For the past six weeks, I have been listening to the rumbles and fallout of the RSA conference.
No, that's not quite correct. It's not been the fallout from the conference itself, but of the gauntlet thrown by RSA's new president, Amit Yoran.
In his keynote address, Yoran called out the security industry for its "dark ages" approach to the problem of security, laying out five tenets for navigating the terrain of today's new security battlefield.
While I was not in attendance at RSA this year (San Francisco for a conference or the Caribbean for my wife's birthday? Hmm...), I read both the RSA press release and a transcript of the address in the days after the event.
I am wholeheartedly supportive of Yoran's overall message regarding the need for both the security industry and the security profession to adjust their thinking regarding the problem and the fight. Should we fail to make such an adjustment, we will continue to be viewed as an obstacle to success and an impediment to revenue. And, should we continue to fail in our perceived mission, we risk being viewed as an ineffective drag on profitability.
That being said, as the profession reaches to pick up the gauntlet that Yoran has thrown, it is important to understand the full context of the battlefield on which we fight. Yoran pulls upon his experience as a West Point graduate and former military officer. As another graduate and former military officer, allow me to continue the analogy by doing some old-fashioned "intelligence preparation of the battlefield (IPB)" and take a deeper look at some of the battlefield conditions we face daily.
1. We need to preach to the masses, not to the choir.
"Let's stop believing that even advanced protections work. No matter how high or smart the walls, focused adversaries will find a way over, under, around, and through."
My first thought when I read this statement was, "Preach it, brotha!" Every board member and every executive I meet when I take a new job wants to know that they are "safe." I spend much of my time during the first 30 days of any new gig reminding executives that as long as they are open for business they will never be completely invulnerable.
My next thought around this point, though, was to hope that members of the security industry (those professionals who create and market the wonderful tools, technologies, and services we all use) and not just the security profession (in-house personnel currently working to protect an organization's resources) heard what Yoran was saying. While it remains true that any professional who thinks they can make an enterprise invulnerable needs a wake-up call, it is equally true that members of the security industry also need to stop making promises of nirvana and panacea—and not just to us, but to those around us who can influence purchasing.
How many of us continue to have to address the CFO, CIO, or CEO who "just talked to XYZ Vendor and they said we can't be compliant/secure/grow hair/stop global warming without their product"? Indeed, as C-level security professionals are increasingly weaving a story of managed risk and potential vulnerability, the security industry has begun to find points of entry into the enterprise that do not involve us. Yoran alludes to such promises being made during his address, but this point should not be glossed over, as it is a contributor to some of the challenges we face daily while attempting to secure the enterprise.
2. There is a cost associated with visibility - and that cost exists outside of the security budget.
Yoran advocates for "a deep and pervasive level of true visibility everywhere—from the endpoint to the network to the cloud." He goes on to describe true visibility as including things such as full packet capture; endpoint compromise assessment visibility; and a detailed understanding of which systems are communicating with which, and what's being communicated.
Many security professionals are faced with the every-present quandary of obtaining complete, detailed, and accurate data flow diagrams within older, multi-faceted enterprises. In many cases (except in heavily regulated spaces), these diagrams do not exist until security personnel ask for them, and when provided, their accuracy levels tend to be suspect. Further, assuming the data flows exist, the level of potential increase in bandwidth and horsepower on the network and the systems themselves in order to provide "true visibility" may be punitive and/or force systems upgrades and unexpected costs within the IT organization. (Think I'm kidding? How many of you reading this article have been told that "turning auditing on for <insert system here> will kill the server/bog down the application/consume too much bandwidth"?)
3. You can't ignore the rest of the I-AAA equation.
Yoran rightfully discusses the importance of Identity and Access "[i]n a world with no perimeter and fewer security anchor points." Let us remember, though, that there are two other As to the I-AAA equation, and at least one of them is of equally (if not more) critical importance in the current terrain: Authorization.
Pop quiz, everyone: Raise your hand if you can, with 100% certainty, guarantee that you know exactly the privileges and roles for absolutely every system and person in your organization AND that they are 100% complete, accurate, and appropriate. I'm not talking about the quarterly sign-offs that organizations do in lieu of the in-depth visibility that Yoran is referring to, but rather a detailed role mining and mapping of every system and every application in the enterprise to a meticulous level of detail that ensures entitlements are tight and accurate.
Most mature enterprises struggle with I-AAA over time. Unless the organization has either (a) taken the opportunity to maintain entitlement and role accuracy throughout its life cycle, or (b) invested the time (and not insignificant dollars) to do the detailed analysis and mapping, the result is a level of blindness to entitlements which is a (if not the) major contributor to security professionals maintaining a border-centric outlook.
If I don't know who you are and/or whether where you are allowed to go is appropriate, then the easiest solution is to build a wall and limit the entries/egresses to the castle. Cleaning up the authorization problem requires a level of (expensive) buy-in from IT and the organization as a whole. Many organizations do not see the criticality of such an expense yet still wish for the flexibility of a borderless environment, placing the security professional in the awkward position of appearing to be a Luddite and an inhibitor to the business or weakening (if not eliminating) the ROI associated with borderless cloud-based operations.
4. Asset categorization, to be useful, requires a depth of understanding of the enterprise and data flows.
In most organizations, at least part of the assets considered to be critical and/or high value would be data. Strongpointing your defenses around critical assets which house the data is a good start, but it also means controlling who has access to that data and the systems which communicate to/from that critical asset. In other words, in order to effectively accomplish Point 5 of Yoran's five-point plan, Points 2 (deep visibility) and 3 (strong identity and access) need to be accomplished first. Again, these objectives will require buy-in and expense outside of security's bailiwick in order to succeed.
Amit Yoran's call to arms is one that is timely, accurate, and well needed—as far as it goes. Yes, security professionals need to look at the problem differently and more holistically, but I would also contend that many (most?) C-level security professionals already do this and are actively educating our teams and constituents appropriately. The challenge, however, in operating in a manner reflective of a proper mindset is to change the conditions of the battlefield upon which we engage.
The security profession continues to refine our language and our metrics to discuss the causal relationships between incomplete data flow analysis, I-AAA concerns, and the increased risks of tearing down borders—with mixed success. The border is effectively dead, yes, but security professionals cannot maintain comparable levels of risk to the enterprise if we tear down the borders without addressing the areas in Yoran's five-point treatise. This requires those we serve to (a) prioritize the efforts necessary to allow the depth of insight into the enterprise necessary to manage risk in a borderless world, and (b) accept the fact that regardless of this level of detail we will be compromised to some extent.
(Let's not forget, either, that the security industry will need to continue evolving its toolset and its message, to include delivering this same message to the Boards of Directors and chief technologists whom we serve, and eschewing discussions about security which do not include members of the security team.)
Understand that I offer this analysis not as an excuse for inaction, but rather as a completion of the treatise offered by Yoran. Throwing away the old maps, as he suggests, is important, but equally important is acknowledging the limitations of the terrain upon which we Warriors of the Light do battle every single day (even as we struggle to modify the terrain to suit our needs).
Yoran has thrown down a gauntlet to the security industry and the security profession alike; however, I believe what he will find is that many of us picked up this gauntlet many moons ago and are already fighting the good fight. Welcome to the line, Brother Amit. Your shield, your sword arm, and your voice are more than appreciated.
My two cents.
