Security Zombie Apocalypse

Hariharan Kolam

World War Z Photo-Security Analogy

The RSA conference 2015 took place last week at the Moscone Center in San Francisco, and is one of the most important IT security conferences in the world. The conference has consistently attracted the world’s best and brightest in the field and this year was no different. I braved the crowds and spent some time immersing myself in the dynamic setting and adrenaline rush that surrounds RSA. As always, this was a great opportunity to get a pulse on the latest and greatest happenings in the world of security.

From a trends perspective, cloud security (not surprisingly) continues to be a hot topic of discussion. Enterprises are adopting cloud aggressively by using cloud-based applications and infrastructure. But this in turn is creating its own set of security challenges. I saw several companies at the conference that are focused on addressing this problem by building cloud security infrastructure, tools for security forensics, analytics and automation, all to detect and defend. Our ProxyWall, which we announced late last year, includes Web Application Firewall (WAF) and origin protection capabilities, and uses a similar approach to defend applications from the cloud.

Cloud-based protection entails monitoring events from a multitude of sources, detecting anomalies in them and then using the anomalies to build enforceable security policies. The volume of data and events to be monitored is huge, and detecting anomalies in this setup essentially is analogous to finding a needle in a haystack (with the shape, form and color of the needle continuously changing). A high incidence of false positives evidently is a huge problem and enterprises are using big data technologies and tools extensively to address this. The proliferation (and potential) of big data in implementing enforceable security policies is quite real and I saw a large number of security vendors at RSA that offer diverse capabilities for this.

Clearly, the solution is far from perfect. I found it particularly interesting that more and more people are assuming the imperfect solution to be the norm. Attacks are becoming increasingly sophisticated. Simply relying on patterns and anomalies to detect and defend against these constantly shape-shifting attacks is not the best strategy.  

A quick review of some of the prominent attacks over the last year reveals exactly that. The eBay redirect attack resulted in significant negative press for the company as many of its buyers’ credentials were leaked. This particular phishing attack exploited a vulnerability that executed malicious code on users’ browsers. The Anthem data breach, which compromised the credentials of 80 million customers, is suspected to have been started by a phishing attack on internal Anthem employees. Twitter’s recent account hijack significantly corroded the company’s brand, as the compromised user was none other than its own CFO. All the companies that I list above have invested heavily in security, yet the malicious code was able to creep through the defenses and reach the user. Once that happens and the application is compromised on its way to the user, there is no defense against it. The damage in all of the above cases was quite significant.

A very apt analogy in this context comes to mind. Many of you might have seen the movie World War Z where the Israelis fortify the Jerusalem wall, yet the zombies, being extremely persistent, find a way to penetrate nonetheless. You get my point :-).

We collectively as an industry have made much progress in the security realm, yet much more remains to be done. The theme this year at RSA was quite provocative and questioned the status quo – “challenge today’s security thinking.” As the number of variables (events, metrics, data) to detect an attack continuously increases, compounded with more sophisticated attacks and attackers, your security strategy cannot just be about piling on layers of defense. A strategy that assumes a compromised application can be prevented from reaching the user is flawed. How to limit damage when a compromised application manages to creep through the layers of defense has to be critical to any good security strategy.
