Every year at the RSA Conference hundreds—maybe thousands—of security vendors crowd into the Moscone Center in San Francisco with claims that their products or services are better. “Better” is a relative measure, but generally speaking the assertion is either that the new product or service is better than the previous version, or better than their competitors, or both. One notable trend at this year’s RSA Conference, however, is the rise of companies not just claiming to do it better, but declaring that the traditional security model and tools just don’t work, and instead offering completely new, innovative approaches to the old problems.
It’s a tough balancing act, because the pitch is essentially, “All of your existing security solutions are broken and not protecting you as advertised, pay us money for our new security solution that will do it better.”
Defense in depth is dead
“Absolutely true,” agrees Morey Haber, VP of Technology for BeyondTrust. “There are not many new effective protection technologies, but rather a ton of hype about the behavior, correlation, and analytics around all the existing data being gathered. The realization of a layered approach, or defense in depth is dead.”
Matt Alderman, VP of Strategy for Tenable Network Security, gave a presentation at RSA on precisely that topic. His session, titled “Defense in Depth Is Dead, Long Live Depth in Defense”, focused on ways that the existing security model and traditional security tools have failed us, and the need for a new, better way.
We’ve been saying the network perimeter is dead for years—the security industry, security experts, and security media all agree. I’m not really sure why we need to keep repeating that mantra every year. Exploits and attack techniques have evolved as well, which means that security needs to shift from the idea of attack or breach prevention to attack or breach detection.
Haber explains, “While traditional technologies from SIEMs to vulnerability management solutions are still important, there is a clear message around protecting identities, users, accounts, and privileges. It’s the human element that has caused most of the breaches in 2015 through phishing, insider threat, or compromised accounts.”
Don’t throw the baby out with the bath water
The fact that the traditional security model is not invulnerable doesn’t, however, mean that you should just abandon the whole thing and invest in all new tools. “We do need a better way to protect individuals’ and enterprise data, but it’s not because what we’ve done in the past is incorrect or poorly designed,” stresses Ajay Arora, CEO of Vera Security. “Technology is evolving constantly, and the pace of that evolution is only increasing.”
Klaus Gheri, VP of Network Security for Barracuda, declares, “The traditional security model and tools are a good baseline. So you can’t say they don’t work—they are just not all there is to it. With a changing attack landscape also new defenses have to be brought in place.”
Gheri also notes that there has been a revival recently of innovative endpoint security concepts. “Behavioral analysis and data analytics based on user and network activity is definitely an interesting augmentation. What is still missing are standardized interfaces (APIs) between some of the new shiny tools and the existing security infrastructure like next generation firewalls.”
According to Arora, the reason we’ve seen incremental progress in past years is that companies were trying to keep pace with threats, not head them off at the pass. “That’s what’s different now. We’ve reached an inflection point where companies have come to terms with the fact that they can’t get ahead in a head-to-head race with an incremental approach. We need to approach security in a different way—by getting straight to the point and collapsing our protections to what we’ve been trying to protect all along: our data.”
Visibility, context, and actionable intelligence are the forces driving the new era of security. Visibility into user activity is not new, but it is taking a larger part of the security stage because the user is the one ultimately causing the breach. Whether it’s user error, an intentional insider attack, or an external attacker using compromised credentials, visibility into user activity and behavior is crucial for detecting and responding to security incidents.
The ability to provide context around that visibility, pinpointing suspicious or anomalous behavior that deserves closer inspection, together with threat intelligence that can connect the dots between visibility and context to identify attacks in real time, will separate effective security solutions from the security vendors that are just echoing buzzwords.