the security blender

Catching up on some new feeds, I see Marcus Sachs threw down a quick SANS diary post question about the future of security, framed with recent Stuxnet analysis from Symantec. I have two pieces to pull out.

While the demo is for Stuxnet, it brings home many of the techniques that have been perfected over the past two years to bypass firewalls, intrusion detection systems, and other classic defense mechanisms.

It helps (from a certain perspective) that organizations and people are bypassing these controls during daily business. For instance, the big stink in recent years about SCADA has been the degradation of the traditional “air gap” between those controlling systems and the greater network (even Internet) of the organization. The classic defense mechanism of an “air gap” doesn’t even need to be bypassed by attackers, because it’s already been done for them! The same goes for the challenges in endpoint controls and basically any other traditional, rigid layer.

Well, we need to start rethinking how we are going to defend our networks in the coming years and decades. Layers of defense are, of course, important – but what should those layers be?

This is a strange question, especially as these layers of defense are being eroded by users and organizations themselves. I’d probably point to several directions as discussion-starters. I think the real point is that there are no longer discrete “layers” so much as a creative blending of existing and new pseudo-layers to create some security value.

Disclaimer: I have no answers at the moment; just contributions to ongoing discussions!

  • diligent staff – It might sound stupid and all 1950s, but when all else fails, you really simply have to have skilled staff keeping their fingers on the pulse of the network. Technological layers aren’t going to fix what is increasingly becoming a soft problem; not without defining and truly enforcing rigid limitations/controls. This is fallible, yes, but if one wants to say all these layers of defenses today are failing, you need to move into layer 8…
  • get security correct from the start – Obviously software, systems, hardware, and the various ways they’re put together need to be created/implemented in a secure fashion from the start. Unknown attacks will still pop up (0days), but at least start as secure as we possibly know how to be.
  • encryption – Basically, encrypt everything. Of course, this cuts both ways, and will impact security visibility as well.
  • identity – If you need to blindly trust encrypted communication, you must implement a trusted identity mechanism to control who can dump information into those encrypted communication channels. This includes people as well as devices and even app identity.

I’d say none of these options are realistically possible to fully achieve. Some portion of each of them can be used, though. Besides, the whole concept of a layered approach to security *should* imply that no single layer (or even a couple of layers) provides full security. Likewise, none of these additional pieces above will do it alone, but rather each should be implemented as much as resources allow, for an even more blended approach.

Of course, we’re back to looking at security less from a technological standpoint and more from a pragmatic or risk standpoint, yeah?