ORLANDO – Several security industry heavyweights flexed their muscle and star power to warn attendees of the 2012 InfoSec World Conference and Expo that relying on technology alone to secure networks is a damning IT security strategy.
The security luminaries -- Marcus Ranum, CSO of Columbia, Md.-based Tenable Network Security Inc.; Chris Nickerson, founder and principal security consultant at Lares Consulting in Denver; and Alex Hutton, a former risk analyst at Verizon and currently director of operational risk at a financial institution -- didn't mince words. They told attendees they are failing at securing their networks and will continue to fail if they don't shed their compliance mentality, understand how their business works, and become more proactive about security. Instead of buying another appliance to automate security processes, the panelists said CISOs should figure out what their company’s core assets are, and hire and train talented people to analyze their system logs and protect the data at the heart of the company.
“This stuff isn’t rocket science; it’s about attention to detail,” Ranum said. “The security industry has a tendency of moving something from having smart people to dumb processes… Big data is not going to save you; it’s the people examining your big data that are going to save you.”
Attendees: Speakers' message tough to swallow
It was a discussion that was partly lighthearted, but mostly designed, according to conference organizers, to give the audience a dose of truth, even if hearing the panelists’ message was a difficult pill to swallow. During a Q&A with attendees, one attendee was left speechless at the microphone when Nickerson asked him to explain his company’s mission statement and the attendee was unable to do so.
“I think you should try and protect things that are important to your company. You have to go out and ask questions,” Nickerson said, addressing the audience. “Being homogenous and saying I can protect everything is a losing strategy. When you work with this perimeter mentality and protect the whole enterprise – that’s crazy.”
Nickerson railed against CISOs attempting to apply compliance standards and other models to protect their systems without customizing them based on the way the organization does business. Standardization and homogenization are a doomed strategy, he said.
“We should get through the first step of our AA program and admit that we have a problem and try and grow from it,” Nickerson said. “We’ve failed at learning the general rules of battle, and we’re now protecting things based on someone’s standard instead of knowing our boundaries and what we can and can’t do to protect those things to the best of our ability.”
The panelists’ frank and unapologetic tone may have insulted some of the security professionals in attendance, said one attendee, an IT security director who declined to give his name. He said many people in charge of their company’s security program operate with a limited IT staff and are trying to monitor and protect critical systems on a shoestring budget.
“We’re limited by the constraints set on us by the business itself and I think we’re doing the best we can with the tools we’re given to do our job,” the attendee said. “It’s cost-prohibitive for most of us to make major changes to our overall programs and then justify them to upper management.”
Evolving toward counter-threat operations
However, the panelists also explained how some organizations are getting security done correctly, in their opinion. Hutton described his company’s massive data warehouse. The firm ties virtually everything into its data warehouse, capturing MAC addresses and correlating log data from different systems to track users and detect anomalous behavior.
The company essentially turned IT staff from being installers and maintainers into counter-threat operations experts, he said. Most organizations are doing the opposite, focusing on buying a technology to meet a specific compliance objective, he said.
“Your main threat is auditor or regulator, because that’s where you’re spending the majority of your time,” Hutton said. “We measure everything… we have people [who] do nothing but statistical analysis on behaviors.”
In response to an attendee’s question, Ranum said no single industry does security best. There are some government agencies that are “resoundingly clueful,” he said, explaining that finding a security gem is very random. Some of the best information security being done is at biotechnology giant Amgen and makeup and body care retailer Mary Kay, which relies on independent resellers of its products to make money.
According to Ranum, among Mary Kay’s biggest worries were consultants who poach customers from other consultants. The company went out and designed a database that won’t allow a person to query it for customer data. “They figured out their data management problem,” Ranum said, “they addressed it and they’re moving on.”