….two friends are walking through the woods. As they round a corner on the trail, they spot a big, agitated grizzly bear getting ready to charge. One of the friends grabs his running shoes out of his pack and starts to put them on. The other says to him, ‘Are you crazy, what are you doing? You can’t outrun a bear!’ His friend says, ‘I don’t have to outrun the bear… I just have to outrun you!’
When my career in the information security industry started back in the mid-to-late 1990s, I was listening to some of the top security experts in the telecom industry discuss their strategies for protecting their organizations. As the discussion concluded, one of the panelists pointed to the others on stage and said, “Listen. I don’t need to be better than the attackers. I just need to be better than these two guys.”
In the days of opportunistic nuisance attacks, that well-known industry metaphor resonated, and even made for an arguably effective strategy. Like the bear, those attackers charged after the easiest target. In other words, they reached for the lowest-hanging fruit they could find. Unfortunately, strategies that evolved from such simple metaphors have outlived their usefulness for cyber security. Time and again I’ve heard customers tell me their security is “good enough,” and that they are better than most organizations in their industry. The truth is “good enough” is not good at all.
Things have changed. In today’s world of advanced targeted attacks, attackers are motivated by what you have rather than by how accessible what you have might be. They want specific customer lists, product designs and other intellectual property that they can’t get anywhere else. Someone else can worry about attacking your competitors. They want YOU.
In the age of Advanced Persistent Threat (APT) and other targeted attacks, simply being a little better or a little faster than the person next to you no longer works. So, forget about the running shoes; a pair of jet-powered roller skates might be more appropriate. Because as it turns out, in today’s untamed cyber wilderness, you actually DO have to outrun the bear.
I snapped this picture during a family vacation at Yosemite Valley. Thankfully, I did not need to put my running shoes to the test, as I'm sure my wife and two daughters can easily outrun me.
It’s that time of year again! Time for the 2012 predictions – and the security industry is chock-full of them. They’ve all been written before, but we thought we’d highlight a few of our favorites, and of course, we couldn’t resist tossing a few of our own into the mix. Do you agree, disagree or have your own security predictions to share? Leave us a comment and let us know what you think.
1. An At-Risk Society
It’s probably safe to bet that the majority of Americans today check their smart phones before going to sleep each night, and then again before jumping out of bed to face the new day. As our daily lives become increasingly and inextricably linked to technology, the associated risks for individuals – and our society as a whole – are also growing. We’re seeing more and more headlines on targeted attacks threatening the very pillars of our society – from threats against our electronic voting systems to attackers remotely opening prison cell doors to aid and abet prisoners – and expect to see more in the year ahead.
2. Cyber Defense: A Joint Effort
Public and private collaboration to defend against cyber attacks will continue to increase, as evidenced by newly proposed legislation that would enable information sharing between the government and companies. According to Wall Street Journal’s John Bussey, “We may be closer than ever to a battle plan that finally links the arsenals of the U.S. government with the serious needs of business in the fight against global cyber hacking.” This proposed legislation is certainly an important step in building out the global intelligence layer. However, it’s critical that enterprise organizations do not wait for government aid to become reality before taking action to defend their own IT environments. Organizations must learn to approach network security in a completely different way.
3. Cyber Attacks – Moving Beyond the Enterprise
In 2011, we began to see more cyber attacks targeting small businesses – and unfortunately, can expect to see this trend grow in the year ahead. Focusing attacks on small businesses is a logical choice for many cyber criminals, USA Today’s Byron Acohido recently reported, as they often don’t have the resources to fend off even the most basic of attacks. In the year ahead, small businesses will increasingly seek ways to mitigate malicious attacks – and the market must be prepared to respond by offering scalable, cost-effective solutions.
4. 2012: Time for a New Approach
Organizations are coming to terms with the indisputable fact that perimeter defenses are no longer enough to protect against today’s sophisticated cyber threats. Motivated attackers WILL find a way to penetrate layered defenses, getting beyond the “front door” and into the “house”. But today’s advanced cyber attacks take place over a period of time and have multiple, distinct phases – attackers know exactly what they want and are willing to be patient. In most cases, there is plenty of time, from the initial breach of the “front door” to the exfiltration of sensitive data and intellectual property, to take proactive steps to stop or minimize the impact of the attack. By facing this new reality, industry focus will shift from preventing hypothetical breaches to responding to inevitable attacks – by monitoring, gathering and acting on real-time, local intelligence.
5. Increased M&A in Cyber Security
Growing cyber threats will continue to drive sharp increases in cyber security M&A activity in 2012. According to a new Cyber M&A report from PricewaterhouseCoopers, global spending on cyber security deals is expected to grow approximately 10 percent every year for the next three to five years. According to the report, deal values have increased six-fold in 2011 alone, with the U.S. accounting for more than half of all M&A activity. Many large enterprises today are finding themselves behind the curve when it comes to effectively mitigating risk and protecting against advanced cyber threats, causing many to scramble to either build new solutions to address them – or, more oftentimes, acquire businesses that can address current and emerging issues.
