Last week saw the start of RSA 2015, the annual gathering of security professionals and vendors from across the world in San Francisco. In the opening session, Amit Yoran, president of RSA, declared that InfoSec needed to escape the dark ages.
While technology may soon be capable of accelerating its own development, "we are still in the Dark Ages of Information Security", he told the audience. In his keynote speech, Yoran highlighted how 2014, widely seen as the "year of the breach", was another example that "things are getting worse" and a reminder that "we are losing this contest."
Yoran added that the industry has all too often promoted a defensive strategy in which "building taller castle walls and digging deeper moats" is the answer, but it's not solving the problem.
Yoran also noted that the industry is still over-reliant on signature-based systems and on building perimeters that are "incapable of detecting the threats that matter to us most". He added that though the terrain has changed, many information security professionals are still clinging to their old maps, and he urged the audience to "realise that things are different".
Yoran makes a number of interesting points throughout his speech. It's long been clear that many IT security professionals are clinging on to an antiquated approach to endpoint security, one that's reactive rather than proactive.
To take Yoran's castle analogy one step further, many businesses are building higher and higher front gates, but turning a blind eye to their crumbling walls - and this is leaving them exposed. A lot of malware may be stopped at the front door, but this can quite easily be flanked, and security breached.
Some of the most high-profile breaches, namely Target, Sony Pictures and Home Depot, show that we can build big, strong doors, with cameras and security guards, but then leave the back door wide open for third-party contractors, employee error or those with malicious intent.
So why don't we apply these practices to our InfoSec?
A true Defense in Depth security strategy should be one which layers proactive technologies to ensure a complete 360° approach to combat advanced threats. Rather than relying on building higher and higher front gates to catch the most obvious attacks, we need to consider all access to the infrastructure. Least privilege, application whitelists and other proactive defences can be leveraged on top of traditional security measures such as antivirus and firewalls to protect the enterprise from within.
InfoSec isn't in the dark ages, but entering a period of enlightenment - the security community has to look beyond the reactive and embrace a more proactive approach if we're ever to truly tackle an increasingly sophisticated cyber threat landscape.