The annual RSA security show was recently held in San Francisco. RSA is always a great show and it’s a chance to go see the latest and greatest in the ever-changing, fast-moving world that is security. There’s no question security is as hot as it’s ever been, with the show drawing over 30,000 attendees and over 500 exhibitors. It’s worth noting that there were 140 first-time exhibitors to the show as well. A few of the first-time exhibitors were larger companies that decided to come to RSA for the first time, but the majority of that 140 were start-ups.
Why so much start-up activity? The answer is, because security is broken and everyone knows it, and all of these start-ups are looking to build a better, more secure mousetrap. To believe it is broken, one must accept a few truths about security. These are as follows:
- The perimeter is disappearing. The concept of having a single point of ingress/egress to a network is going the way of the BlackBerry. In actuality, a secure perimeter has always been a myth, as there have always been back doors or alternative ways of entering networks that weren’t secured. These could be VPN links, connections to business partners, or a number of other points of entry. The change in the market is that businesses used to believe these were secure, but now understand they are not. In addition, the problem is being exacerbated by the rapid migration to hybrid WANs / SD-WANs, where every branch office potentially could have a direct connection to the Internet. It’s time to kiss the nice, tidy, controlled network goodbye.
- Users are a bigger threat than hackers coming through the firewall. Most firewalls are built well today and it takes a very sophisticated hacker to break through one. Instead, more and more nefarious characters are choosing to gain entry through the user by sending e-mails with embedded phishing links or even e-mailing attachments to people with malware in them. I talked to one CSO who told me the HR department had received a resume via email with malware that sat dormant for a couple of weeks. Eventually, the software activated and enabled a hacker to gain entry into the network. No matter how careful users are and how much training is done, an internal breach will eventually occur.
- Protecting the enterprise is getting too complicated. In my interviews with security professionals I try to get a sense of the environment. One question I ask is how many security vendors the company is using. It’s hard to find a business of any size that has fewer than ten, and I’ve talked to some organizations that have as many as 40. With that many moving parts, is it realistic to expect all of the products to work together to protect the business? Absolutely not. Having to rely on that many vendors drives up complexity, which drives up risk.
- Trying to stop all attacks is a fool’s game. The hacker community today is more advanced than it’s ever been and businesses are finding themselves under constant attack. Also, users do crazy things like unknowingly download malware at home and then come into the workplace behind the security infrastructure and attach to the network. No matter how much money an organization spends or how many people they throw at the problem, it’s impossible to stop all attacks. Don’t get me wrong, I’m not advocating giving up. It’s very important to try to maximize the protection of the company data and infrastructure. However, organizations should accept the fact that a breach will happen, and have a plan to deal with it when it does.
These truths seem to be well understood now by security professionals. What’s not well understood is what to do about it. Many of the start-ups in security today are focused on threat resolution — or even threat isolation — more than threat protection, which is where the focus should be. However, there are many approaches being taken to find and remove threats from the environment. There are host-based solutions that quarantine traffic, network devices that can create isolated zones, log file analytic tools to help find the infection, new security monitoring tools, packet flow products… and the list goes on and on. It almost feels like the 140 new vendors brought 140 different approaches to security.
This is the primary reason I believe that security complexity is at an all-time high. Before businesses invest in more security tools they should do what they can to simplify the environment as much as possible. There’s no way any business should have a dozen or more vendors to solve any problem. It’s more important to keep the number of solution providers to a manageable amount, which will optimize the protection of the business. I also believe that businesses should invest in solutions that find threats quickly and then quickly isolate the traffic to minimize the damage.
This strategy requires a mindset change for security professionals. Don’t spend diminishing dollars on more and more systems to keep the bad guys out. Instead, understand that they will get in, but minimize the damage they can do. There are plenty of security vendors focused on this now. The key is to ensure that whatever is being put in doesn’t further add to the complexity of the environment. With the shift to software-defined networks and hybrid WANs, the simplification of security is something security professionals must focus on immediately.