When I was in school, one of the biggest topics of conversation around test time was the “Curve”. For some students, it was a blessing raising their probability of passing. For others, the Curve meant that their final grade may or may not be affected so it didn’t impact their study habits. For those that were challenged in statistics, ‘grading on the curve’ was a mystery to begin with so it meant nothing. There was a moment in almost all of our academic careers that this magical curve resulted in a passing grade in instances where we had failed to make the grade. Whether it was due to a late night football game, the school night date or a dog-ate-my-textbook incident, this enchanted thing called “the Curve” swooped in and saved the day by measuring us relative to everyone else taking the exam. We are facing a bit of a curve in the Security industry these days. Unfortunately, this curve isn’t a lifesaver. In fact, this curve is a reflection of an industry facing a serious challenge. Evidenced by what I saw at BlackHat 2013 and DefCon 21 last week, we are faced with a series of hockey sticks rather than the smooth, attractive slope of a bell curve.
The impact of security breaches is sharply rising. I remember the old days where the ‘hacker’ stories included rigged radio show call-in contests, social engineering a conference room phone to be forwarded to dial outside lines or merely a good old website defacement. Today, reports are breaking constantly of serious data incidents. Some reports say the number of breaches is down. Some reports say they are up. However, it is easy to see that the impacts of modern day security breaches are considerably higher than in the past given the regulatory fines, intellectual property loss and pure business damage we see today.
The breadth of computing surface (read “attack surface”) of a modern company is approaching infinity. We thought distributed computing was a challenge compared to the mainframe days. Today’s BYODs are just the tip of the iceberg as the perimeter and infrastructure dissolve into a mixture of growing internal infrastructures, cloud services, end user mobile devices and an app for everything.
The sophistication of adversaries is accelerating. This isn’t just a mild increase in velocity. It is more like a full open throttle on a Ferrari…with a CO2 thrust…going downhill…loaded with explosives…riding on a newly invented friction-less Star Wars-like Landspeeder suspension system. That may be a little of an exaggeration and too fear-inducing but the point is – it is a scary world out there.
I am not one to play the FUD (Fear, Uncertainty & Doubt) factor. I believe security professionals today make up a hardworking, passionate, talented community. But I cringe when I hear anecdotes from other security professionals of how a criminal element social engineered a key system administrator for months posing as an employment recruiter, speaking with him on the phone even at one point just to spearphish him into compromising his machine.
Organizations have always been chasing the curve of security risk. It really hasn’t been a level playing field since the mainframe walls cracked and the data center door was opened up wider and wider. The good news is the security and technology industry has kept a continuous flow of innovations to keep that curve in check. Conscious efforts in improving computing platforms (Microsoft’s Trustworthy Computing effort, for instance) plus continuous advancements in security technology (Think RSA) have combined to keep the gap arguably manageable historically, but not with today’s advanced threats.
My next series of blogs will focus on three areas that are necessary to keep that gap in check: Visibility , Context and Expertise. While it would be nice (although lead to poor job security) if the curve of security risk turned into a bell curve and began decreasing, the probability of this happening is essentially zero. Therefore, security professionals must think about how their strategies to manage the gap between the rapidly rising risk and their security control environment evolves. I know that the CEO and the board will not be willing to grade the security organization on a curve when that big data breach hits and the company’s name is front page news.