The Maturing of Breach Notification
Blue Coat's Thompson on Policy, Technology and Investments
This is part II of an interview released in two parts. You can read part I of this discussion here.
It is a much-quoted phrase in security today that getting compromised is inevitable. Even so, the value of having the right processes and technologies in place cannot be overstated, and their absence can turn a compromise into a far bigger problem. Focusing on the right technologies will put certainty in your corner, says Hugh Thompson, senior vice president and CTO of security vendor Blue Coat.
"We are experts at failing. We are experts at getting hacked," he says. "We have created this core competency of the business. We are experts because when we get hacked, we are experts at recovering and getting back to business as usual."
But recovering is much harder when you don't know the extent of the damage, and that is where the right security investments help. Imagine the value some high-profile breached entities would place on being able to determine, in time, the extent of the compromise, he says.
In the second half of this two-part interview with Information Security Media Group, Thompson takes a broad look at the security landscape and shares his insights on issues ranging from where to invest in security to his opinions and recommendations on breach disclosure and liability. He also places his bets on what he sees as the next big game changer in security.
Thompson is Chief Technology Officer and Senior Vice President at Blue Coat. Also Blue Coat's CMO, he has been with Blue Coat for three years. He has more than a decade of experience creating methodologies that help organizations build more secure systems and has co-authored three books on the topic. For the past five years, Dr. Thompson has served as the program committee chairman for RSA Conference, the world's largest information security gathering, where he is responsible for guiding the technical content at both the U.S. and European RSA Conferences. He also sits on the editorial board of IEEE Security & Privacy magazine, has written several technical books on computer security and has taught computer security at Columbia University for five years.
Edited excerpts from the conversation follow.
On Security Investments
VARUN HARAN: Give me four things that enterprises need to focus on in security. With the dynamic nature of the security landscape, where change is continuous, where do enterprises need to park that security dollar? What are the constants in security that they can safely invest in?
DR. HUGH THOMPSON: Organizations need to invest in an infrastructure that allows them to perform inspection and "gatekeeping checks" [emphasis added]. What you will check, and how you will inspect it, is a different answer today than it probably will be two months from now. The idea that you want to stop, inspect, and then allow to proceed or not is a fundamental concept - one which existed 10 years ago, one that exists today, and one that I think will exist 10 years from now. The mechanisms, technologies and vendors you use for this may change over time, but the premise of being able to do that is constant.
The other constant is the idea that data can be protected through encryption. I think the premise of doing that makes sense. Again, the implementation and the mechanism of doing this when your data sits in the cloud or on premises are going to be different. But the idea that you want to build a competency in key management and encryption is going to remain consistent.
The next thing that the industry has not been very successful in implementing is the idea of "least privilege." The idea is sound, but the implementation has been bad, and this is something that we are now revisiting. The concept of doing this will become more and more important. So there are things that you can invest in that can help further those constants, but I do think that you should expect uncertainty in the mechanisms.
There is going to be an architecture that demands inspection, and I don't think it's going to be possible to do security without that. The last piece, of course, is the idea that people are going to make mistakes, and that is a constant that I am convinced is not going to change, no matter how great a job we do. And if we believe it is a constant, we need to bake in the ability to fail.
On Breach Disclosure
HARAN: What are your views on breach disclosure? While U.S. breaches see a high degree of public attention, the lack of breach disclosure in Asia means that the level of awareness at the consumer level remains low. There are statistics that say that 75 percent of all breaches take place in the U.S.; I find that hard to believe in this day and age.
THOMPSON: There is a preponderance of evidence that suggests that no matter how many blinking boxes you buy off a security expo floor, you are still going to get compromised if you are an interesting target. So it is an accepted fact that breaches are happening and will keep happening. That said, I agree that outside of the U.S. we don't get to hear much about breaches. But I believe that breach notification maturity in Asia is happening quickly.
There is interesting stuff going on in Australia, some very interesting stuff happening in South Korea. It is fascinating how those laws are written. The first one that ever came out was in the U.S. It was a state bill in California in 2003 called California Senate Bill 1386 - 46 other states went on to adopt similar laws. This was only for personally identifiable information, which has a very specific definition.
Then you have HIPAA and HITECH for healthcare information, and the third is an SEC regulation that says that if you are a publicly traded company and have suffered a breach that can cause a material risk to the business, then you need to disclose it.
Now the truth is that there are a lot of breaches that don't fall into any of these three categories, and those are still not being disclosed in the U.S. either.
HARAN: What are some of the lessons for legislators in other parts of the world when they are writing breach notification laws for their region?
THOMPSON: I think one of the most important things is to make sure that the criteria you define are clear. Secondly, make sure that you involve security professionals and that it is not done in isolation by government.
A big problem that the U.S. had, which in hindsight could have been done differently, is protection for the disclosing entity against liability. Right now there is huge civil liability against companies for disclosing breaches, especially if they don't have to under the three categories previously mentioned. I think the ease of disclosing breaches, and making disclosure cohesive with the business, is important.
There is also the question of a shift in liability. One of the problems in the U.S. is that when there is a credit card breach, the cardholder liability is really low - around $50 - and even that is rarely enforced. The entity that ends up losing money is the merchant bank, which is caught in the middle when the card information is misused. As liability starts to shift, with the understanding that maybe the financial burden should be on the organization that lost the data and had the fiduciary responsibility to safeguard it, that will cause a whole other set of practices to happen.
There are some interesting nuances of who takes responsibility, and there are some bad trends happening right now that push security decisions out to the user - who has no idea, capability or background to make these choices. The industry has chosen to push some of these decisions to users who are not competent or certified to make them.
Game Changers in Security
HARAN: What's the next big thing in security? We have so many new business paradigms in security today: bug bounties, security as a service, professional incident response services, cloud access security brokers, and many others, trying to cater to the changing needs in security today. What do you, as a security thought leader, see as the next big thing?
THOMPSON: I think there are two, if I had to hedge my bets. One, and I hate to say it because it is an overused term today - but it is real, thoughtful analytics. It is the crafting not of the mechanisms to collect and share data, but of the brilliant ways to associate data from different places, tie them together, and draw a conclusion from that data. Surprisingly, with all the discussion around analytics, there has not been the data science discipline and rigor that has developed in some other areas, like medicine.
I think the intelligence of this science and its correlational algorithms are going to be a game changer. The second thing that's going to be huge is human behavior analysis. And that is the ability to understand which people inside the organization are going to make mistakes. This is different from the insider issue. It is a weird area that brings up questions like what kind of data about a person can be monitored and how we can act based on that data. But I think there is an amazing amount of breakthroughs that we can make in this space by understanding who will make bad choices at some point - the human element of security.