RSA 2011 preview: Compliance
Date: Jan 31, 2011
In this RSA Conference 2011 preview video, SearchSecurity.com News Director, Robert Westervelt, moderates a discussion on information security compliance. Speakers include SearchSecurity.com's Senior Site Editor, Eric Parizo, and Research Director, Josh Corman of The 451 Group.
Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies. To suggest a transcript correction, contact email@example.com.
RSA 2011 preview: Compliance
Robert Westervelt: Hi, I'm Rob Westervelt, the News Director at
SearchSecurity.com. Thanks for watching this video. It's part of our 2011
RSA Conference coverage. In this edition we're going to be talking about
compliance issues, with Joshua Corman. Josh is the Research Director
overseeing security research at The 451 Group, and we have Eric Parizo, the
Senior Site Editor of searchsecurity.com. Let's talk about PCI. Let's go
right into talking about PCI compliance. In 2011 there's going to be no
expected changes to the PCI standards. Will that have any effect at all on
Joshua Corman: So their normal rhythm had been to do a major revision every
two years, the last cycle would've been in October. They extended it now to
a 3-year cycle, so as far as PCI changes we shouldn't expect any substantial
change until October, in almost 3 years. I've been one of the critics of
PCI, comparing it to the No Child Left Behind Act for information security.
It's not that things always need to change, it's just that the technology
landscape, the adversary landscape changes so frequently and the standard
hasn't really seen a significant change in a few years. A lot of the people
on the research side have been concerned that it might not be
setting the bar high enough and we are pretty disappointed to see very few
changes and no outlook for subsequent change for several more years.
The other thing it has, as you hinted at, it has a pretty dramatic impact
on spending. My research is circled around the chosen few is what I call
them, but the PCI chosen few are the 9 plus or minus a few required
technologies necessary to pass an audit. What happens in a cash-strapped
economy is the CISO goes to ask for budget and often gets pushed back from
the CFO or CIO saying, will we be fine if we didn't do this? So essentially
we've separated 70 or so product categories down to 9 that are mandatory,
and everything else is discretionary, and the spending reflects that.
Almost all of our spending is on this mandatory stuff. All others that have
some promising innovation they're not finding fertile buying communities
and it's hurting their exits there with their strategies and they're having
to retool and refine even though they have fairly relevant technologies.
Eric Parizo: So the vendors are responding to that?
Joshua Corman: The vendor response has been, and this isn't a new thing, this has
been over the last few years, but the vendor response is people's road maps
have taken a hard right toward other mandatory controls, so if you weren't
on the chosen few you were partnering with building or buying technologies
that were. By having adjacency you were flourishing. So for example, PCI
6.6 was the last major revision that focused people on application
security. Let's do more of a security development life cycle, or buy a web
app firewall, also known as a WAF. The WAF players are doing great. They
don't think the economy is bad at all. They've basically gotten anointed
spending. Whereas other technologies like DLP or Network Forensics, very
relevant and much better suited to handle more advanced adversaries, are
considered discretionary and elective and found it much, much harder to
find assured spending. What we think has happened is now people are
getting used to the compliance, they're getting used to the mandatory
controls and now they're really trying to drive cost down, so it's not so
much a learning curve, it's an optimization phase. They may find that their
log management was purchased and they checked the box, but they're not
getting any value, so maybe they're looking for a managed log management
service. This might allow them to drive some cost out of the compliance
burden, and maybe liberate some spending this year. To do a few things
beyond mandatory compliance, that's what we're hopeful and encouraging or
it simply may just be a way to cut the cost and keep doing compliance in
all the departments.
Eric Parizo: Josh, just to sort of play devil's advocate with you a little bit.
Wouldn't you say that those select few technologies that have made their
way into the standard are in fact there for a very good reason?
