Mike Spanbauer, Vice President of Research at NSS Labs, emphasized the importance of asking the right questions in thinking about the current threat environment.
“We in security have a labor issue, a talent issue,” Spanbauer announced at the outset of his thought leadership presentation at the 2016 Chief Information Security Officer Leadership Forum held in San Francisco on June 29. “There aren’t enough folks to work on the tools, manage, and maintain them, much less address the epic struggle between us and the adversaries. Are we thinking about this problem in the right way?” he asked.
“Whether or not you believe you’ve been breached, chances are, you have,” said Spanbauer. “The question is whether this is a threat of note.” These days, he said, organizations should be:
• Expecting persistent attacks
• Redefining breaches (as data exfiltration)
• Working to understand the adversary through attack lifecycle management and the kill chain
• Rapidly redistributing investments (by moving beyond prevention-only)
• Addressing security risk strategically
• Empowering security tactics beyond SecOps
“Employee training is critical because every member of the organization is part of the security function,” said Spanbauer. “Education shouldn’t only focus on protecting against vulnerabilities but empowering employees to be responsible for enhancing security.”
Spanbauer continued: “Attacks progress in a sequence. The key consideration for security is whether the organization has effective technologies, processes, and people to address each point in this sequence. The closer to the infection point that it’s possible to effectively protect the data, the less costly it’s going to be,” he pointed out. These early intervention platforms include decision support, vulnerability management, and patch management.
“We often look backwards rather than at what exploits are popular now, what applications are being targeted,” observed Spanbauer. “Threat intelligence is, by nature, a rear-view mirror, although it’s more than just information. It has to include insight. We often have too much of the wrong kind of information. In addition,” he said, “attacks happen in computer time but responses happen in human time. And, as I mentioned at the beginning of this talk, there’s the talent shortage. We need to look outside security to find people who can do this work—people with a gaming mindset, creative problem solvers—because the attackers are these sorts of people.”
Almost 100% of all breaches are attributed to a few hundred exploits and a few dozen commercial exploit kits, noted Spanbauer. “APTs make headlines and zero days are sexy, but chances are you’ll never see one. Your IT environment can have thousands of unpatched vulnerabilities but, at any given time, only a small handful of vulnerabilities are being actively exploited, and only a few of those can bypass your security products.”
In the last six months, Internet Explorer 9 and Internet Explorer 8 were by far the top applications targeted, according to research by Spanbauer’s company, with more than 4500 and 1800 attacks, respectively, followed by Silverlight 5 and Silverlight 5.5, with several hundred attacks each.
“We need to change as quickly as the threat actors change,” Spanbauer advised. “The applications threat actors target are changing and the security products they bypass are changing. However, the only real exposure is where active exploits and company assets intersect, so this is where security needs to be focused.”
ABOUT MIKE SPANBAUER:
Mike Spanbauer, a recognized leader in security and infrastructure technologies, leads the analyst team in creating research that combines years of testing experience with quantitative analysis of the world’s leading security companies, products, and markets. In addition to running the company’s research organization, he also advises clients on how best to address today’s cybersecurity threats.
Prior to joining NSS, Mike was Service Director at Current Analysis, managing the Business Technology and Software group, which monitored, analyzed, and advised on application platforms, collaboration platforms, data center technology, enterprise mobility technology, enterprise networking, enterprise security, and unified communications and contact centers.
Previously, he spent nearly 15 years at Hewlett-Packard, where he established and managed competitive intelligence programs for networking hardware and in-network management software.
Mike is well respected within the enterprise and carrier communities for his comprehensive insights into the domains and management of cloud, networking, cybersecurity, and software-defined networking. He has spoken at multiple industry events as a subject matter expert and as a Track Chair.