Every day we hear about another breach, and most of the time the information we get is fairly consistent – the breach started and finished long before it was discovered. It’s not always clear exactly how or where the attackers were able to get access because they’ve had ample time to cover their tracks. Whatever log or history data we have is massive, and sifting through it to figure out anything about the attack is very difficult and time consuming. We don’t quite know what we’re looking for and much of the evidence has come and gone.
As I survey the cybersecurity market and media coverage, I notice that:
- We’ve thrown in the towel: it’s “not if, but when” you’ll be breached.
- Many security vendors are now talking about analytics, dashboards, and big data instead of prevention.
Notably absent is any acknowledgement that the attack did not happen at a single point or on a single computer, and that the actual theft of data succeeded because the data looked like legitimate network traffic, using allowed routes through and out of the network.
We hear a lot about not having enough “security expertise”. Is that really the problem? Or is the problem that the security experts don’t fully understand the complexity of their own networks? The network experts do. These attacks are happening via network traffic – not on a single device, and not with a known signature. And what do networking professionals care about? Traffic, and how it flows. I maintain that there is far more expertise available for breach analysis and prevention than we think – we’re just not asking the right people.
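To make the point concrete, here is an added illustration (not code from the original post): a handful of constructed outbound flow records, a hypothetical egress policy that permits only ports 80 and 443, and a per-host volume baseline of the kind a network team already keeps. Every flow passes the policy check, so a rule-based view sees nothing wrong; it is only the comparison of each host's outbound volume against its own history that surfaces the host moving far more data than it ever has. All hosts, addresses, byte counts and the threshold factor are assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical egress policy: internal hosts may reach the internet on 80/443 only.
ALLOWED_EGRESS_PORTS = {80, 443}


@dataclass(frozen=True)
class Flow:
    """One outbound flow record (constructed; e.g. what a NetFlow export summarises)."""
    src: str
    dst: str
    dst_port: int
    out_bytes: int


# Constructed history: total outbound bytes per internal host for the previous
# three days. These are made-up numbers, not measurements from any real network.
HISTORY = {
    "10.0.0.5": [2_000_000, 2_400_000, 1_900_000],
    "10.0.0.9": [5_000_000, 4_800_000, 5_200_000],
}

# Constructed flows for "today". 10.0.0.5 pushes ~250 MB over 443, far above
# its usual ~2 MB; 10.0.0.9 behaves as it always does. All destinations are
# documentation-range addresses (RFC 5737), not real endpoints.
TODAY = [
    Flow("10.0.0.5", "203.0.113.10", 443, 120_000_000),
    Flow("10.0.0.5", "203.0.113.10", 443, 130_000_000),
    Flow("10.0.0.9", "198.51.100.7", 443, 4_900_000),
    Flow("10.0.0.9", "198.51.100.7", 80, 200_000),
]


def allowed_by_policy(flow: Flow) -> bool:
    """Return True if the flow uses a port the egress policy permits.

    This is the check a firewall makes; it says nothing about volume or intent.
    """
    return flow.dst_port in ALLOWED_EGRESS_PORTS


def outbound_per_host(flows: list[Flow]) -> dict[str, int]:
    """Sum outbound bytes per source host for one observation window."""
    totals: dict[str, int] = defaultdict(int)
    for flow in flows:
        totals[flow.src] += flow.out_bytes
    return dict(totals)


def baseline_per_host(history: dict[str, list[int]]) -> dict[str, float]:
    """Mean daily outbound volume per host over the historical window."""
    return {host: sum(days) / len(days) for host, days in history.items() if days}


def find_exfil_candidates(flows: list[Flow],
                          history: dict[str, list[int]],
                          factor: float = 5.0) -> dict[str, tuple[int, float]]:
    """Flag hosts whose outbound volume exceeds `factor` times their own baseline.

    Returns {host: (today_bytes, baseline_bytes)}. Hosts with no history are
    flagged too: a never-before-seen sender is itself worth a look.
    """
    today = outbound_per_host(flows)
    baseline = baseline_per_host(history)
    flagged: dict[str, tuple[int, float]] = {}
    for host, sent in today.items():
        usual = baseline.get(host)
        if usual is None or sent > factor * usual:
            flagged[host] = (sent, usual if usual is not None else 0.0)
    return flagged


if __name__ == "__main__":
    # Policy view: nothing is blocked, because nothing violates the port rule.
    print("all flows allowed by policy:", all(allowed_by_policy(f) for f in TODAY))
    # Traffic view: one host is sending an order of magnitude more than its norm.
    for host, (sent, usual) in find_exfil_candidates(TODAY, HISTORY).items():
        print(f"{host}: sent {sent:,} bytes today vs. baseline {usual:,.0f}")
```

The two functions deliberately answer different questions. `allowed_by_policy` is the question the firewall answers, and it is satisfied by everything here. `find_exfil_candidates` is the question the network team is equipped to answer, because it depends on knowing what each host normally does; in practice the baseline would come from the same flow data the team already collects for capacity planning.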
In subsequent posts I’ll talk about why the networking team is becoming vital to security efforts, and why understanding how a network is constructed and performs is the best chance we have of improving our defenses.