Joshua Corman: That's the point of debate. What we've done is if you actually look
at the nine in the constitution we've written a lot about what these chosen
few are. They are some of our oldest and least effective controls. There is
a half-life and a shelf life. It's just like you buy some milk it will
expire and go sour at some point. I'm not saying these technologies are of no
use, but they are of diminished use over time. As the technology changes
beneath it was designed and predicated under the systems as adversaries
get more intelligent and more organized and more sophisticated and I think
last year proved that is in fact happening, things that used to be
sufficiently high wall aren't high enough anymore. I would make a macro
statement that at the rate at which we do the same things that we did last
year we've lost ground on the defense, and what it's done is it's raised
every man up to a minimum. Which was good in and of itself, but that minimum
has stayed pretty flat for several years now. Therefore the efficacy will
degrade year to year.
Eric Parizo: Which is where your No Child Left Behind analogy comes in?
Joshua Corman: Yeah, we tried to make the dumb kids smarter, but it's come with
the opportunity costs of everyone else. The elite buyer is still the elite buyer. They're still going to buy
excellent security and they have a higher risk profile. The middle market
is the one that suffered the most. They used to try to do compliance does
not equal security.
They do their best to pass the audit and secure their business and they're
the ones who just have become so fatigued and overwhelmed because it's not
just PCI. It's all the derivatives, the state and local laws, HIPAA and
HITECH, perk nerk. I mean, they're breeding like rabbits. We've
basically come to a point where compliance is meant to help the negligent
do something, but it's become all-consuming where we now fear the auditor,
more than we fear the attacker. It's meant to be an aid and now it's become
almost a distraction.
Eric Parizo: I guess the question I have then is for those who are going to the RSA
Conference or following it closely, what are the technologies that are
going to be on display there? Beyond what's covered in PCI that are really
worth checking out for those organizations that want to take those extra
Joshua Corman: I think what you're going to see is we don't have a market anymore,
so if someone is looking to simply drive down the cost and pain and
distraction of compliance will be looking for ways to streamline, automate
and consolidate. They're going to want to know within that purview of
mandatory things how do I just drive down the distraction and cost or
outsource. For people who know that it's a very low bar and need to exceed
that, they're looking at things like network forensics. They're looking for
things that go beyond the limitations of signature antivirus. They're
looking at application layer security as many attacks have migrated that
way. So it's not that it's 100% distraction to do compliance, but those
seeking more than compliance will be hopefully asking very tough questions
of how their vendor supply chains have made subsequent changes in the light
of things like Stuxnet and WikiLeaks and the high profile attacks and signs
Robert Westervelt: You know, I guess you can say that compliance kind of narrows down
market segments to a certain extent. And from the researchers I've talked
to and some of the experts I've talked to, we talked about how there may be
too many market segments in the security industry.
Joshua Corman: There are. Yeah. I think I quoted 70, I think I've heard other
analysts confirm as many as 140 markets. That's too many. This gets back
that the security industry has never retired anything. So when the botnet
guys realize that command-and-control decentralized peer-to-peer botnets are
better than centralized ones. You almost never see a centralized botnet.
Whereas we still use 1984-based blacklist signature antivirus as the number
one thing. We spend the most money on our oldest and least effective
control and we just never retire anything, so we can't possibly buy 70 or
140 products and that's not the message but since you're going to accept
certain exposure it's interesting to me that we hold onto our oldest wooden
shields and wooden sticks, at the opportunity cost of some more capable, more
sophisticated approaches. You're going to be exposed to something; it's
what you're choosing to be exposed to.
Although there's many benefits to compliance and it has raised the bar for
several people that had otherwise been doing nothing. It's also frozen us
in time to a certain extent, where everything around us evolves except for
these fairly predictable, unchanging compliance. It's almost like little
kids playing soccer, all huddled around the same little things but in the
meantime we're very distracted from pretty significant changes around us.
Robert Westervelt: There are some innovative vendors out there. And I know I've just
recently had a conversation with a vendor that makes a virtualized browser
to isolate attacks in the browser. There is some innovation despite PCI and
these other regulations isn't there?
Joshua Corman: Yeah, it's a different model than what we've been coaching our
clients to do. If you've got a 2003 to 2006 type boomtown expectations
about how you were going to take your product to the elite buyer then
downmarket and then you were going to have an exit or an IPO. That process
that was pretty consistent for several years and you often do some of these
changes during the RSA time frame isn't going to happen anymore. There are
just not as many mid-market buyers. In fact, we've described there's a
pretty pronounced schism between the once a week buyer and the middle has
now become a laggard buyer. They just don't have the budget or the time to
keep throwing more technology out.
