5 Secrets to Security Success
Black Hat Europe: Surprising Ways to Get - and Feel - More Secure
If there was a self-help book for the information security community, the title might be: "What Got You Here Won't Get You There."
Of course, that title has already been taken - it's the name of Marshall Goldsmith's 2007 business-focused, self-help bestseller - noted Haroon Meer, founder of South African applied research firm Thinkst, during his opening keynote at the Black Hat Europe 2015 briefings Nov. 12 in Amsterdam (see Black Hat Europe: Hot Sessions).
Some past opening keynotes at the conference have focused on cutting-edge attacks or cybercrime (see Black Hat Keynoter: Beware of Air Gap Risks). But this year's opening keynote took a more introspective turn, with Meer picking up the theme of Goldsmith's book, which details the top self-defeating behaviors that so often sabotage individuals' advancement in the workplace.
Meer says many of Goldsmith's observations, including the proclivity to make excuses and pass the buck whenever something goes wrong, remain far too applicable to the information security community. Unfortunately, such behaviors continue to undermine the effectiveness of information security programs at a time when they're needed more than ever.
But help is at hand, provided information security professionals take a long, hard look in the mirror. "The first step is to admit that your security sucks," Meer says. "The second step? Do something, because doing something is better than doing nothing."
To avoid bad behaviors and make information security programs more relevant, Meer offers these five recommendations:
1. Solve 2003's Challenges First
Many security professionals self-identify as "techies," and many techies love experimenting with and adopting the latest and greatest gadgets and tools.
As an example, Meer cited RSA President Amit Yoran's opening keynote at April's RSA 2015 conference in San Francisco, in which Yoran argued that all organizations need better threat intelligence to know who's attacking them, as well as full visibility into their networks to spot signs of emerging attacks that may have affected others.
But Meer cautions that the focus on these types of technologies misses more big-picture challenges. "On their own, these technologies are not horrible. You can make a perfectly good argument for threat intelligence and having full pcap [packet capture] visibility into your organization," he says.
The problem, however, is that 95 percent of organizations at large "still have 2003's problems," he says, referring to their having much more basic information security challenges than real-time threat intelligence or full network visibility is designed to address.
Serious Question: How many networks have you seen, where if I broke in, I wouldn't be able to own/laterally move/persist like it was 2003? - haroon meer (@haroonmeer) November 9, 2015
"Take OPM, Target, Sony - you think those guys needed threat intelligence? Um, no," he says. "What they needed was someone to say, 'Segment your network, so the first time your network gets owned, it doesn't mean everything [connected to it] gets owned.'"
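The point behind "segment your network" can be made concrete with a small blast-radius model. The following Python is an added illustration, not code from Meer's talk or from Thinkst: it treats the network as an inventory of hosts in segments and a firewall policy as an allow-list of segment-to-segment flows, then asks which hosts an intruder who starts on one machine can pivot to. The hosts, segment names and policies are constructed sample data, loosely shaped like the vendor-to-payment-systems path described in the Target case above.

```python
"""Blast-radius model for network segmentation (added example).

Models lateral movement as graph reachability: an intruder on host A can
pivot to host B only if the policy allows the flow segment(A) -> segment(B).
Comparing a flat policy against an allow-list shows how segmentation caps
the damage from the first compromised machine.
"""
from collections import deque

# Constructed inventory: host name -> network segment (all names assumed).
HOSTS = {
    "vendor-portal": "dmz",
    "hvac-vendor-ws": "vendor",
    "corp-ws-01": "corp",
    "corp-ws-02": "corp",
    "file-srv": "corp",
    "ad-dc": "corp",
    "pos-01": "cardholder",
    "pos-02": "cardholder",
    "payment-db": "cardholder",
}

SEGMENTS = set(HOSTS.values())

# Flat network: every segment may talk to every other segment.
FLAT_POLICY = {(src, dst) for src in SEGMENTS for dst in SEGMENTS}

# Segmented network: explicit allow-list of permitted segment-to-segment flows.
# Vendors reach only the DMZ portal; corp reaches the DMZ and itself;
# the cardholder segment talks only to itself. Everything else is denied.
SEGMENTED_POLICY = {
    ("vendor", "vendor"),
    ("vendor", "dmz"),
    ("corp", "corp"),
    ("corp", "dmz"),
    ("cardholder", "cardholder"),
}


def reachable_hosts(start, hosts, policy):
    """Breadth-first search over hosts reachable from `start` under `policy`.

    Each pivot from `cur` to `other` is permitted only when the policy allows
    the segment pair (segment(cur), segment(other)). Returns the set of
    compromised hosts, including the starting host.
    """
    seen = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for other, other_segment in hosts.items():
            if other in seen:
                continue
            if (hosts[cur], other_segment) in policy:
                seen.add(other)
                queue.append(other)
    return seen


def blast_radius(start, hosts, policy):
    """Fraction of the inventory an intruder starting on `start` can reach."""
    return len(reachable_hosts(start, hosts, policy)) / len(hosts)


if __name__ == "__main__":
    # Compare the two policies for a compromised vendor workstation
    # and for a compromised internal corporate workstation.
    for start in ("hvac-vendor-ws", "corp-ws-01"):
        for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
            owned = reachable_hosts(start, HOSTS, policy)
            print(f"{start:15s} {name:10s} "
                  f"{len(owned)}/{len(HOSTS)} hosts reachable: {sorted(owned)}")
```

Under the flat policy a foothold on the vendor workstation reaches every host, payment database included; under the allow-list it reaches only the DMZ portal, and even a compromised corporate workstation never touches the cardholder segment. The same reachability check can be run against a real segment inventory and firewall rule export to find the pivots a policy still permits.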
2. Master the Data Breach Playbook
Meer says that many organizations would benefit most from applying the lessons learned from previous data breaches and ensuring they won't fall victim to copycat attacks.
"How about six-year learning, instead of real-time learning?" Meer says. "Because I'm willing to bet that I can take any big breach from six years ago and read it like a playbook, and see how your network would hold up to the same attack."
In fact, many data breaches result from remarkably simple - and preventable - mistakes. At U.S. retailer Target, a third-party business partner fell victim to a phishing attack, giving the attackers remote access to Target's network, after which they were able to move laterally through the network until they found and exfiltrated payment card data.
Or take the case of the former employee at Deloitte who joined Sony Pictures Entertainment, bringing with them a document that detailed sensitive information on Deloitte employees' annual incomes. After Sony was breached in 2014 and its PCs ransacked for data, the Deloitte document was leaked (see Sony Hacking Is a Hollywood Blockbuster).
3. Avoid Perfection
Meer asked for a show of hands as to how many people in the Black Hat Europe audience - half of whom say they are responsible for network defense - are running the Microsoft Enhanced Mitigation Experience Toolkit, which is designed to prevent software vulnerabilities in Windows from being exploited. Only a handful of audience members raised their hands.
Meer says that one of his clients, which has experienced reverse-engineers on staff, recently "schooled him" in EMET, saying the organization wasn't using it because it could be bypassed by attackers. While this is theoretically possible, Meer argues that the vast majority of attacks are relatively simple, and that using EMET dramatically reduces the overall "attack landscape" facing any Windows-using organization.
Too often, however, IT departments are seeking some type of "network utopia," when all they need is something acceptable. "We both know you have boxes on your network that haven't been patched since 2008, you've got NT boxes, and what you're worried about is whether this will introduce flaws onto your network?" he says. "We often require a complex solution, when simple ones will do."
4. Make Good Things Happen
Many employees see the information security department as a group devoted to telling them what they cannot do. But Meer notes that like the famous John Gilmore aphorism - "The Net interprets censorship as damage and routes around it" - users have become adept at doing what they need to do, even if it isn't secure.
Meer's takeaway is that security teams must work with employees to help them realize their crazy ideas, but in a secure fashion, no matter how difficult or insurmountable related obstacles might seem. "If your security engineers don't like hard problems and novel solutions, you have the wrong ones," he says. "The reason the obstacles are there is the reason you have a job - your job is to make things secure, despite having all of those obstacles."
5. Buy Talent, Then Technology
To build and maintain a successful security program, it helps to hire the right people. And Meer recommends an approach promulgated by "Google Security Princess" Parisa Tabriz, who advocates first hiring the best people for the job and then asking them which tools they need, rather than just taking a tool-centric approach.
If you're planning on buying something you heard about from #RSAC, don't. Take that money, hire some smart engineers, and listen to them. - Security Princess (@laparisa) April 25, 2015
That message seems tailor-made for the attendees at Black Hat Europe, many of whom are information security professionals. But Meer didn't spare them some criticism as well, warning that until they can eliminate some of their own self-defeating behaviors, many security programs will continue to be second-rate.
"If you are a defender, my one takeaway would be: make sure the stuff that you're aiming at matters," Meer says. "If there's one thing that I've seen from organizations that are doing defense wrong, lots of them are spending time on busywork."