15 May Threat Evolution and the Economics of Cybersecurity [Q&A with John Pirc, Author and Security Expert]
Note: John Pirc’s thoughts and comments are his own and are not representative of Secureworks.
The refrigerator was internet-enabled, a recent evolution of the internet of things (IoT). Unfortunately, the product was rushed to market and security was merely an afterthought. That’s how a refrigerator winds up as the weakest link in enterprise network security.
The malware got in through that device the night before and spread to other devices in the home, including the home office. When the remote worker logged into the corporate network through a VPN the next day, the malicious code successfully gained entry to the enterprise, and it began to spread laterally.
That’s the nightmare scenario that keeps folks like John Pirc up at night. It hasn’t happened yet, but he thinks it’s coming and he’s doing everything he can to help businesses prevent it.
The co-author of three books on cybersecurity and the director of product management for the Managed iSensor IPS product for Secureworks, he’s put a lot of thought into the economics of security, threat forecasting and the adaptability of cybersecurity products.
We had the good fortune of catching up with him for an interview by phone and posed several questions we think will be of interest to the community here.
1) From an enterprise perspective, what are the biggest challenges in security today?
There are many challenges, but three stand out for me:
a) The move to hybrid infrastructures
Many enterprises are shifting from an on-premise IT infrastructure to cloud like AWS or hybrid solutions. This is especially true for email. Microsoft Office 365 is a popular solution and I am seeing many organizations in the education vertical going to the Google G Suite.
This is a challenge from an architectural-security perspective. The cloud creates a broader attack surface, and security professionals don’t have the visibility into the infrastructure.
b) Attacks are truly more sophisticated
I know we hear that every year, but it’s true. You can only see so much on the endpoint and the bigger concern is shifting to the network. We have malware today that lives in memory and fileless attacks are on the rise. The security tools developed yesterday weren’t designed for this and so we need better detection capabilities and open security systems.
c) Hiring and staffing are cost prohibitive
Many large enterprises are invested in specialized environments – virtualized with VMware for example. This requires security experts in that specialty and it’s very costly. In addition, security has become an operation that runs 24 hours a day – and seven days a week. To find, hire and staff specialists at that pace is even more expensive.
This is why I think what Bricata is doing is so interesting. It’s providing the ability for someone who is not an expert, but who has some insight into what they are looking for, to easily pivot from detection into threat hunting – and without the time and cost it usually takes to train them. This is the sort of user experience (UX) the security community needs.
2) You co-wrote a book on the economics of cybersecurity. It reminded me of an article in Fortune that said, “a penny of offense can defeat a dollar’s worth of defense.” Do you think that’s true? If so, how do you fight that?
It’s an arms race. Certainly, you have to add additional means of detection – machine learning, artificial intelligence and predictive intelligence all show promise. But it is expensive.
On the other hand, hacking-as-a-service or ransomware-as-a-service is just the threat of the day. It’s cheap and it scales well, but it’s not that sophisticated. I’d venture that the really sophisticated attacks by nation states are probably funded by similar amounts of money as what enterprises spend in defense.
Still, the majority of attacks still come through email – someone clicks a link and downloads malware – and it’s on. People tend to think of hackers as breaking down the door to get in, but really, most of them merely initiate attacks by getting people to invite them in.
When we think about trends like bring-your-own-device (BYOD), that elevates the risk and the surface area of attack substantially. The remote worker is at home on their Wi-Fi, downloads something bad and then goes to the office and pops on the corporate network. At that moment, they have bypassed all the traditional perimeter protections and the infection moves east and west to spread laterally. This is why the placement of network security instruments is something security operations should be thinking about carefully.
It’s always going to be an arms race. Security has to be right 100% of the time and the bad actors just have to be right once.
3) Economics is one of those pressing issues: security keeps going back to the CFO with outstretched hands looking to buy more tools. And the CFO is saying, ‘what’s wrong with the tool you bought last year?’ Does security really need more tools?
The tools and abilities to defend against threats change because the threats themselves change – and fast. You definitely can and should be smarter about what you buy.
