PCI DSS compliance diverts resources from more pressing threats, says Akamai's Corman

Akamai's Corman called PCI DSS a "no zombie left behind" program

Corman told the Security Innovation Network (SINET) summit held this week at the Massachusetts Institute of Technology that most corporate spending on information security is going toward ineffective, compliance-driven security instead of being used to protect against higher-level threats, such as APTs. Companies “fear the auditor more than the attacker”, he observed.

“We see people spending either 100% of their security budget on compliance or 70%/30%, but even the best security programs have been dramatically distracted by compliance”, he said.

The Akamai official said that credit cards are highly replaceable, while intellectual property (IP) is often irreplaceable. “This is why the RSA breach is so much more significant than a credit card breach… Yet most of our security ‘best practices’ bear on highly replaceable credit card assets”, he said.

While the number of credit card breaches has come down substantially, the number of IP and national security breaches has increased significantly, he observed. “Breaches of higher value, less replaceable assets got worse across the board… It’s not that we have gotten better at security, it is that [the criminals] are graduating to much more serious targets and asset types.”

Corman compared adversaries who launch APTs to “zombies” who never give up and want to eat your brains. “One at a time you can take them but in larger numbers they can be quite menacing”, Corman said. Zombies “love PCI DSS” because it diverts resources from stopping them. PCI DSS is a “no zombie left behind” program, he quipped.

“Zombies don’t want our wallets, they want to eat our brains. Yet 95% of all security programs are going to protect replaceable data at the opportunity costs of intellectual property, trade secrets, and more important assets”, he added.

Not surprisingly, the PCI Security Standards Council disagrees with Corman’s assessment. PCI DSS has gone a “long way toward protecting credit card data and any other data you have as well”, said Bob Russo, general manager at PCI.

“Money spent on security, whether it’s spent on protecting cardholder data, IP, or anything, is money well spent. This is about security, not about compliance, because if you become secure, compliance comes along as a by-product”, he told Infosecurity.

Russo cited a Cisco survey that found a substantial majority of respondents use PCI DSS compliance as a “springboard to get additional security into their enterprise, which is a good thing.” PCI DSS is the security floor that enables companies to add more layers of security, he said.

Russo noted that criminals who go after payment card data have always been a “persistent threat” and will continue to be so. “They will keep knocking on your door trying to get in… This is organized crime trying to get whatever information they can that is valuable. It used to be credit cards were easy to get, but the council and the standards have made that more difficult now. It seems like they are moving on” to IP and other proprietary information, he said.

“We have to continue to be vigilant, but we have made a lot of progress and we continue to make progress. We are never going to see a time when there isn’t a ‘persistent threat’ out there”, he concluded.