6. BYOD Nightmares
Of course, we couldn’t write about 2012 security predictions without mentioning mobile. Today’s “bring-your-own-device” craze has opened Pandora’s Box – ushering in a new wave of enterprise security challenges. Ellen Messmer of Network World predicts that the rapid adoption of mobile devices will be a “huge disruptive force” in the year ahead, as “known malware samples for the new generation of devices are now starting to pile up, especially for Android.” We can expect to see a surge in attacks targeting – and taking over – employees’ personal devices to wreak havoc on their organizations.
Time is of the essence when it comes to cyber crime, and according to the latest numbers, determined cyber criminals are willing to take plenty of it – patiently waiting, watching, finding, and ultimately, compromising your assets. In fact, Verizon’s 2011 Data Breach Investigations Report indicates that more than 60 percent of 2011 breaches happened over a span of “months or longer before discovery.” That’s a long while for an intruder to spend casing the joint. By the time he’s ready to move on, no doubt he’s had enough time to uncover your organization’s most critical assets.
Verizon points to the most common types of breaches investigated by the National Hi-Tech Crime Unit (part of Great Britain’s Serious Organized Crime Agency) as falling primarily within the Servers category. This is exactly why visibility into your network is so critical and why virtual machine introspection is such an important innovation in global cyber security. Although a breach may happen in an instant, the resulting attack is very often prolonged. There’s much intelligence to be gained by watching your intruders once they’re inside your network walls. By seeing what comes and goes through the host, you can determine the target of the attack, the identity of the attacker and the appropriate response.
As noted in the report, a lack of data can be your worst enemy and a community of decision-makers and practitioners and responsible sharing can go a long way toward containing a breach. But, what about zero-day attacks? Communal knowledge doesn’t address the exploits of the criminally focused and determined, since the community can’t tell you how targeted customizations to known malware might interact with your organization’s specific IT environment.
Thanks to advances in virtualization technology and security intelligence, even unknown custom malware can be deconstructed, while its movement is contained and IDS/IPS signatures are created on the fly. Just as timing is everything to a zero-day attacker, live visibility and technical improvisation are critical to turning the tables.
Today’s most damaging cyber attacks are nothing like “hit and run” attacks of the past. They take place over a period of time and have multiple, distinct phases. Since there are many parallels between a home burglary and a cyber attack, we’ve developed this infographic (click to enlarge) to help illustrate each phase of an attack, while tracking current worldwide spending on security products that address each phase.
Although the initial breach is only the first step in an attacker’s agenda – just like picking the lock on the front door or getting past the watch dog is simply a burglar’s first move – our research shows that a staggering majority – 97.5 percent – of worldwide security budgets focus solely on keeping intruders out of the network, using everything from endpoint security solutions to identity and access management products to secure messaging tools. But as countless attacks in 2011 alone have shown us, this “walled fortress” approach to network security is outmoded and ineffective, and sophisticated, highly motivated attackers will find a way to circumvent even the most advanced perimeter security solutions out there today. In fact, 90 percent of organizations have indicated that they’ve experienced a breach – and industry research shows that each breach costs organizations more than $7 million on average.
Once an organization is breached, the entire focus of activity goes to trying to figure out what was stolen and how. More money – 1.4 percent of worldwide security spending – is allotted to dissecting attacks that have already happened than is spent on monitoring attacks that are still in progress. Worthwhile? Certainly. But your data is already gone.
Once inside your house, a burglar needs to poke around to find your most valuable items – the silver in the dining room and the jewelry in the bedroom – before he can stuff them into a bag and make a run for it. Similarly, once an intruder’s inside your network, the attacker still needs to find and package your organization’s critical and sensitive information before the real damage is done. Most often, there is plenty of time, from the initial breach of the “front door” to the exfiltration of the data, to take proactive steps to stop or minimize the impact of the attack. Despite that, only 1.1 percent of all security budgets are spent “inside the house,” actively watching the attack as it is happening and responding to the intrusion to minimize the impact.
Anyone else see something fundamentally wrong with this picture?
Earlier this month, the members of the CounterTack Board of Directors convened to select additional members. Today, we are pleased to announce the addition of two newly appointed members to our Board – Dmitri Alperovitch and Alex Doll:
- Dmitri Alperovitch is a renowned computer security researcher, thought-leader on cyber security policies and issues and president of Asymmetric Cyber Operations LLC.
- Alex Doll is an acclaimed serial entrepreneur and investor with a solid track record of building and leading high performance teams.
The far-reaching industry experience and stellar reputations of both Dmitri and Alex made their addition to the board an easy decision, and we’re thrilled to have them on board.
The full CounterTack Board of Directors now includes:
- Retired Admiral William J. Fallon, chairman
- Neal Creighton, chief executive officer
- Alen Capalik, founder and chief architect
- Mark Hatfield, partner at Fairhaven Capital
- Christopher Boies, partner at Boies, Schiller & Flexner LLP
- Dmitri Alperovitch, president at Asymmetric Cyber Operations LLC
- Alex Doll, entrepreneur in residence at Khosla Ventures
On behalf of the Board and the executive leadership team, we look forward to working with the infosec community as we enter 2012, a year sure to bring many new and exciting developments from CounterTack.