So, you’ve assumed compromise. Now what?
NATIONAL HARBOR, Md. – The once-radical notion that cyber defenders should assume hackers are already in their network is now conventional wisdom. But the implications of it are still taking hold, experts and officials said Thursday.
“The guarantee [that perimeter defenses used to provide] is absolutely no longer there,” said Sue Barsamian, the senior vice president and general manager of security products for Hewlett Packard Enterprise.
“Does anyone here not assume compromise? Raise your hand,” Barsamian urged a standing-room only crowd of federal officials and business executives gathered for the Federal Cybersecurity Summit sponsored by HPE and produced by FedScoop. Not a single hand went up.
“They’re either in, or they’re going to get in. So then, speed matters … being faster than the attacker matters,” she said, highlighting the role of the security operations center, or SOC, which has to detect intruders.
The need to detect intruders quickly was also highlighted by comments during a discussion between National Institute of Standards and Technology senior cybersecurity adviser Ron Ross and Bill Horne, director of security research at Hewlett Packard Laboratories.
“Cyber is like cancer,” said Ross, “you might feel fine at first, but out of sight, very bad things are happening.”
Ross sounded a pessimistic note on cybersecurity overall. “We’ll get better at this, over time,” he said, “But we’ll never outpace our attack surface growth.”
Tom Powledge, vice president and general manager of ArcSight, observed that “The most mature and innovative SOCs, across the world,” were being proactive in hunting down threats, standing up separate teams to look at threat intelligence with an eye to “driving strategy … proactively hunting” for intruders.
“They’re setting up these data lakes so that they can go in and proactively look through for these anomalies,” Powledge added. He spoke at a panel discussion later in the day.
Barsamian highlighted the importance of using that data correctly. SOCs did not need that “101st alert,” she said. “Using analytics to identify threats … is to really miss the big picture.”
“You shouldn’t stop at using analytics to throw up alerts or you’ll end up, not with a SOC that’s faster than the attacker, but with a SOC that’s handling more alerts,” she warned.
A second consequence of assuming compromise, Barsamian said, was “shifting to a data-centric security posture.”
“If you can’t … keep them out, you need to control access to the data they want.”
Encryption is obviously the answer, but the problem, she said, is that for the last decade encryption has meant encrypting data at rest and in transit — but not while it is actually being used.
“Encrypting the container and the pipe” was not enough, she said.
“You have to build the protection into the data, so that the protection travels with it,” she said.
The third way that defenders were coming to grips with assuming compromise was by focusing on software security.
“The application is the new perimeter,” Barsamian said.
The Department of Defense, recognizing this, has sought to provide engineering support “throughout the lifecycle of acquisition programs,” said Kristen Baldwin, the acting deputy assistant secretary of defense for systems engineering. “We have experts in our engineering labs and centers that care very deeply about this,” she said at an earlier session.
She touted the department’s new Joint Federated Assurance Center, where those experts hunted for vulnerabilities in new military technologies.
New tools make it possible for developers to check their code as they go, said Rob Roy, HPE Security’s public sector CTO.
“It’s almost like a spellchecker,” he told FedScoop.