By Bob Seeman
At the annual Wall Street Journal invitation-only CIO Network Conference yesterday in San Diego, Richard Bejtlich, Chief Security Strategist of FireEye, and Shuman Ghosemajumder of Shape Security discussed what we have learned about cybersecurity from the hacks of Sony, Target and the federal government.
In response to the Sony hack, Bejtlich became an independent expert consultant to Sony to correct the situation. “In the 17 years of incident detection, I have never seen anything like it,” he said.
“North Koreans were there,” he firmly declared.
“North Korea has a history of working with inside agents so we can’t rule that out,” he added. The techniques that were used, however, were not that sophisticated and did not require a state actor.
“Not all ‘hacks’ are equal. 100% of organizations will suffer compromise of some kind, but the impact varies,” he explained. “No company can stop it, even the United States government.”
“If you’re a sufficiently interesting target, you will be breached,” he said. However, you can and must mitigate and respond to attacks rapidly.
Bejtlich has written that an “understanding of ‘risk’ requires a great deal of understanding about the assets in question. Not only must you understand the nature of the compromised asset (its function, normal usage patterns, its inputs, its processes, its outputs), but you must understand the means by which the asset interacts with the network, any trust relationships, and many other factors.”
“In most cases the only way to gain a real appreciation of these real-world conditions is to either 1) observe the intruder in action, seeing what he can do or get, or 2) red-team the system yourself to see what you can do or get,” he explains.
“Modern systems and enterprises are far too complex for anyone to sit back like Mycroft Holmes [Sherlock Holmes’ smarter, but lazy, elder brother] and truly understand the ‘risk of a compromise’,” he explains.
Eighty-six percent of the CIOs here at the conference say that their investments in security technology have paid off. However, 62% say governments and business are losing the battle against security breaches. Forty-three percent do not know how many network breaches their company has had, how long it took between the breach and the start of mitigation, or what information their company considers the top priority to keep secure.
Recently, Bejtlich gave testimony to the US Senate Committee on Homeland Security and Governmental Affairs stating that “the median amount of time from an intruder’s initial compromise, to the time when a victim learns of a breach, is currently 205 days. This number is better than our 229 day count for 2013, and the 243 day count for 2012. Unfortunately, it means that, for nearly seven months after gaining initial entry, intruders are free to roam within victim networks.”
“Two-thirds of the time, it’s someone outside the company who tells executives about it,” he said.
Bejtlich said that “there is no purely technical solution to information security. The best strategy is to prevent as many intrusions as possible, quickly detect attackers who evade defenses, and respond appropriately, before the adversary accomplishes his mission. Strategically significant intrusions do not happen at ‘the speed of light.’ It takes intruders time, from hours to weeks, to move from an initial foothold to the information they seek.”
Ghosemajumder of Shape Security said it bluntly, “there is something insecure about the login page – it exists.”
Bob Seeman is Chairman of The RIWI Corporation.
Image via http://goo.gl/TJM0O4