Endpoint //

Authentication

2/9/2018
10:30 AM
Amit Yoran
Amit Yoran
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Back to Basics: AI Isn't the Answer to What Ails Us in Cyber

The irony behind just about every headline-grabbing data breach we've seen in recent years is that they all could have been prevented with simple cyber hygiene.

Earlier this month, many of the planet's most influential leaders met at the World Economic Forum in Davos to address some of the most pressing issues of our time, including artificial intelligence (AI). AI was touted as the answer to everything from bespoke cancer therapies to more-efficient cheese making. Some people in cyber are turning to AI as well, arguing that machines will be able to more quickly adapt to and manage threats, and eventually even be able to predict (and therefore prevent) attacks.

AI has a great PR machine behind it and may hold good long-term potential. But it's not the answer to what ails us in cyber. In fact, I'd put AI in the same camp as advanced persistent threats (APTs) — sophisticated cyberattacks usually orchestrated by state-sponsored hackers and often undetected for long periods of time (think Stuxnet). Both are really intriguing, but in their own ways they're existential distractions from the necessary work at hand.

At the crux of just about every high-profile breach and compromise, from Yahoo to Equifax, sits a lack of foundational cyber hygiene. Those breaches weren't about failing to use some super-expensive, bleeding-edge, difficult-to-deploy and unproven mouse trap. In cyber, what differentiates the leaders from the laggards isn't spending millions and millions of dollars on sexy bells-and-whistles interfaces. It's about organizations setting a culture in which security matters. That means they prioritize cyber hygiene. They understand that cyber risk equals business risk in our digital age.

 

Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Consider the Equifax breach. When the company was called to testify before Congress about the catastrophic breach that affected 145 million Americans, they displayed a dazzling disregard of cyber-risk. Their willingness to blame the breach on a single engineer's slow response to a known vulnerability highlighted a lack of procedural discipline and rigor, to say nothing of the organization's immaturity in cybersecurity basics. AI cannot address or solve for this cultural misalignment.

Cyber Hygiene 101
Let me be clear — perfect cybersecurity is not possible, no matter what anyone may say. If someone is determined at all costs to get through your defenses, the odds are good that they'll find a way in. But the irony behind just about all the headline-grabbing data breaches we've seen in recent years is that they could have been prevented with basic cyber hygiene. Why? Because even when state actors are behind an attack, they most often take advantage of lackadaisical security practices and use known vulnerabilities and exploits to get in. It's cheaper. It's easier. You don't have to burn a zero-day. Attribution is much harder, and there is a slew of other good reasons, which brings us back to the fact that basic cyber hygiene is the cheapest, easiest, and most effective way to improve your security posture. 

What's even better news? Very good cybersecurity is within reach for most organizations. It begins with the fundamentals, and if you follow some of these best practices, you can prevent the vast supermajority of breaches and exploits.  

Best Practice 1: Know your systems really, really well. This may seem obvious but it's astonishing how many organizations do not know precisely what technology they're using. This presents a twofold problem. First, you can't protect what you can't see. Second, technology is not risk free. For every digital investment — IT, cloud, mobile, apps, the Internet of Things, and DevOps — there is an accompanying risk. Most organizations fundamentally don't understand the extent of the systems they're using, how those systems can be exploited, or what they need to do to prevent that from happening.   

Best Practice 2: Use state-of-the-art authentication and access management. If you're using passwords today, you simply fail to understand the reality of our threat environment. You need to embrace multifactor authentication. Think of TouchID or FaceID or something similar. Getting rid of passwords and the associated user failures moves the needle, and can improve user frustration. Along with that, manage account privileges based on what access is needed by whom.

Best Practice 3: Invest in better monitoring and more efficient response. The average number of days between the time a breach occurs and when it is detected consistently clocks in at over six months. Organizations can take advantage of the technologies that shrink this time by providing greater visibility into computing platforms — cloud, hybrid, or on-premises — to ensure that security teams have a complete view of their entire attack surface.

Here's a challenge that we should all embrace — let's make 2018 the year we all get serious about cybersecurity fundamentals. Let's get the basics right. Let's not throw our arms up in despair or search endlessly for the latest cure-all until we're adequately addressing the basics. Investing in AI is no substitute for sound fundamentals. 

Related Content:

Amit Yoran is chairman and CEO of Tenable, overseeing the company's strategic vision and direction. As the threat landscape expands, Amit is leading Tenable into a new era of security solutions, empowering organizations to meet the challenges of evolving threats with ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
BrianN060
100%
0%
BrianN060,
User Rank: Strategist
2/9/2018 | 12:13:31 PM
A few more points
A good article, with several important best practices. 

As for AI (Artificial Intelligence), it's an unfortunate choice for a label, for something that is actually a dynamic artifact of collective human intelligence.  You're right about the effective PR. 

You can add a couple of more items to your best practices list:
  • Limit data access, and type of access, on a needs basis.  If a knowledge worker doesn't require access of a particular kind, and from a particular source, in order to do their job, they shouldn't have it.
  • Know what data you have.  Very hard to tell if something is missing or has been altered, if you don't know what you have, and where it is.
  • Limit the proliferation of data.  Yes, you need a well thought out plan to recover compromised data; but more backup copies doesn't equate to more security - just the opposite.  Also, limit the data used for analysis, using the same needs-based criteria mentioned above.  Part of that is not running analysis directly on line-of-business/transactional data. 

Each of these goals is easier to implement if your organization uses the proper modeling methodologies. 
13 Russians Indicted for Massive Operation to Sway US Election
Kelly Sheridan, Associate Editor, Dark Reading,  2/16/2018
One in Three SOC Analysts Now Job-Hunting
Kelly Jackson Higgins, Executive Editor at Dark Reading,  2/12/2018
Can Android for Work Redefine Enterprise Mobile Security?
Satish Shetty, CEO, Codeproof Technologies,  2/13/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Welcome to the pit of misery.
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.