#RSAC: Centralized Visibility Allows an Advanced Threat Response

On stage at RSA 2015 this week, Martin Roesch, vice president and chief architect of Cisco’s Security Business Group, outlined strategies to evolve security to address incidents efficiently, enable visibility, facilitate appropriate actions and support business growth. Chief among them? Centralized transparency.

“The stuff we have is working kind of well, but not as well as we need it to. It’s interesting to look at how we’ve gotten to where we are today, subject to multiple high-profile attacks that are successful and do substantial damage,” he said, in his “Advanced Strategies for Defending Against a New Breed of Attacks” keynote. “It’s not going to get better, so we need new approaches to addressing the problem.”

One reason it’s not going to get better is the industrialization of hacking.

“As hackers start to realize the potential payoff that’s out there, they start to professionalize and deploy classic entrepreneurial maneuvers, like land grabs,” he said. “The increasing value of the data online is a big target, and the skills required and barriers to entry for hacking are low. Our adversaries are highly motivated. Whether it's nation-state adversaries, money-motivated criminals or hacktivists, the industrialization of hacking has turned out to be a real thing. And we’re seeing ever more voracious attackers executing more daring attacks, and [they] are getting away with a bigger haul.”

Security researchers at Cisco have found that 75 percent of all attacks take only minutes to begin exfiltrating data, and more than 50 percent of attacks persist for months or years before they are discovered.

He also noted that attackers aren’t simply moving on if the attack is not easy, the way they have in the past. But even so, many organizations are not even doing the basics of security, like ID and access provisioning, and software patching. Roesch said that this is a function of complexity.

“The way that we address security is by buying a lot of different technologies and trying to get them to interoperate,” he explained. “The typical enterprise company has between 30 and 60 security vendors that they’re working with. And that means that many management platforms, reporting mechanisms and definitions of good and bad. And they’re all trying to tell you something useful or interesting to help the defense of your environment. And with all of that going on, it’s hard to synthesize the information into actionable items to mount a response.”

What’s called for, he said, is an event management platform that can weave together different platforms. But things like intrusion protection, sandboxing, antivirus and other endpoint security systems and so on typically don’t work together, because they have no way of sharing the information that they’re seeing.

“Security technologies have a lot of awareness about their local environment,” said Roesch. “What if we could build a platform to bring all of this together in one place? The ability to export their data and externalize their data into one central visibility platform, and then have a single map of what’s running in my network would be invaluable.”

He added that if it were possible to knit together all of the data sets in order to enable companies to see what’s running on the network, how’s it configured, who’s using it and other crucial data, all in one place, it’s possible to start running automation on it, and to recommend policies based on vulnerability status and contextual impact assessment.

“Contextualizing our security events to drive better control is important—what does this event mean?” he said. “I believe this is very doable, and what we see is that this approach is very powerful when deployed appropriately. These visibility engines need to get built.”
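The contextual impact assessment Roesch describes can be made concrete with a small worked example. The code below is added here and is not from the keynote or from any Cisco product: it assumes a centralized asset inventory (what is running on each host, on which ports, under which OS, and which scanner-reported vulnerability ids apply) and sensor alerts that state which vulnerability and OS their rule targets. All hosts, alerts and `VULN-*` ids are constructed placeholders, and the four-level scoring scheme and recommended actions are this example's own, chosen to show how the same alert can mean "act now" on one host and "inventory gap" on another.

```python
"""Contextual impact assessment over a centralized asset map.

Added example (not from the keynote or any product): given one inventory of
what is running on each host, score each IDS alert by whether the targeted
host is actually exposed to what the alert describes, so analysts act on the
events that matter first and blind spots in visibility surface as findings.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    ip: str
    os: str
    services: dict[int, str]                       # listening port -> service name
    vulns: set[str] = field(default_factory=set)   # ids reported by a vuln scanner
    owner: str = "unknown"


# Constructed inventory; the VULN-* ids are placeholders, not real CVE numbers.
INVENTORY = {
    "10.0.0.5": Asset("10.0.0.5", "linux",   {22: "ssh", 80: "http"}, {"VULN-A"}, "web-team"),
    "10.0.0.9": Asset("10.0.0.9", "windows", {445: "smb"},            set(),      "finance"),
}

# Constructed alerts in the shape a sensor might export: each rule states which
# vulnerability and OS it targets so the alert can be matched against inventory.
ALERTS = [
    {"sig": "web exploit attempt", "dst_ip": "10.0.0.5",  "dst_port": 80,  "target_os": "linux",   "vuln_id": "VULN-A"},
    {"sig": "web exploit attempt", "dst_ip": "10.0.0.9",  "dst_port": 80,  "target_os": "linux",   "vuln_id": "VULN-A"},
    {"sig": "smb probe",           "dst_ip": "10.0.0.9",  "dst_port": 445, "target_os": "windows", "vuln_id": "VULN-B"},
    {"sig": "smb probe",           "dst_ip": "10.0.0.77", "dst_port": 445, "target_os": "windows", "vuln_id": "VULN-B"},
]

# Impact levels (1 is most urgent). Levels 3 and 4 are both "not confirmed",
# but level 4 means the platform is blind to the host, which is itself a finding.
RECOMMENDED_ACTION = {
    1: "escalate: contain host and patch",
    2: "investigate: confirm exposure, add to patch queue",
    3: "tune: downgrade rule for this host",
    4: "inventory gap: discover host and onboard it",
}


def assess(alert: dict, inventory: dict[str, Asset]) -> tuple[int, str]:
    """Return (impact level, reason) for one alert using asset context."""
    asset = inventory.get(alert["dst_ip"])
    if asset is None:
        return 4, "target not in inventory"
    if alert["dst_port"] not in asset.services:
        return 3, "targeted port is not listening on host"
    if alert.get("target_os") and alert["target_os"] != asset.os:
        return 3, f"rule targets {alert['target_os']}, host runs {asset.os}"
    if alert.get("vuln_id") in asset.vulns:
        return 1, f"host is known vulnerable to {alert['vuln_id']}"
    return 2, "service exposed, vulnerability not confirmed by scanner"


def prioritize(alerts: list[dict], inventory: dict[str, Asset]) -> list[dict]:
    """Score every alert and return them most urgent first, each with an action."""
    scored = []
    for a in alerts:
        level, reason = assess(a, inventory)
        asset = inventory.get(a["dst_ip"])
        scored.append({
            "level": level, "reason": reason, "action": RECOMMENDED_ACTION[level],
            "sig": a["sig"], "host": a["dst_ip"],
            "owner": asset.owner if asset else "unknown",
        })
    return sorted(scored, key=lambda s: s["level"])   # stable sort keeps sensor order within a level


if __name__ == "__main__":
    for row in prioritize(ALERTS, INVENTORY):
        print(f"[impact {row['level']}] {row['sig']} -> {row['host']} ({row['owner']}): "
              f"{row['reason']}; {row['action']}")
```

Run as-is it prints the four constructed alerts ordered by impact: the same "web exploit attempt" lands at level 1 against the Linux host whose scanner record lists the targeted vulnerability, and at level 3 against the Windows host that has nothing listening on port 80. The alert against an address the inventory has never seen is deliberately not discarded; it is ranked as an inventory gap, because a visibility platform that silently drops unknown hosts hides exactly the blind spots it exists to remove.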
