By Gregory Hale
Safety and security have differences, but in the end they focus on measuring risk and how that applies to what you are trying to protect.
“There is no such thing as security, it is just the measurement of risk,” said Chris Roberts, chief security strategist at Attivo Networks during his talk at Synopsys’ Codenomicon conference during Black Hat USA 2019 in Las Vegas, NV, last week. “How can we work with the business so we all understand what the risk is to the business? We have to change the conversation to talk about risk.”
Roberts talked about security versus safety. “For 60,000 years we understood safety.”
Understanding risk means understanding what will keep adversaries out and one thing Roberts said is putting up walls just won’t work. For 4,000 years, we have put up walls and people find a way around them, it just doesn’t work, he said.
The problem is, Roberts said, the security vendors in the industry are constantly pushing product and hyping the latest and greatest technologies and users are falling for the easy solution. But that is not helping.
“We’re broken as an industry, we have some challenges,” Roberts said. “We are spending $124 billion on security this year and we keep losing more and more data each week. We spend more money and we keep losing data. We keep spending money on conferences and marketing. Then we tell our customers we can keep you 100 percent secure, what bollocks.”
Instead, security professionals need to look inward.
“We need to change our own discussion about ourselves,” he said. “We need to stop treating people like idiots; this is our industry we need to protect. Let’s not get caught up in the blinking lights and things like AI, send them away.”
Rather, Roberts said there are some other old fashioned things we can do to help boost security.
“We need to spend more time listening,” he said. “We are not doing a good job of it. We need to look at metrics. Instead, we are putting band aids on top of band aids.”
He then talked about some issues that are affecting the industry like passwords. He added he is working on a different approach to that problem focusing on mapping different brain signals that could end up being a very effective form of a password.
That is one example of using a different way of trying to solve a problem.
“We keep talking about the same things and using the same approach,” Roberts said. “Why not go out and hire people outside the industry.”
He talked about other types of security issues where people are impressed with the technology, but Roberts wondered about the security.
Things like planes that have 10,000 sensors in the wings, but he questioned how secure they are. Even autonomous vehicles. He also mentioned shipping. Where it would not be too difficult for an attacker to take over something like ballast control, which could be devastating.
Even trains present a problem where every few miles there is a signal box an attacker could take over and he or she could do whatever he or she wants.
“We have forgotten the basics,” he said. “It all comes down to knowledge and action. We need to fix the humans. We need people who care.”
Along the lines of the basics, Roberts talked about end user awareness training where some type of education has to happen every month.
Keeping in line with more basics, Roberts said people need to understand their systems and then grow security from that point.
“If your network is flat, don’t buy advanced crap. You need to segment,” he said. “You don’t have a perimeter. Accept it. Start looking at preventive, proactive and predictive. Use two-factor authentication and start to educate people. Get a plan in place. Communications and collaboration; it is the basic stuff.”
And security folks need remain humble and admit they don’t have all the answers.
“Can we walk into a situation and say I can’t help you, but I know someone that can. Do we ever say that? Do we have the discipline to step back and say how can we do things differently? Do we have the humility to go the business and speak the same language?
In the end, the security industry needs to bring in different perspectives to solve problems.
“If we collaborate and communicate effectively between all of us, we stand a chance,” Roberts said.