The attackers have won.
This fact is at the center of a major paradigm shift in computer security. Hackers and security professionals have known forever that a sufficiently motivated attacker will always breach a system, but business leaders and the public thought that walls could keep attackers out.
No one is deluded anymore, Even Symantec has admitted that Anti Virus software doesn’t work. Though that is because they don’t think it will sell anymore and they are pushing a new solution. 😉
A real reason for this shift is that executives are now being held responsible for security; people getting fired and sued are big motivating factors. The CEO of Target was fired after their very public security breach.
We used to naively believe that security was actually possible, and that with firewalls and code reviews we could keep most attackers out.
Back at @Stake, we used to use the onion and the egg metaphor to explain defense in depth. An egg has a hard protective shell, but once it is broken, the inside is soft and gooey, like the network behind a firewall.
An onion has several protective layers. Try dropping both from six feet and the point is obvious.
So we promoted security audits, code reviews, and defense in depth. But all of these solutions assumed that a secure system could be built, that given enough layers a site would be secure.
We are now learning that it is a process for both security and response; moving faster than your attackers, not just building roadblocks in front of them.
So what’s next?
The future involves detection and response. If an attack can’t be prevented, we need to minimize the cost of losses and remediation. We should be able to quarantine and clean bad machines in seconds. “Big data” should tell us which machines have been compromised. Cloud File storage should allow us to actually protect important files since they only reside in one place, as opposed to having a copy on every laptop.
I’m thinking about three legs to the stool:
- Detection: their are multiple ways a system breach can be detected after the fact, this will bring down the time an attacker controls a machine.
- Remediation: the tools of forensics aren’t tuned to the quick quarantine and cleanup of a machine.
- Data Loss Protection: DLP has always sucked, but perhaps now that files are all stored in a single central spot we can make this really work. Perhaps we can prevent our IP from being sent out even if a machine is breached.
The attackers have won; now we may finally get secure systems.