Security Experts: We're Being Outplayed, But It's Not Game Over

The security industry needs an attitude adjustment, or at least a strategic adjustment.

That theme was echoed in keynotes and sessions throughout the RSA Conference 2015 in San Francisco this week. Executives and security experts agreed that the industry needs to make a drastic shift away from simply building up higher and higher perimeter defenses if it wants to have any hope of protecting organizations from more advanced attacks.

"The reality is, for all of us, we cannot continue to confuse hard work with results. The reality is we're being outplayed in our industry. The good news is, it's not game over for us," said Chris Young, senior vice president and general manager of Intel Security, in a keynote address Tuesday.

[Related: DHS Secretary On Cybersecurity: Public, Private Sectors Need To Work Together]

Driving that need for a new strategy is a 176 percent jump in the number of attacks and a 96 increase in the cost per breach despite a drastic increase in research and security spending, HP Senior Vice President and General Manager of Enterprise Security Products Art Gilliland said in a Wednesday keynote. The shift will have to come through traditional people and process defenses as well as "new school" collaborative and interactive security.

"If you think about the security game, there's an old school game that’s the heart of what we need to do every day. Then there's the new school game that’s how we need to adopt and adopt it because, candidly, the security game has changed," Gilliland said.

Young compared the change needed to the Oakland Athletics, who were featured in Michael Lewis' book "Moneyball" for their success in applying data analytics to professional sports. By challenging assumptions around which statistics mattered and putting data insight into action, the Athletics were able to turn from a losing team to one that could compete. Young said this is a strategy the security industry needs to model itself after.

"I think we have a huge opportunity in security. We've got more dollars, we've got more smart people, more important people are paying attention to our problem than we've ever had in our industry," Intel Security's Young said. "But, we have a real challenge, that's for sure. But, if we think differently about the information that we have and data differently than we do today ... if we operate differently, not just thinking and getting smarter but putting new practices in place and then having the courage to see that through, I believe that we can write our 'Moneyball' story for the security industry. I believe we can change the game for our industry if we do things differently than we've ever done to get the success we're looking for."

To do that, RSA President Amit Yoran said security professionals will have to increase visibility, put more emphasis on identity and access management, and focus on threat intelligence around external threats and mission-critical information.

"The perimeter mind-set is still with us. We're clinging to our old maps hoping the terrain is wrong," Yoran said. "It's time to realize that things are different," he continued.

Solution providers and chief information security officers at the event agreed that strategies need to change.

Dom Glavach, principal IS security engineer at Johnstown, Pa.-based Concurrent Technologies, said he "absolutely" sees a shift toward a new strategy in security. The challenge comes, he said, in breaking from the technical controls of the past to apply more big-picture administrative controls.

"I don't think you can build that in a quick road map. I think it's an evolutionary process, a journey of a thousand steps. In order to get there, you have to do that in manageable pieces ... with respect to operational budget and risk," Glavach said.

Espen Otterstad, IT manager at Larvik, Norway-based ABAX, said he already has seen the security industry starting to think differently.

"In our business, it has really been building up walls and we continue to do that, but maybe we should change focus and see how we can not stop defending but defend in another way, a smarter way, because we're losing the battle," Otterstad said.

Erik Wilson, owner and IT architect of Palatine, Ill.-based Auryn Technology, said he sees the industry shifting to focus on more continuous security instead of a "piecemeal approach to detection." Some clients already are starting to demand that sort of approach, he said, particularly in industries that have more stringent security concerns. Vendor conversations around interoperability and cooperation among vendors will help facilitate that shift, according to Wilson.

Jonathan Grier, principal at Grier Forensics, said one way he sees companies dealing with this challenge is automating incident detection and defense. While the strategy of old was to try to stop all threats through perimeter defenses, Grier said time has proven that attackers will still get in and security professionals will have to investigate, respond and remediate the problem.

"It definitely requires a different strategy because it's not just about how do we make it harder to get in. We know some people are going to get in anyway. How do we do a good job of very efficiently and effectively finding out who they are, where they are, isolating them, preventing them from going further and learning from them?" Grier said. "I think the change in strategy has been to realize that we don't have a perimeter. They're getting in. Let's respond rapidly, effectively, decisively," he continued.

PUBLISHED APRIL 23, 2015