Which are you? More like 007 or T.J. Hooker (which is cooler to you)? We all want to be the suave figure in the snappy black tie with a martini shaken, not stirred (personally it's whiskey, neat), but you get the idea. What I am asking you is this: are you busy investigating traffic crimes and writing your users tickets like T.J. Hooker? Or are you hunting for Red October?
Some time ago we shifted our cyber security culture to something akin to being cops. Yes, cops are important; take them away and you get bedlam. But cops (for the most part) investigate crimes that already happened. Most cyber security teams do the same: they investigate breaches or violations after they happen. Why do incident response teams and companies make so much? Why wouldn't we pay more for people to prevent it in the first place, maybe some sort of front line cyber defense group watching your IP, your users and your names? Wait, we do have some of those (do they work?).
So shift the cyber security model to being spies. Not only is it cooler, it's also more productive. Let machines do the cop part: enforce policy and limit user interaction. Humans need to make the hard calls, the fuzzy logic stuff. Let's get to a culture where Philip K. Dick is our role model in security and products are 'Minority Reporting' rather than 'piles of reporting'.
I think it's through security automation. We demand (not ask) that security vendors stop selling us point solutions that each meet a specific need and start selling pieces of a greater, integrated solution. Today you have 7? 10? security products. How do they talk to each other? Do they meet in the SIEM? How is that working? (Lots of swivel chair administration?) Seriously, why can't my IDS trigger a scan from my vulnerability scanner, which in turn triggers an endpoint remediation? STIX and TAXII promise some of this, but I fail to see how they can deliver specific solutions from a generic protocol. Ask a hacker how to compromise STIX and get back to me.
If security professionals continue to accept things as they are, we will be in worse shape in 5 years. Today even the most secure networks operate as if continually compromised. Why is that? Because we cannot even detect most compromises until long after they happen. How long is the average breach-to-detection? (It's 200 days.) Seriously? How long is the average remediation? (21 days.) Seriously?
So let's stop waiting for the breach and stop playing cop. Let's dig into our data and know what is valuable in our network. Stop playing cop at the edge and remember that, like the Matrix, 'There is no spoon' (or in this case, there is no edge): the user is the endpoint, not the device.
Let's build a culture of security: secure applications by design, build secure networks, and secure data. Stop thinking 'encrypt it all' and start thinking 'why do we have this in the first place?'. Ask your application developers 'why do we need the social security number?' or 'why do we store that data?' and not 'how are we encrypting it?'. See where tokenization, and just plain anonymity for our users, is possible. A breach is really different when you can report 'we don't have any PII; we don't store it'.
See you at the Casino Royale… I will take a whiskey, neat.
*Jaron Lanier (thanks dude)