Keynotes: How to Combat The 20 Percent Rise in Successful Data Breaches
Another interesting keynote I attended during the 2014 RSA Conference in San Francisco was given by Art Gilliland, Senior Vice President of HP Software Enterprise Security, entitled "Stop Looking for the Silver Bullet: Start Thinking Like a Bad Guy." He made the blanket statement that the entire data-breach ecosystem is driven by monetization, that is, by a marketplace for stolen goods, including identities and intellectual property.
This is debatable: another category of breaches is hacktivism, attacks that are politically or socially motivated, such as the high-profile attacks by the Syrian Electronic Army (SEA) or Anonymous.
Art explained how these attackers conduct research on people and systems in order to build profiles, then sell those profiles online. Other attackers buy the profiles to work out which toolkits they need, or how to trick people at the companies they are targeting.
He also explained how attackers use multiple access points to gather intelligence: where sensitive data is stored, what countermeasures are in place, and a map of the systems and how they function. These maps are also sold online alongside the profiles, enabling further attackers.
Globally, we spent 46 billion on cyber security last year, and we block most of what comes at us. However, the number of breaches continues to rise, up 20 percent last year, while the damage caused by breaches has increased 30 percent.
Adversaries only need to be right once to succeed, while defenders need to be right every time: we must defend against numerous types of attacks, from every direction and from many different attackers.
Ultimately, we spend 86 percent of our IT budgets on blocking attackers; the question is where to allocate the rest. Art claimed that spending on people, processes and technology together (that is, a comprehensive IT defense system) yields 21 percent more ROI.
Art explained that HP has conducted research and assessments of this type of security defense system in order to gather data on how companies can improve their defenses. Surprisingly, retail was the most mature industry in terms of security.
They also found that 24 percent of companies failed to meet the minimum security requirements they had set for themselves, mainly because they were aiming for the lowest bar of compliance. Another 30 percent failed to meet industry compliance requirements.
So what should we do? Art outlined a few ways to improve actual security:
- Invest in people and processes. Art believes we are under-investing in people and in the processes we implement, while over-investing in products. We need to think more holistically instead of trying to match our adversaries weapon for weapon. Tools alone won't save us - we need to invest in education.
- Align with business. Security isn't there to protect the enterprise, it's there to protect the business. We should focus on applications and stop trying to protect everything: nine out of ten enterprise apps had security vulnerabilities, and 86 percent misused encryption. There must be a balance between speed and security.
- Build in and share more actionable threat intelligence. This information needs to be fast and real-time, and the only way to achieve that is to systematize it. It must be shared as quickly and as broadly as possible, made actionable, and built on open standards so it can be shared with everyone, including developers.
With all of these aspects combined, Art claims, we may be able to win.
Learn more about the other keynotes and RSA in:
2014 RSA Keynotes: Juniper, Microsoft & RSA on Security Today
Duo Security to Exhibit and Present at the 2014 RSA Conference