Guest blog by Johna Johnson, CEO and founder, Nemertes Research
Over the last decade, the security space has shifted under our feet—there is a growing gap between cybercrime and skilled professionals able to combat it; finding security professionals who are able to help stem the rising tide of cyber crime is of critical importance. There’s almost never a single “bad guy” breaking into your systems. That model—the lone genius sociopath, who not only has criminal intent but also the technological savvy to act on it—makes crime more understandable and, in a perverse way, more comfortable.
The reality is, instead of a huge wave of lone-genius-sociopaths, we have the magic of markets. There is a vast, complex, fluid, and resilient parallel economy built around cybercrime, a loosely coupled series of free markets focused on the separate phases of cracking into and stealing from enterprise systems:
- Vulnerability discovery, attack creation, and exploit packaging (the hardest parts, technologically, and also totally legal!)
- Attack propagation (botnets etc)
- Actual systems compromise and data exfiltration
- Monetization of stolen information
And as markets usually do, these phases drive ever-greater efficiencies within and across the tiers of action. They both attract skilled IT security labor in the difficult technical parts of the lifecycle (with steady pay for legal work) and make skilled labor less important to any individual criminal effort by making the product of that skilled labor easily available in a market. There can be any number of “bad guys” out there now; they need no technical know-how and no financial know-how, they only need to know how to consume services, legal and not, aimed at a criminal goal.
This mix of black and grey markets is agile, transnational, and enormous; it is worth more than the total market values of the IT security companies out there, and widening the lead over time (Nemertes Research, 2007). Nemertes believes it may employ more IT security researchers too, in legal activities, than cybersecurity firms. Security professionals being hard to find already, losing any to the (legal) economy that is actively serving the interests of those undermining everyone else’s security is doubly damaging.
So how do we stem the tide? We need to match the criminals by taking new approaches to securing the systems they are taking new approaches to compromising.
Begin with security in mind. Where they focus on finding vulnerabilities, we must focus on not creating them in the first place, with developers trained in more secure development methodologies and companies building security (both creating and testing it) into their development processes from day one.
Create more good guys. In addition to getting folks better trained in developing securely, we need to get more people in general trained in security, at an earlier point in time (e.g. university-level), through more and faster certification programs, and to have them spread more broadly in IT teams.
Share data to crowdsource better security. To counter the fact that those in the cybercrime markets freely buy and sell information on vulnerabilities and how to exploit them, we must become vastly more open and efficient about sharing information as well (that isn’t buying and selling). We must share information both about attacks we are experiencing and about defenses that work, via government and industry clearinghouses and using standard protocols and mechanisms such as STIX and TAXII.
Automate security. Criminals put a lot of effort into automating attacks. We need to increase our use of automation in defense: In adapting deployed solutions to new information on attacks as it becomes available (as with signature updates, or address reputation reporting and response), for example, and in scaling solutions up and down as needed to respond to spikes in attacks or dynamic scaling of solutions being protected.
Defend in depth. We need protection for each application and service to follow it wherever it goes in a fluid and dynamic service environment, and we need that protection to be focused on defending against both internal and external threats. Internal segmentation—protecting valuable informational assets even from lateral attacks launched from compromised internal systems—makes it much harder to turn a successful system breach into a financially rewarding one.
Not underestimating the realities of the current cybercrime environment and understanding how to respond to them are key both to improving security and to making the criminal activity less rewarding. Making crime pay less, well while also revamping the way we secure our valuables, will tip the balance back in our favor and steadily improve all our prospects.