For example, I think security should look for tools that have multiple detection capabilities baked in, which is what Bricata is doing with Bro, Suricata and Cylance all built on a single box. Buyers also need to look for open platforms and tools that play well with others in order to adapt to new threats.
The 2011 RSA hack is a good example. Someone downloaded a spreadsheet infected with malicious code…and at that point, they were owned. The traditional signature-based perimeter defense couldn’t stop this and that’s when sandboxing technology like those offered by FireEye and Fidelis went mainstream.
At that time, I worked for another company and managed an intrusion prevention system (IPS). The market wanted us to add sandboxing capability but we couldn’t. That particular technology was a closed platform. It wasn’t designed to share data, so we couldn’t simply plug sandboxing technology in, we’d have to build it and it would take 18-to-24 months to complete.
I’d estimate there are some 14,000 to 16,000 common vulnerabilities and exposures (CVE) reported every year, but there are millions of malware variants. So, yes, the market has to go look at new tools to defend against emerging new threats.
4) What should security professionals look for in new cybersecurity tools?
Buyers should look for platforms that are open, those that offer multiple APIs, adapt to new threat intelligence, or integrate with a SIEM easily, for example.
I’ll give you a non-security example. Apple is a closed platform. The company controls everything that happens around its technology. By contrast, Google supports an open platform and it allows them to foster an ecosystem that allows them to serve the enterprise, SMB and consumer markets.
Security vendors need to think more like this and how they can work better together. What Bricata is doing with Cylance and other technologies is a good example because it allows you to evolve with the threats. You have the focus to be a network security control point that provides good detection and prevention, but then because you are open, you have the flexibility to pivot to threat hunting.
Sure, if you only have signature-based detection, your product is dead. But if you are open and can adapt to new conditions, then you remain relevant. The IPS market is in the neighborhood of a $1.4 billion market, but by 2020, analysts predict some 30% of the IPS deployments will be in the cloud. This is how security products should evolve.
5) In the opening of an RSA session where you presented, you mention you’ve done some product testing, that is making sure vendor products do what they say they can do. There are so many products on the market today, what are some tips for a customer trying to figure out what they need?
Customers are fairly dependent on third-party testing by analysts or benchmarking organizations where it exists. Gartner, of course, is reputable and useful for looking at vendor strength and weaknesses.
It’s also worth your while to examine the claims vendors make in the product collateral during the review phase. When it comes to network intrusion detection and prevention, I recommend looking at two very important measures of performance: throughput and latency.
It’s important to look at these in a mobile environment as well because mobile traffic has small packets that can increase latency 10-fold. When it comes to voice and video, which are applications the business needs, this can lead to dropped calls.
6) You co-wrote a book on threat forecasting which examines in part, preparation. What should we be doing to be better prepared for threats?
Threat forecasting is going to be big and we lay out a manifesto in the book. Doing this effectively has a lot to do with data sharing among security vendors and the ability to visualize the information from a high level in order to make threat predictions.
I like to make an analogy to weather forecasting, and specifically, tornados since these are prone to happen where I live in Austin, TX. If we get a tornado watch, that means there’s a potential for a tornado to occur. I might tie down the lawn chairs, but there isn’t anything specifically that I can do.
If we get a tornado warning, however, I now know a twister has touched down and these things have a specific path. I can see if my home is in the forecasted path and take immediate action – like taking shelter.
We need to get cybersecurity to this level of predictability. Right now, we have general threats, for example, banks are a target, so the banks might tie down the lawn chairs. But we need to put little satellites out there like we do for the weather, so we can predict the path – that these banks, in these cities are a target.
Predictions aren’t 100% but if I know there is a good chance a specific threat is about to roll up to my doorstep, I can do something about it. I started working on that book in 2012 and people called me crazy, but that’s where things are headed.
If you think about that in the context of IoT and the remote worker in the previous example I gave above, we are talking about the risks and predictability of threats in a connected world. These threats can come in through your refrigerator at home, and then you fire up your VPN for work and then bad guys get in because you and your device are trusted.
* * *
Thank you for a fantastic interview! Readers can find more from John Pirc here: