RSA Europe 2011: ‘Fragile’ state of security requires new ‘agile’ model

‘Security for agility’, Thompson explained, is a “new model for security that expects failure; in fact, it embraces it”. The chief security strategist for People Security added that this new model requires that security programs be agile and create a safety net around a network.

Thompson said this idea of security being in a constantly fragile state is based on five fundamental constants, which he called laws:

1. Secure systems fail in the face of out-of-context attacks. In this case, he referred to the fact that organizations often make security decisions based on flawed data that assumes they will be susceptible to previously disclosed attacks or current attack trends.
2. Expect failure, create safety nets, and adapt. Thompson said we must evaluate our own environment and “adopt a more agile approach to security” that permits changes in strategy.
3. People will make mistakes – plan for the mistakes. People, said Thompson, may say they value privacy, but in fact they are more concerned about utility and ease of use. The explosion of personal information online means that everyone is vulnerable to a determined attacker, he continued. We can therefore lessen the impact of these mistakes by building a robust response capability. “Expect that people will make bad trust choices”, Thompson said, noting that our IT infrastructure must be resilient to this reality.
4. Assume your environment is already contested and behave accordingly. Thompson implored that this constant extends to corporate intranets. He also said it’s easier than ever to fool a well-intentioned insider into doing bad things. For example, Thompson noted: “It’s becoming harder and harder to differentiate boring work email from boring phishing email, because they look very similar.”
5. Constantly reevaluate assumptions. “Reasonable targeting” on the part of attackers no longer applies, said Thompson. It’s no longer safe to assume that those with access to the most valuable data within an organization are the most vulnerable targets. “The pillars of trust, the things that we rely on, are starting to erode”, he added.

Against this backdrop, Thompson said security practitioners “need to move from a model of lockdown to a model of agility”. He called it a “fundamental shift” in the way people think about information security.

“To combat today’s hackers”, he continued, “we need to be agile...and we need to be able to adapt. We need to be able to accept failure” and react to these failures with a flexible response plan, Thompson said in closing.