Music degrees aside, relevant discussions around “what Equifax got wrong” are as predictable as they are ridiculous. There are things that we as an industry can do now which will make a difference, and better patch management just doesn’t cut it. Below I talk about our defeatist industry as I see it, a much-needed paradigm shift, and add my own bias in how we can be better in some respects, by using cyber deception.
The critique heard and advice given following each data breach consists of the same old security basics. Don’t get me wrong, as a security professional I believe in basics, and I believe in processes. But, they will never be perfect.
Further, there are endless circles of basics. If an attacker got in through a vulnerability or misconfiguration, should they then be able to own our entire infrastructure? What can we do that is different and will make a difference, and not two years from now, but today?
There is an inherent asymmetry in cyber security, with adversaries who only need to succeed once, while defenders have to remain vigilant all the time, at a huge cost differential. We must think differently. We must shift the economics of attackers, making their operations riskier, and their cost at each step that much higher.
To do this, the basics in security we should be looking at instead are strategic. Do we control our own ground? Are we building static defences or are we agile? Can we control what information the attackers have on us, hence controlling their activities? We are so defeatist in cyber security: each morning, going to work, we recognize we are going to lose if only the bad guys want it hard enough. I refuse to accept it.
Three years ago, I quit everything and decided to change the conversation. To do this, I opened a company, Cymmetria, focused on creating cyber deception technology to empower the defenders. I was tired of hearing, yet again, about the 250 days until an attacker is discovered, or seeing yet another new technology trying to run the rat race of discovering malware or vulnerabilities faster, the same way NetWitness or Trusteer did 10 years ago, only 10% better, with AI on top. To create something new, I looked to the world of strategy. We must shift the asymmetry in cyber security, and moreover, turn the tables on the attackers. This is what cyber deception does.
Back in 2014, when I tried to approach people about cyber deception, their response was so often, “honeypots?” Today, I am happy to say cyber deception has become a best practice. 2017 has been an amazing year for us with inbound RFPs, projects and budgets, and endless installations. Gartner has helped, defining deception as a top 10 security control for the enterprise.
Cyber deception won’t solve the world’s problems, and won’t catch everything. It does however make attackers’ lives that much harder, while dealing with real pain points. This is how hunting is done. We want to have the same visibility we have at the edge inside of the perimeter? We want to counter lateral movement? Catch responder/Pass-the-Hash? Be able to deterministically say whether an event/alert is real? Cyber deception can do that.
Yet, when a data breach occurs, people still talk about better patch management. While attackers are extremely fast adopters of technology, defenders are not.
Cyber deception isn’t the only new technology out there in security. Further, it won’t solve all of your problems. It will however find attackers in your environment, and help you kick them out. It’s a growing industry. You should look into it, and from my biased perspective, you should look at Cymmetria.
In fact, talk to me. Three years ago I bet my life on the concept. It’s time to take control back and stop being a defeatist industry.
Gadi Evron (Twitter: @gadievron, Facebook: @gadioncyber)
#Equifax #databreach #basics #patching #asymmetry #cyberdeception #cymmetria