Don’t try to avoid data breaches altogether – that’s a waste of time. Dealing with a breach is now simply part of being a security professional. Instead, focus on mitigating the damage once a breach occurs.
While that wasn’t a particularly uplifting introduction to this post, that was the message coming from Kevin Mandia, senior vice-president and chief operating officer of FireEye Inc., during his keynote address at the RSA conference in San Francisco last week.
“I used to say security breaches were inevitable, but I’ve been told that’s defeatist-sounding,” said Mandia, the founder and former CEO of Mandiant, a company he sold to FireEye in January for almost $1 billion in stock and cash. “Now I say: they happen. If people want to break it, they will break in, so let’s figure out how to break into ourselves.”
In his presentation, Mandia pointed to one of the reports his firm had been working on – its investigation of the New York Times hackings in the fall of 2012. The Times hired Mandiant to investigate who was attacking its computers, and Mandiant found it was the Chinese military – a stunning find at the time, given governments generally spy on other governments and avoid going after the private sector.
What was more stunning was what the Times did with that information – instead of sitting on it, the paper came right out and accused the Chinese government of spying. While the Chinese government denied it, Mandia said his company still went ahead and released their report.
“There were a few reasons for the release,” he said. “We could feel the frustration. Companies are spending $10 million, $20 million [on security], but it’s an unfair fight with a government.”
Given the battle for cybersecurity is so lopsided, what can businesses do? When his firm is investigating a breach, it only answers two questions, over and over, Mandia said. First, what happened? And second, what can businesses do about it?
“What I learned [from the New York Times hacking] is that there are no risks and repercussions. It’s still happening today,” he said. “People can commit crimes from six to 20,000 miles away … They’re not smarter. But it’s just easier to shatter crystal than to shape it.”
In giving his presentation, Mandia was tapping into a lot of what was being said at the RSA conference last week. As IT environments get more complex and attackers become more sophisticated, CIOs and other security professionals often find themselves scrambling to stop up all the gaps and fill in all of the holes in their security – and sometimes, they don’t feel fully prepared.
“I have to be right every time, but [hackers] only have to be right one time,” said Joseph Lowe, a senior security analyst with Intrawest Resort Holdings Inc. and an attendee at the RSA conference.
He added he doesn’t feel sure he’s able to deal with many of the threats coming his way, simply because he doesn’t have the resources or the staff.
Lowe isn’t the only one who feels this way. In a survey published by Trustwave Holdings Inc. last month, about 58 per cent of the 833 security professionals polled said they felt as though they faced more pressure to protect their organizations than in 2013.
Out of those respondents, 64 per cent said their biggest worry was targeted malware and advanced persistent threats, while 62 per cent said they were concerned about data loss, theft, and breaches.
Another 60 per cent said they were watching for phishing schemes and socially engineered attacks.
The fact is, many IT professionals simply aren’t adequately equipped for the demands of today’s security landscape, says Lawrence Pingree, an analyst for Gartner Inc. In the first place, security professionals need a general, well-rounded background in and understanding of IT technologies, but many people are too heavily specialized in one area – for example, system administration, he says.
And while hiring someone who is proficient in all IT technologies might be difficult enough, there aren’t that many IT professionals to begin with, he adds.
“Now, [being a security professional today] is more of a challenge,” Pingree says. “Security professionals play the art of war. I build a castle and a moat – and then somebody comes by with a boat.”
While it’s still possible to set up strong, protective defenses, what security professionals need to do is share intelligence, he says. As attackers have the element of surprise on their side, security companies need to pool their data together and figure out how those attackers are breaking in – an idea that Symantec Corp.’s Stephen Trilling also floated during his keynote address at the RSA conference.
For Mandia, the most important thing security professionals can do is to accept they’re not always going to win. That means ensuring they have the ability to know when they’ve been hacked, rather than blindly assuming they’ve never been hacked simply because they haven’t noticed. Then, once they’ve realized they’ve been hacked, security professionals need to fess up and begin mitigating the damage by contacting the customers affected, cleaning up the damage, and setting up controls to prevent a similar attack from happening again.
“It’s a tough job being a [chief information security officer],” he said. “When someone hacks you, you have to apologize for being the victim … Breaches will happen, but we need to eliminate the impact.”