TOM FIELD: Cisco is out with its 2015 Annual Security Report. What are the highlights and what are the key takeaways for security leaders? Hi, this is Tom Field, Vice-President of Editorial with Information Security Media Group. I'm talking today with Jason Brvenik. He's Principal Engineer with Cisco Security Business Group. Jason, thanks so much for joining me today.
JASON BRVENIK: Thank you for having me.
FIELD: So Jason, as you review the report, what do you find to be the most intriguing findings from this year's edition?
BRVENIK: You know, there are a number of things that were intriguing in the report. For me, the most intriguing is around browser versions: that 10% of the Internet Explorer encountered in our observation was the latest version and that the rest was, you know, not, which meant that 90% of your interactions will be inherently risky. That was rather surprising to me.
FIELD: Jason, one thing I find intriguing, the report calls out spam as becoming more dangerous although volumes are down from eight or ten years ago. What do you see as being behind this malicious shift in spam?
BRVENIK: I liken it to the industrialization of hacking becoming complete. Our observations are that the adversary is seemingly working towards managing KPIs for their business. They found, in an approach we called "snowshoe spam," the ability to get higher penetration rates. So some of the spam systems out there aren't as up to the challenge of managing that, and so the IP-based reputation systems are failing there. That ability, ultimately, to deliver content to users has proven pretty effective, and so we saw a big uptick where the adversaries recognized the stability and started leveraging it.
FIELD: The report indicates that exploit kits have decreased considerably, along with some shifts in web exploits. Can you speak to what we're seeing, please?
BRVENIK: Certainly. That, to me, is an extension of the attackers managing their business and managing towards their effective penetration systems. So we saw in 2014 a decrease there. You know, on the exploit surface for Java there have been some significant improvements made. I think it was a 24% or 28% decrease; I can't remember correctly off the top of my head here. And so that was a hit to the business for the attacker. So we saw them shift their approach a bit and start leveraging Silverlight, introducing some new approaches to penetrating machines, and the fundamental trend is that they're intent on maintaining their presence and their operational capability, and so we need to be aware and capable of responding in those areas.
FIELD: It's something of a statement of the obvious, but it appears that many users are not using the latest versions of the respective browsers. So what sort of impact does that have on the security posture of the organizations?
BRVENIK: That has an incredible impact on the security posture of an organization. You know, we can deploy defensive technologies and update gateways and next-generation firewalls and intrusion prevention systems and all manner of filtering, but we can't control where a user is at any given point in time. So when they're not on the corporate network, or by chance they encounter something that hasn't been seen before and isn't blocked by technologies, they are guaranteed that they're going to become compromised. Ultimately, that level of risk, when you think about it, 90% of the users interacting with the internet being subject to compromise as a result of known, solvable problems, means that it doesn't matter how much we train users and it doesn't matter how much effort we put into configurations. Ultimately, you're running around with a knife in both hands.
FIELD: Jason, what is your take on the disconnect between network defenders' intents and actions? As I recall, something like 90% of companies said in the survey that they were confident about their security policies. What does that tell you?
BRVENIK: You know, I think I would have been surprised if we didn't see 90% confidence in their policies. They were clearly developed and thoughtfully implemented, and, you know, obviously people are doing what they believe to be best. The challenge for defenders is that the market on the attacker's side moves so quickly. And the defenders are burdened with a number of operational challenges in implementing things. Take, for example, the browser security issues. When we looked at an auto-updating browser we saw, you know, greater than 50% penetration for updates, and that was with no user action required. But for systems that require older versions, that creates the disconnect by policy alone; then you have the operational burden of implementing it. You know, there is definitely a disconnect between intents and action. I think that disconnect deserves a bit of focus and revisiting. Maybe we need to adjust our policies, you know, more often, but certainly there is opportunity there for organizations to improve.
FIELD: Now the report highlights that security practitioners are not necessarily leveraging many core security technologies or practices. I'm thinking about patching, for instance. And you go on to say that 56% of OpenSSL deployments on the net are more than four and a half years old. So what does that tell us about the security practitioner's approach to security?
BRVENIK: That tells us a couple of things, especially when you consider the prior data of 90% of companies being confident in their policies. It was surprising to me, although perhaps it shouldn't have been given the browser updates, that only 39% of the security practitioners admitted to using patching and configuration management as a security control. You know, that's kind of like the number one thing you can get done. It suggests there are organizational challenges. It suggests that there are practical limits to the security team's ability to impose a change, or perhaps that they're not as involved in the business process as they need to be. To elevate the other level of risk here, that 56% of OpenSSL systems deployed are greater than four and a half years old, I think that underscores greatly kind of a two-fold challenge. Maybe even three-fold if we think about it. The first is the challenge of updating systems where they are kind of running in place. They've been there and nobody bothers with them. We do not have the visibility into their configurations. It may be that the vendor is no longer available to provide patches; it may be a certified configuration that we can't update. That underscores the need for other mitigative technologies and approaches. Further, though, I think it underscores that visibility into the operational state of your systems is paramount, so that you can react to these things in the event that something occurs. It's, you know, it's pretty sad that greater than 50% of systems out there are still, you know, greater than four and a half years old, given all of the attention that was given to Heartbleed this past year.
FIELD: Well, we've hit on a lot of different topics here today. Jason, bottom line, what can organizations do to better protect themselves in light of some of the findings we've discussed today?
BRVENIK: Wow, there's a lot they can be doing, but we propose two approaches. The first is a security manifesto for the real world. It talks about user behaviors, organizational roles, and how they can work together to improve a posture that works in business. And the second is taking a holistic view of your ability to respond. The data showed us that the majority of respondents focused on the immediate challenge, which would be a compromise or a worm outbreak. It did not focus on the two other areas. All right, so we talk in the context of before, during, and after an attack. There was very little focus on before, as evidenced by the patching statistic, and that is the greatest opportunity for an attack that had an impact. And there was little focus on after, which is, you know, recognizing that a compromise is at some point inevitable, especially given the statistics from last year, and what you're going to do. Are you prepared, and do you have the information? Taking an assessment of that full life cycle and bringing it to bear, you know, to help the organization move forward and be prepared when a compromise occurs would probably be the best thing you could do. Ask yourself in the morning when you wake up: what am I going to do if I'm compromised today? And that will shed a lot of light on how you're going to handle things today and in the next year.
FIELD: Well Jason, that's an excellent analysis. Thank you so much for taking time to go over the survey findings with us today and sharing your insights.
BRVENIK: Thank you very much for having me.
FIELD: The topic has been Cisco's 2015 Annual Security Report. I've been talking with Jason Brvenik. He's Principal Engineer with Cisco Security Business Group. For Information Security Media Group, I'm Tom Field. Thank you very much.