This post is part of a multi-part series about the Securosis Guide to the RSA Conference (download the RSAC-G PDF). Please scroll to the bottom for links to other posts in the series.
Ransomware. Pwning the IoT. Backdoors. Botnets. Skimmers. APT. Malicious apps. The NSA. Lots and lots of noise from the press about these scary threats, but what grabs the headline is not what drives the security budgets. Hacking devices and networks is all very clever, but when we get in front of enterprises, data security remains—as it has for many years—at the top of their priority list. As we do each year, we offer the following guide to help steer you clear of the hype and anti-trends and towards real data security solutions.
Behind the FUD
"How do you stop the insider threat?" and "What do we do about malicious insiders?" You'll see dozens of ads during RSA week throwing this problem in your face, daring you to come up with a response. From our analyst perch these questions used to appear as the very essence of FUD, preying on the mental insecurities of IT folks. We don't know if it's a learned response from listening to vendors and media hype all these years, or maybe they've watched too many episodes of "Mr. Robot," but enterprise clients are legitimately worried about employees and contractors, and now ask us these very questions. When it comes down to it, the entire conversation is B.S. Ignore it.
In reality attackers access your systems from their apartments, sitting in their underwear and drinking coffee, just like your 'work at home' employees and contractors. How do you tell the difference? If you said 'ski masks', stop reading now, and go update your resume. For the rest, understand that any attacker, once they gain a foothold on an endpoint, web server or admin account, will begin to leverage your resources just like an employee. They will search for what they want, and then steal or alter data. It's less important to be looking for "insiders" than it is to look for misuse in general. Once you move past the basic protections provided by encryption and identity management, protecting data from misuse means actively detecting misuse. Activity monitoring and event analysis do this, and these tools detect both classes of attacker because they look at what an account does, not at whose name is on it.
We don't want the debate between insider and outsider—which is essentially vendors attempting to differentiate their products—to cloud the issue of protecting data beyond preventative security controls. Instead, approach it from the type of repository you want to protect, and the type of activity most likely to be misused. At that point there are only a couple of options to detect data misuse, so your choices become clearer, and you can side-step the meaningless insider debate.
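The point that one set of monitoring rules catches both classes of attacker, as an added example that is not part of the original post or any vendor's product: a small Python scorer run over a constructed database access log. The log format, the account names, the split between baseline days and the scored day, and the thresholds (a 20x jump over the account's own median rows per query, with a 10,000-row floor) are all assumptions made for the illustration.

```python
"""Added example (not Securosis code): score data-access events for misuse
without caring whether the account belongs to an employee, a contractor or
an attacker who has taken the account over.

Assumptions for illustration: a constructed log of (day, user, source IP,
table, rows returned); days 1-3 form the baseline; thresholds are made up.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class AccessEvent:
    day: int       # relative day number within the constructed log
    user: str      # account name; employee and contractor accounts look alike
    src_ip: str
    table: str
    rows: int      # rows returned by the query


# Constructed sample log. Days 1-3 are routine; day 4 holds two misuse cases.
SAMPLE_EVENTS = [
    AccessEvent(1, "alice", "10.0.5.12", "orders", 40),
    AccessEvent(1, "alice", "10.0.5.12", "customers", 25),
    AccessEvent(2, "alice", "10.0.5.12", "orders", 55),
    AccessEvent(3, "alice", "10.0.5.12", "customers", 30),
    AccessEvent(1, "hvac-vendor", "203.0.113.7", "hvac_telemetry", 500),
    AccessEvent(2, "hvac-vendor", "203.0.113.7", "hvac_telemetry", 480),
    AccessEvent(3, "hvac-vendor", "203.0.113.7", "hvac_telemetry", 510),
    # Day 4: an employee account bulk-exporting a table it normally reads in
    # small pieces, and a contractor account reaching a table it never touched.
    AccessEvent(4, "alice", "10.0.5.12", "customers", 250000),
    AccessEvent(4, "hvac-vendor", "203.0.113.7", "card_tokens", 12000),
    AccessEvent(4, "alice", "10.0.5.12", "orders", 48),
]


def build_baseline(events, last_baseline_day):
    """Per-account profile from the baseline period: tables touched,
    source addresses used and the median rows returned per query."""
    tables, ips, rows = defaultdict(set), defaultdict(set), defaultdict(list)
    for e in events:
        if e.day <= last_baseline_day:
            tables[e.user].add(e.table)
            ips[e.user].add(e.src_ip)
            rows[e.user].append(e.rows)
    return {u: {"tables": tables[u], "ips": ips[u], "median_rows": median(rows[u])}
            for u in rows}


def score_event(event, baseline, volume_factor=20, bulk_floor=10000):
    """Return the reasons an event looks like misuse (empty list if none).
    The rules look only at behaviour, never at who the account belongs to."""
    profile = baseline.get(event.user)
    if profile is None:
        return ["no baseline for account"]
    reasons = []
    if event.table not in profile["tables"]:
        reasons.append(f"first access to {event.table}")
    if event.src_ip not in profile["ips"]:
        reasons.append(f"new source {event.src_ip}")
    # Bulk read: far above the account's own norm, and above an absolute floor
    # so a low-volume account is not flagged for a few hundred rows.
    limit = max(volume_factor * profile["median_rows"], bulk_floor)
    if event.rows > limit:
        reasons.append(
            f"bulk read of {event.rows} rows (median {profile['median_rows']:.0f})")
    return reasons


def find_misuse(events, last_baseline_day):
    """Score every event after the baseline period; returns (user, table, reasons)."""
    baseline = build_baseline(events, last_baseline_day)
    alerts = []
    for e in events:
        if e.day > last_baseline_day:
            reasons = score_event(e, baseline)
            if reasons:
                alerts.append((e.user, e.table, reasons))
    return alerts


if __name__ == "__main__":
    for user, table, reasons in find_misuse(SAMPLE_EVENTS, last_baseline_day=3):
        print(f"{user:12} {table:16} {'; '.join(reasons)}")
```

Run as-is it flags the employee account for the 250,000-row export and the contractor account for touching card_tokens at volume, while the routine day-4 read of orders passes; the scorer never consults an employee/contractor attribute, which is the whole argument above. In production the baseline would come from weeks of history and the thresholds would be tuned per repository, but the shape of the rules is the same.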
Where Have You Gone, Abe Vigoda
Most people were surprised Abe Vigoda passed away this year. In fact, so many people thought he had passed away long ago that—in the late 90s—the Abe Vigoda clock was created to reflect Abe's status of being alive and well. Alas, the legendary actor passed away in January 2016, and the clock has stopped. But it got us thinking that from a data security standpoint, we need to create a PCI-DSS status clock so people know "PCI-DSS is still alive." I know, I know, you're surprised by this news too. Considering the lack of updates to the standard and the continued stream of card breaches, it's easy to see why you might make this mistake. Serious discussions about the specification, the audit process, or any other facet seem to be on hold. When you consider that PCI-DSS was the major driver for data security for almost a decade, the silence is deafening. You may be thinking that the council has crawled into a hole somewhere waiting to die.
Being the person in charge of the PCI certification process is like being the designated driver at a bachelor party, where your buddies insist on pushing you onto a stage to perform karaoke sober. Nobody looks good performing this charade to begin with, and it's definitely not fun without alcohol. The good news is this is the first year in a long time we're not trying to solve new PCI audit findings. And a relative status quo on the compliance front is OK with IT folks, who remain apathetic towards the standard, just going through the motions without embracing it as a serious exercise in security. And who can blame them, when it seemed many breached firms had recently been through the certification process. Even when the council does pop up, it appears they've lost their drive and vigor. Recent case in point: in December 2015 the June 2016 deadline to retire SSL and TLS 1.0 was pushed out to June 2018. Two and a half years is a lifetime in security.
We think the posture of the council reflects the truth. The writing is on the wall, and sometime in the near future the standard's relevance will cease. Payment systems will finally dispense with credit card numbers altogether. ApplePay, AndroidPay and SamsungPay are all based on tokenization: the card number need never be passed to the new contactless terminals. Merchants will not store credit card numbers because the numbers won't be shared with them; only a token will be. For the same reasons it's going to take 2.5 years to fully retire TLS 1.0, it will take time to fully realize tokenized payment systems. For now you still need to go through the process, as the 'Abe Vigoda clock' for PCI-DSS is still ticking.
Love-Hate Relationship with Big Data
Big Data will have a huge presence on the RSA conference floor this year. It's the secret sauce for all those new miracle products; you know, the ones that find profound value in all types of data. The ones that promise to find the APTs, reduce your risk, detect threats before they occur, do forensic analysis, help SIEMs scale, juggle chainsaws, have 'force visions' of the future and make your insides all tickle-y. But the security market has a curious bipolar relationship with Big Data. It's a disruptive technology to be sure. At least that's the sales pitch for new security products. Ask IT practitioners and they are not so sure. "What's in the cluster? Is customer data stored there? Is it secure? Who has access? Do we need to worry about SQL injection? Why does that elephant look so damned happy and carefree?"
When it comes down to it, stories of the wonderful things NoSQL databases can do for you need to be balanced with the realities of owning and operating a giant multi-tenant data warehouse. What you will see is hype about the value Hadoop provides and very little about how to secure your copy of it! The hype is about battling the bad guys, but the real work to be done is protecting data. You're going to have to dig a bit at the show to find NoSQL security solutions, but there are vendors in attendance that offer data and database security for Hadoop and the common NoSQL platforms. And in many cases there is no vendor at RSAC because the solutions are open source! A pre-conference Google search will help identify the handful of commercial and open source identity, encryption, data discovery and management solutions that tackle big data security.
SLAs—Keeping Data Insecure Since 1995
Of course you remember the Target breach. And like us you probably laughed about the lunacy of a successful attack through an external network connection for HVAC management. That is, until you realized that between your external SOC, third-party mainframe management, cloud gateways and contractors you have about 100 other remote connection points that provide the management conduit to your most prized systems. They use generic admin accounts, and your directory services list these third parties under the same roles as employees; after all, these contractors are performing a role an employee used to. Why go through the pain of setting up new roles for contractors? Now they come in through VPN connections on unregistered devices, often without passwords, performing the admin duties you contracted them to do. You invited them to the party, so good luck reining them in. Most third-party firms simply reject new security constraints as outside the service level agreement. Those providers that volunteer only do so after you sign a 'change order', which means you pay lots of money not currently in your budget.
2FA—or two-factor authentication—is buzzing this year as a means to better user authentication. Beyond possessing a VPN certificate and general network credentials, users must prove they are who they say they are by validating from a registered mobile device as well. The same VPN and identity infrastructure is in play, but 2FA solves several problems related to system and data access. It validates the user by leveraging the mobile device authentication, it ties activity to a specific user/device combination, and it stops attackers with stolen laptops—the ones with VPN certificates embedded—from automatically gaining access to the network, provided the second factor does not live on that same laptop.
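How the registered-device factor in that description is typically checked on the server side, as an added example that is not code from the original post or from any vendor mentioned: a small RFC 6238 TOTP verifier in Python (TOTP over RFC 4226 HOTP, HMAC-SHA1). The enrolment store, the one-step skew window and the replay check on the last accepted counter are design assumptions for the illustration; the usage at the bottom uses the RFC's own test secret so the output can be checked against the spec's test vectors.

```python
"""Added example (not Securosis code): a server-side TOTP verifier of the
kind behind a "validate from a registered mobile device" step.

RFC 6238 TOTP built on RFC 4226 HOTP with HMAC-SHA1. The in-memory
enrolment store, the skew window and the replay rule are assumptions made
for illustration; the 20-byte secret below is the RFC test secret.
"""
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic
    truncation to a 31-bit integer, reduced to the requested digit count."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time / step."""
    return hotp(secret, at_time // step, digits)


class TotpVerifier:
    """One shared secret per enrolled user/device, plus the last counter that
    was accepted, so a code captured in transit cannot be replayed inside
    the skew window. Ties an accepted login to a specific enrolled device."""

    def __init__(self, step: int = 30, digits: int = 6, window: int = 1):
        self.step, self.digits, self.window = step, digits, window
        self._devices = {}  # user -> [secret, last_accepted_counter]

    def enroll(self, user: str, secret: bytes = b"") -> bytes:
        # A fresh 160-bit seed per device unless the caller supplies one.
        secret = secret or secrets.token_bytes(20)
        self._devices[user] = [secret, -1]
        return secret

    def verify(self, user: str, submitted: str, now: int) -> bool:
        """Accept a code for the current step or +/- window steps of skew,
        never twice for the same step, and never for a step older than the
        last one accepted."""
        entry = self._devices.get(user)
        if entry is None or len(submitted) != self.digits or not submitted.isascii():
            return False
        secret, last = entry
        current = now // self.step
        for candidate in range(current - self.window, current + self.window + 1):
            if candidate <= last:
                continue  # already used, or behind the last accepted step
            expected = hotp(secret, candidate, self.digits)
            if hmac.compare_digest(expected, submitted):  # constant-time compare
                entry[1] = candidate
                return True
        return False


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"  # test secret from RFC 4226 / RFC 6238
    verifier = TotpVerifier(digits=8)
    verifier.enroll("alice", rfc_secret)
    code = totp(rfc_secret, 59, digits=8)
    print("code at T=59:", code)                       # RFC vector: 94287082
    print("first use:", verifier.verify("alice", code, now=59))
    print("replay:   ", verifier.verify("alice", code, now=59))
```

The second factor only buys what the text claims if the secret is enrolled on a device the attacker does not hold, and the server must keep the last accepted counter per device or a code sniffed during a VPN login stays valid for the whole skew window. The window of one step (30 seconds either way) covers ordinary phone clock drift; widen it and you widen the replay and guessing surface with it.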
— Adrian Lane
Check out the complete series: Introduction
Theme posts: Threat Intelligence & Bothan Spies, R2DevOps, Escape from Cloud City, The Beginning of the End(point) for the Empire, Training Security Jedi, Attack of the (Analytics) Clones
Deep Dives: All Threats, All the Time..., Data Security Deep Dive, Cloud Security Deep Dive