Monday, March 10, 2014

Here a box. There a box. Everywhere a breach. Notes from RSA 2014

TL;DR - More of the same, and security is still a 1U 'solution' that fails every time, eventually.

Hey everyone, I’m writing you from the settled dust of RSA Conference 2014. In typical fashion I made grandiose plans to meet up with people I’d not seen in years, and to meet people I only knew by a handle over Twitter or some other online forum … and it all went to hell. Best-laid plans and all that, right? Every year RSA Conference is the same. You show up in San Francisco and hit the ground in a fast sprint. Although I don’t feel like I was sprinting so much as the ground underneath me was moving so fast I could only keep up by running my hardest. Analogies aside, I ended up with a talk, a panel and some booth time, and of course time with our often very interesting client base. Then I made the mistake of walking the showroom floors. That’s right, there’s an s at the end of that word, because there were in fact two sides of Moscone this year that were used for exhibition.

Wow. Let me tell you – it’s clear that anyone with even a half-baked idea that can throw the word security on it can get VC funded and launched. Let me be totally honest, if you didn't go this year I can sum it up for you quite succinctly: “Buy this box, it’s the solution.”

To be fair, there were two sides of the exhibition: the “big booth” side where all the big boys had these massive booths, and the “everyone else” space that was on the other side of the street. Not to take anything away from any organization that had a booth on the smaller side, because there were a few gems over there (you know who you are) which didn’t feel the need to hire nearly obscene ‘models’ to stand and hawk their wares, but rather settled for a modest space to lure prospective customers in with the promise of help.

Let’s face it – the industry has a ‘box problem’, and everyone will sell you a solution to what ails you, no joke. The real problem from the perspective of anyone who’s been in this industry’s trenches long enough to know is that none of these solutions actually solve a problem completely on their own, and a few of them create entirely new problems you didn't have before installing their box.
Here are my take-aways from RSA 2014 San Francisco:
  • Key theme(s)
    • Main theme: “Threat intelligence” – I almost laughed as I went down the showroom floor at how many organizations were pitching threat intelligence without actually having any idea of what that is, how to package it up, and how to get it into a consumable format for your customers. It sort of felt like we were back to the “speeds and feeds” days … oh wow, I’m feeling old right about now. Seriously though, the problem I have with all this threat intelligence is that much of it confuses threat vs. relevant threat, and intelligence isn’t worth a damn if it doesn’t easily convert to action on the end-user side of the equation. Case in point, I felt like every stand and booth could have had a sticker not unlike the ones you see on your grocery store shelves that read “Now with threat intelligence!” Come on, really? Threat intelligence, the real kind, is meant to help you make a decision or answer a question. Randomly throwing a component into your dashboard that says “Oh no captain, the threat level is high!” isn’t helpful and often does worse – it wastes an analyst’s time and hurts their security overall. So in effect, many of you vendors were actually making security at your customers worse. Congratulations.
    • Minor themes: “encryption” and “X-as-a-Service” – As expected, everything is going to the ‘as-a-Service’ model. Whether it’s mobility, software security, threat and vulnerability management, whatever – not to say that there’s anything wrong with going as-a-Service in many cases … it’s just an observable trend that again, like with the threat intelligence silliness, marketing folks just seemed to take what we used to call “outsourcing” and rebrand it as something more sexy sounding, and now it’s new again.
  • Marketing hype: over-promise, under-deliver – I may be off in left field, but I read one sign (and I won’t mention the vendor) that was hawking an endpoint protection agent that, quote, “Is a hidden process, invisible to the attacker”. Who are they kidding? That’s almost as good as the booth that promised endpoint security without hardware or software… I know how they do it – vapor-ware! (Or maybe snake oil?) It seems that everyone is the ‘leading provider’ … which is weird, because how can everyone be leading? And by whose standards? I suspect there is a healthy dose of buyer beware out there, and a lot of companies buying the hype are going to be really surprised, and not in a good way. Since my badge wasn’t readable by the scanners (shucks, must have been a malfunction) I stood at many of the more outrageous booths and talked up the sales people. Most of them had bought the hype marketing was pushing, and had their feet so far off the ground it’s not even funny. It’s sad, actually.
  • Continued focus on prevention – It would appear as though we haven’t made our peace, as an industry, with the fact that the breach is almost an inevitability. Being breached is not the failed result of your security program. If that were the case, everyone would have failed and it would all be just phooey. Repeat after me: everyone gets hacked. The products I did like, and some of the services, re-focused attention on what you do next. Detection, response and recovery are so important yet so completely unexplored it’s ridiculous. We’re all still hoping to find that magical thing that’ll keep our company from getting popped… yet when we do (not if), we have very little operational capability to detect the attacker within our perimeter, disrupt their actions, resolve the issue and ensure that the same avenue is not exploited again. As an industry we’re just bad at that. Terrible, in fact. We need more products and services that take advantage of the fact that everything generates logs… and help organizations large and small make sense of the “Oh God, now what?” inevitability. On that front, I saw signs of life, but it’s all very immature and slow-moving.
  • Hint: INTEGRATION – Your box and mine don’t integrate; in fact they don’t even log in the same format or using the same ‘standards’, and this means that we’re both collectively screwing our customer. How does the industry not get that? Proprietary ‘standards’ (isn’t that an oxymoron?) and no attempts at inter-operability are one of the key reasons the industry is in the crap condition it’s in today. OK, if you don’t integrate because it’s not in your best interest to enable your competitor at your customer (umm, whose priority is that?) then at least be inter-operable! Your tried-and-tested IPS (let’s face it, many of you vendors were just selling the IPS all over again, in a new sexy box), your prevention thingamabob, and that APT advanced defender box should all be able to work together to actually identify threats and help the analysts figure out what to do about them – and maybe, just maybe, stop some of the basic ones. Yet we continue to be mired in interoperability issues. This is unforgivable, from the perspective of the customer.
  • And now the real problem – Operationalizing. All of the boxes and ‘solutions’ on the RSA exhibit floor had a similar flaw… they were very difficult to operationalize. Most didn’t provide a roadmap for much past getting the PO signed and getting the kit dropped off at your loading dock. That kind of stuff drives me nuts. Working day in and day out with clients large and small who have the same challenges – you’d figure someone out there came to the same conclusion and said “Boy, you know what would set us apart from the competition? If we had a pre-developed plan for going from loading dock to functional, operationalized process.” Nope … I only caught the faint glimmer of hope in a few of the booths, but nothing really stood out.

My advice to you, the CISO, CSO, Security Manager or whatever your job title is – stop buying the hype and forget the boxes and ‘solutions’ until you’ve figured out how to make the things you have today work well together, and work to their full potential. Otherwise you’re wasting your company’s time and money, and you’re setting yourself up for failure. I feel like I say this way too often and no one really listens, because they’re busy being wooed by a slick-talking vendor salesman who promises to solve all your security issues for the low, low cost of a cool half-million in 1U boxes.

Folks, if it was that easy it would have been done and tagged by now. But it’s not. Threats change, you have adversaries, and the dynamic nature of your business and the world around you ensures that there is no one solution. You have to operationalize, be interoperable, and get over prevention. Or we can continue to circle the drain … your call, I guess.