Robert Westervelt: It sounds like you're blaming the people behind these regulations and
not necessarily the vendors responding to them.
Joshua Corman: It's an ecosystem so we're all to blame.
Robert Westervelt: OK.
Joshua Corman: In fact, compliance has done a wonderful thing in such that,
security professionals have created the sin of keeping security as complicated as it
actually is. So every time someone wanted an easy, simple step, a 12-step
process to securing themselves we said it's really hard, it's more
complicated than that. That void has been filled by compliance by other
organizations, by best practices, and we have oversimplified it. So this is
just a normal part of the evolution of the market. We're still pretty
nascent. I'm hoping we don't stay stuck on compliance. The stakes are
higher and the problems bigger than compliance attempts to adjust, so we're
going to be in a retooling year I think. Innovation will continue. There
will be buyers, it just won't go mid-market as quickly or as similarly as
it has in the past.
Robert Westervelt: Before we wrap up I wanted to ask you about measuring compliance.
There have been some studies out there that try to measure the
effectiveness of PCI, for example. What's your take on some of this?
Joshua Corman: This is one of the reasons that Alex Hutton and I are doing our
Metrics or Bunk talk. It's not that we're anti-science; in fact he's doing
a lot to further metrics to the Verizon Business Report. There are several
people taking statistics out of context, or with limited data, and claiming
victory, with things like compliance, that it's working. But really we don't
have enough data to substantiate that it isn't working or it is working and
that was really the seed of the debate between Alex and I and we've become
a lot more aligned in our thinking through the debate. But a lot of those
claims are taking data out of context, putting a happy face on things. I
saw some ridiculous claim that being compliant makes you half less likely
to be breached. I think we need to stop looking at it like with the
available breach data in isolation and instead look at if you actually
break down the required controls, all of them are defeatable. All of them
are trivially defeatable, with pretty free and open tools. You don't have to
be a super ninja hacker black hat. You can just use widely available free
tools to undermine an antivirus to evade IDS, to go through a web app
firewall, which isn't required. And if you look at the data we do have
available, most of these attacks did just that. I think 89% of the breach
records involve SQL injection, a 10-year-old threat which there are
some countermeasures against and PCI isn't stopping those breaches from
Antiviruses are at the high-wire mark of required control and yet 94% of
breach records involve custom malware. Not super sexy Stuxnet stuff, just
custom enough to undermine the required control. So we have potentially
people who aren't doing their compliance in a diligent way but more
importantly even if they were we know the conceptual limitations and the
defeatability of many of these low water mark requirements. To me I think
the metrics need to shift from who did and didn't disclose publicly, and
more to what the actual efficacy is of the controls we're mandating. Do they
work? How well do they hold up against a determined adversary? And we'll
get better as an industry, but at the moment any claims that it's working
or not working, really don't have the data to back it up.
Eric Parizo: Before we wrap up, not to completely counter what Josh is saying.
But we are just launching a brand new security school lesson on
searchsecurity.com featuring Eric Holmquist, a compliance expert and the
topic is how to create a compliance score card for your organization. As
Josh sort of alluded to, there's no black and white way to do it. It's sort
of about finding the compliance metrics that are important to you. But once
you do that there are some interesting ways and strategies to put in place
that can not only measure compliance in a way that executives want to see
so they can see trouble spots and such but also measure programmatically
how the organization is doing in terms of compliance. I won't say that
it's impossible, it can be challenging but if anyone is interested in that
they can check out that lesson. There's some interesting methods there.
Joshua Corman: And a warning about statistics, right? They use statistics like a
drunk uses lampposts. More for support than for illumination, so we have a
lot of stats and we have a lot of reports and there's good nuggets and good
data, in all of them. Some of the conclusions are a little less reliable.
Eric Parizo: But like a good lamppost, it can at least point you in the right
Robert Westervelt: And we'll wrap up with that. Gentlemen, thanks very much. For more
videos and more information during the RSA Conference you can go to
searchsecurity.com/RSA2011. Thanks for watching.