ORLANDO–It’s accepted as fact that many of the compromises and data breaches that make headlines and cost CSOs their jobs are accomplished through the use of known vulnerabilities and old techniques. These problems are fixable, but throwing money and technology at them is not the right answer, experts say.
The security industry is experiencing an investment boom, both in terms of money coming into existing vendors and new startups, and in terms of budget flowing to internal security teams in enterprises. The money is going in all different directions, and many enterprises are using their budget windfalls to buy new security appliances, devices, and software. But they’re not investing in the people who have the experience and knowledge to make those purchases useful.
“We know that we’re never going to be perfect and stop one hundred percent of attacks, and it feels like we’re not getting better. But I think we are, we’re just not doing things the right way,” David Kennedy, founder and principal security consultant at TrustedSec, said during a talk at the InfoSec World conference here Monday.
“We’re focusing on technology over talent. That’s one of the problems in this industry, because most of the time the technology you’re buying isn’t that good.”
Kennedy, an experienced penetration tester and security consultant, said that the easiest ways to compromise a given organization, even one with a good security program, remain its endpoints and its users. Even relatively modest-sized organizations may have thousands or tens of thousands of devices connected to their networks, and inventorying and patching them is a time-consuming and difficult task.
And that’s what attackers are counting on.
“Endpoints are winning, hands down. If I’m going after your organization, it’s going to be through the endpoints or the users,” Kennedy said.
He said that 82 percent of the breaches his company is involved in remediating are caused by endpoint compromises, while only 14 percent are the result of compromises at the network perimeter. Kennedy said that while much of the energy in the security community has been focused on building next-generation products with faster blinking lights, the basics have been ignored in many places.
“We have a lot of risk to deal with. You can’t fix ten years of neglect with one year of investment,” he said. “We need prioritization, not productization. Buying stuff is what gets us into a lot of trouble today. We buy too much stuff right now. Most of the technology that you have in your environment today works. You’re just not using it right.”
Kennedy emphasized that the level of talent and knowledge in the security community is far better now than it was when he started 15 years ago. That talent just needs to be utilized correctly.
“The truth is we’re not that bad. It’s night and day from where it was fifteen years ago,” he said. “It’s not that bad out there.”