Negative Unemployment

I recently attended a gathering of Wall St CISOs, one of whom referred to the “negative unemployment” in our industry.  I thought this was a great phrase, and I’ve found it’s a quick way to get across some quite deep points about current security.

At first, it just sounds cute, but in practice, it’s about as cute as the Oil Crisis.  Bad guys have figured out how to make money by attacking our weak defenses.  We’re scrambling to catch up.  The C-Suite and the board are more accommodating than they have ever been – something to do with the recent dismissal of the Target CEO, I shouldn’t wonder.  We know we need people, so we go to hire them, and what do we find?  Bad resumes.

knowledgegapHave you found it easy to hire the talent you need?  If so, lucky you – feel free to drop hints in the comments section (or just gloat – your peers tell me they aren’t having it so easy).

It makes for an ugly choice.  Do we hold standards high, waiting for people with the right skills to come along?  Or do we hope to train people new to the field?  As I look around, I can see our discipline soaking up some people of – how should I put it? – marginal aptitude.  I’ve seen this before – I remember the go-go days of the late 90’s, when Silicon Valley start-ups sucked in all kinds of people with no business working in such environments.  When that went all pear-shaped, it wasn’t so bad – sure, some stock options suddenly lost a zero or two in value, but it’s not really fair to whine about that.  Watching the same thing happen in corporate IT security is a much scarier proposition.

Defending Against Botnets

Botnets have been around for many years, but Distil Networks’ recently-released research shows that their use not only continues to grow dramatically, but that use is becoming more sophisticated. In having the bots focus their attacks during off-hours, the attackers may have a greater window of opportunity for damage before discovery.

This underscores the need to expand security analytics beyond the reactive focus of IPS/IDS to also include complete proactive analysis of what could happen. For example, analyzing all of the possible paths into and through an enterprise network–including from vendors and partners–within the overall context of the complete, complex network, allows the enterprise to ensure limited access before any paths are probed by a bot.

The botnets are a primary contributor to the distributed denial of service attacks, for instance, which are reported to have volumes up to 300Gbps.

As we have seen from widespread and newsworthy breaches over the past few years, it is very difficult to react quickly to an attack in progress. While such defenses are critical, equally vital are analytics that determine and monitor the effectiveness of the entire network as a system including all of its security controls and system vulnerabilities in context. This is one of the reasons RedSeal’s analytics include the complete set of possible network paths and not simply flows currently active in the network.

The key to winning the game is leverage. Knowing more, being more proactive, being certain that your intentions are realized by technology. How can you know?

Recently, I have seen firewall configuration files containing well over 150,000 lines of configuration. These devices live within networks with thousands of other devices that forward packets according to a variety of rules 250px-whackamole(routing, access control, load balancing, and more). The only way to know what’s really going on is to perform an in-context analysis of the  network. This is very difficult to do well, and impossible to do without automation. Furthermore, if you don’t  do it, you are relegated to playing Whack-A-Mole with the probes and attacks that are being launched against  you, probably at the rate of thousands per day.

Use automation as a proactive offense against what could be launched even as you continue to deploy reactive systems to respond to attacks that make it through your defenses.