Mike Rothman of Securosis Discusses Threat Detection with Jaime Blasco
Mike Rothman, Analyst/President at Securosis, takes part in an interesting conversation with AlienVault’s Jaime Blasco. They discuss IoT, BYOD, threat intelligence sharing, the attackers’ advantage and how midmarket companies can be better at threat detection.
[How do you see the security landscape changing over the next few years?]
Jaime Blasco: I think that we’re going to have more and more devices connected to our networks such as televisions, cars, so this whole internet of things is going to be a big change. So we have to start thinking “How are we going to protect those devices, and especially how are we going to do that in the same way we are protecting traditional technologies?” Because in the end we need the same framework and the same technologies to protect every single device. Not only PCs, but all of these new devices that are going to be connected to the same network.
Michael Rothman: And I would add, and I’ll take a little bit of a different perspective on that, that I expect a lot more of the applicable security budget to shift from what had been traditionally preventative technologies (that, by the way, didn’t do a real good job at preventing much of anything) to detection, and then ultimately investigation. Because I think there’s a general acknowledgement in the industry now that you can’t stop all of the attacks. You’re going to have to get better at really shortening the window between when you get compromised and when you discover and understand that you’re compromised, and ultimately how quickly you can remediate them. So that type of evolution I think will be very positive for the entire security business.
[How is BYOD affecting the threat landscape?]
Michael Rothman: BYOD? You know, it really isn’t because it, to me anyway, it’s a financial equation, right. A lot of companies don’t want to have to deal with messing around with customers or their employees’ devices anymore. “Hey, you want to buy your own device? Great. I’ll support it, it needs to be this kind of device.” I mean obviously you have to have a greater level of control over that device so that you can wipe it if you need to, but ultimately I think it really is, as Jaime talked about before, we’ve got a lot more of these devices, and who owns them is inconsequential, it’s “What data is on them, how much control do I have over them, and ultimately what do I think my attack surface is and how it changes as a result of all of these devices?”
Jaime Blasco: The problem I see there is that in some of these devices, we don’t have the capability of having the same degree of security that you have in PCs or network devices, because they are still not ready for that. So you’re going to plan detection capabilities in mobile devices in some of them, but in others you cannot do that. So it has to change, because we really have to integrate the technologies that we already have into those kinds of devices.
[What are the benefits of crowdsourced threat intelligence?]
Jaime Blasco: The benefit is clear, and of course we have been doing that for 4 years, especially in the security industry. We have been sharing data for many, many years. But we are starting to standardize the way we share, and especially to officially share data, because until now we were sharing data on a personal basis. So “I trust you, and I’m going to share data with you”. But right now we are starting to see companies starting to share data amongst them in an official way. But in the end it’s the same; we have been doing that for years.
Michael Rothman: Well, yes and no, right. I mean I think that there have been a number of vendors that have been out there sort of kind of sharing information, but what we’re starting to see now are actual enterprises and other organizations that are being much more willing to, 1: talk about the attacks that they’ve had, and 2: really start to share and analyze some of the remediations, workarounds and malware samples that they’ve been attacked with. And that makes everybody smarter, right, because part of the problem has always been the reality that “Hey, it hit me, so I’m not going to tell anybody else”, and then the same stuff hits everybody else. So being able to crowdsource, being able to share that information, being able to populate indicators and then have folks looking in their own environment for those attacks that they may not have known about, right, that makes everybody smarter, and I think that’s very positive for the business.
Jaime Blasco: Yeah, that happens when we talk about big companies, but what happens with the small and medium business? They don’t have the knowledge, they don’t have the resources to really get value from that data. So that’s also important. I mean [unclear] start making projects and technologies that allow people that don’t have the knowledge to automatically share that data that they are able to produce. So that’s why, I mean [unclear] is one of those initiatives that we are trying to launch. It’s basically “Okay, you have small and medium companies, they don’t know about security, they don’t know how to get value from this data, but you give them the technology that is already using that data and is doing that for them, and also is sharing data with their peers in an automatic way.”
[Do you see shifts in the threat origin landscape and threat vector?]
Michael Rothman: Yeah, obviously. I mean what we’re seeing are a lot more proficient attackers using a lot more professional development techniques to more effectively extract data from organizations, right. They’re better at pretty much every level that we see, from how it is that they get and gain presence and a foothold within a customer’s environment, how they move laterally to the target of whatever it is that they’re looking for, and ultimately how they exfiltrate that data. It’s just improved, and I guess that’s kind of a weird thing to say when you’re talking about attackers, right, but it’s improved on pretty much every level. So that means that the technologies that we use as defenders and monitors and folks that are really focused on trying to detect what’s going on and ultimately remediate these situations, we have to get better too. And I think there’s been a huge lag, at least for many years, a huge lag in terms of our ability to detect the attacks that have been really launched at us. And we’re starting to make progress, we see a lot of innovative things here at the RSA conference, but it’s been a long time coming. I mean, this business has been in the dark for many years before probably the last year and a half that we’ve really started to see some progress.
Jaime Blasco: Yeah, I agree with everything, but I have to add that I see a shift in. Because we have many, many companies where the attackers have more money and more resources than the actual companies, so they are spending much more money on attacking you than you can even spend in a hundred years to protect your systems. So at some point, I mean there is a big chance there. The same guys that are attacking big government companies or big government contractors are also attacking small and medium companies. So we should be able to build something that, and I think threat sharing is one of those tools that will be able to allow small and medium businesses to protect against the same guys that are attacking big government contractors.
Michael Rothman: I was just going to add that, and again, we like to say around Securosis that security, and the capabilities to secure your stuff, is not evenly distributed. So you’ve got a lot of very large companies that spend a lot of very big budgets to protect their stuff, by the way not real well, and then you have a lot of other people that don’t have the ability to spend that. And by the way, they’re not attacked by the same kind of stuff, right. We spend all of our time and everybody wants to feel special and think that they get attacked by advanced threat actors, and “The government wants to get into my stuff”. No they don’t, they don’t care about you, right, and that’s hard for some people to accept. But what they do, and what threat sharing and a lot of the threat intelligence has added, is the ability to learn what attacks are being launched at those large organizations, so that when that makes it down the value chain to be packaged up as a way for attackers to get after the mass market, you’re ready at that point because somebody has already dealt with that, somebody already has an answer for it, and then you can benefit from that kind of intelligence.
[How can a mid-market company be better at threat detection?]
Michael Rothman: I would start with: actually do something to detect your threats, right. Don’t depend on these preventative controls that have been sold as a bill of goods to a lot of these folks, that says “Yeah, yeah, yeah, just put AV on my endpoints, put my firewall on the edge of my network and I’m good”. You’re not good, right. So you’ve got to invest in some of these detection technologies just to figure out what’s happening in your environments. So if there’s one thing I would say, it’s actually do something, as opposed to just hoping that your security is going to take care of it.
Jaime Blasco: Yeah, I completely agree. I mean, don’t make the same mistakes that the big guys have been making for years. So spend your money, I mean properly, on technologies that can really help you to detect and prevent those threats, even if your prevention capabilities are not working. But at least you have tools that let you detect that something is going on, and let you perform incident response and contain that threat once it is in your networks.