Years ago, right here in this blog, I pointed out that the worst of gamification was being applied to information security: play the game until you lose. I wish I could say we were past that, but we are not. And I think it is time for us to have a bit of a rethink (as my UK colleagues would say).
Consider this. Twenty years ago, breaches were relatively common and we were concerned enough to enact laws about data, security, etc. Today, breaches are relatively common. In the intervening years, we implemented more and more security.
The problem is that our environments, from the mainframe era to today, have grown increasingly complex. Our mission to make applications more useful and accessible makes them more vulnerable at the same time. And the changes are constant.
If we were doing this right, breach notifications would be super rare, and we’d all want to know if it was a broken machine or human at fault—kind of like aircraft crashes are handled and reported in most of the world. Instead, we go out to a site like haveibeenpwned to see if we’ve been impacted, shrug and assume that the free credit monitoring service from the last five breaches should have us covered financially, and we move along.
Internally, there is a post-mortem that closes whatever hole the attacker got in through or exfiltrated data through, and we carry on, knowing full well that a different attack is coming.
We are currently staring longingly at the bright lights of AI, hoping it can protect us from unknown vulnerabilities going forward. A bit of critical thinking will make it obvious that this is simply keeping up with attackers who also have access to AI and are using it to refine and launch even more complex attacks.
The problem is that we all see the non-stop changes to attack vectors and architectures and don’t know how we could protect more broadly—and that is the appeal of trainable AI. We hope that it can rapidly generalize from its training to detect previously unknown attacks and, given enough inputs, can computationally detect attacks humans might miss in the sea of data. But that is still a point solution, in my opinion.
How attackers approach the problem and what tools (both tooling and vulnerabilities) they have available are constantly changing, but the goals are unchanged. And I think we have to adapt our thinking to address those goals instead. Policy enforcement is a step in that direction—but, again, that means we’re protecting against the known.
I don’t have the answers. I keep thinking of two approaches. Airplanes are routed around a ton of threats to get their cargo to its destination safely, and that seems analogous to the problem. And hardened fortresses that literally ignore the current mentality of “the perimeter is everywhere” and take the core, important bits of applications and lock them away even more tightly than we do today, with single-API access to a given bit, and that API monitored and analyzed constantly.
But those are both sweeping, drastic approaches, and that may be our problem. Security spaces are merging slowly, but we still have a largely “That’s ops, that’s dev” mentality in security (as just one example of why sweeping overall protections are problematic). So, maybe with merges, the time will come that this is naturally resolved. But we’re not there yet.
If you think about it, we’ve solved much more intractable problems, as the phone in your hand or the online game you enjoy spending a bit of time on demonstrate—we in IT and Dev are capable of amazing feats if we set clear goals and commit to both developing and implementing a solution. We just need those clear goals, and fighting today’s attack and hoping against hope another won’t come tomorrow just isn’t it.