Behavioral Cybersecurity

In my job, I often meet with IT Security folks who have been working with computers for 25-30 years or more. I always want to say to them something like: “You have probably seen more change in your career than a lot of other people nearing retirement.” I can’t think of how to phrase that sentiment in a flattering way, so I always keep it to myself.

It is remarkable, though: in most industries, the only discernible change to job function over the last few decades has come from computers. Within the computer industry itself, the years 1991-2021 brought change so constant that it could be charted in advance. Moore’s Law, first stated in 1965, held for most of that span: the number of transistors that fit on a chip roughly doubled every two years, and performance followed. (That pace has faltered more recently as transistor scaling runs into physical limits, and for most everyday workloads hardware from 2018-19 is still more than adequate, so demand has stopped keeping up with supply. It’s sort of a reverse ‘Peak Oil’ paradox.) User experience has evolved from dragging applications and processes around like it’s “Weekend at Bernie’s” to, well, the opposite. Apps today cross-reference data continuously to give users the most possible access. Remember back in the 20th century: if it was 9 or 10:00 pm and you wanted to complete a transaction of any sort, you had to wait until the business opened its doors the following morning. Now, with your mobile phone, you can at the very least do enough to be assured your transaction will be completed the following day. Get to sleep, you deserve it!

The issue, then, is security. A tightly guarded, paper-based filing system that is accessible in only one time zone from 8am to 5pm can’t do business in today’s world. But when things are happening 24 hours a day, when customers are liable to call on you at 10:00 pm or 3:00 am, how do you stay “tightly guarded”? In the ’90s and 2000s, the best the IT industry could come up with was the firewall. It makes enough sense: it’s a perimeter, a line in the sand. “Beyond this line, YOU DO NOT!” It’s the practice of checking credentials at the door to protect the network and applications inside, and it works exactly as long as everything inside the door can be trusted and everything outside cannot. That assumption used to hold. With remote users, cloud services, third-party integrations and stolen credentials, it no longer does.

In the last five years, insider attacks, ransomware and data breaches have become commonplace. The reason is simple: attackers have spent 25 years or more learning to get past perimeter-based controls, and the perimeter was never built to stop someone who arrives with a valid login. They aren’t spending all night plotting what they’re going to do tomorrow morning when your doors open; the organized groups work in shifts, in office buildings, with bosses and the criminal equivalent of TPS reports to fill out. It’s a bizarro-opposite version of a legitimate office worker just trying to turn a cog in their conglomerate. Once they’re past the perimeter, they go wild: they take whatever they can, cover their tracks and keep the fire exit propped open for someone else. The SolarWinds compromise, disclosed in December 2020, is the textbook case. The attackers got into SolarWinds’ build environment and trojanized its Orion software, so that legitimately signed updates shipped between March and June 2020 carried a backdoor to roughly 18,000 customers, among them US federal agencies and household-name technology firms. They then hand-picked a much smaller set of those victims for follow-on intrusion, while the backdoor itself stayed quiet enough to go unnoticed for months. Nobody’s firewall was breached; the attackers walked in through a trusted update.

The answer, then, is trust, but verify. If someone types in a password, then you know it’s them. Right? Well, if after they type in their password they receive a text message on their phone with a one-time code, and they manually parrot that code back, now you really know it’s them. Right? This is the thought process of businesses, and it’s honestly not altogether bad: multi-factor authentication stops the bulk of password-reuse and credential-stuffing attacks. But an SMS code can be phished in real time or intercepted through a SIM swap, and even a phishing-resistant factor only proves who was at the keyboard at the moment of login; it says nothing about what that session does afterwards. Businesses are still getting attacked every day, and it looks like this siege is going to define computing in the 2020s.

Behavior is the key to information security.

It’s way too late to keep attackers “out” (decades late), so the way to protect against attacks is to monitor what an identity actually does while it has access to privileged information. Machine learning, or even plain statistics, can be run over weeks or months of traffic to define what “normal” looks like for each user, service and resource, and then alert or block immediately on anything irregular: a login at an hour that user has never worked, a first-ever touch of a sensitive table, a download ten times the size of the user’s typical day. It lets a security team paint controls with a fine brush based on expected behaviors, rather than a single yes/no at the door. An attacker can obtain yesterday’s “permission,” successfully enter an environment, and still be stopped in their tracks when they actually put their paw in the honey jar. When the first claw passes the rim, behavioral application security controls can slap it away before it touches the nectar. Then, what does the hacker say to their supervisor? It’s not: “I got what I wanted, plus I have this hole half-sewn shut so we can come back for more!” And it’s not: “I got what I wanted, but I got caught and booted out, now we have to start over again from square one.” It’s just: “I didn’t get what I wanted.” And that is what the majority of businesses today are unable to achieve. Two caveats a practitioner will raise: a baseline is only as clean as the period it was learned from, so an intruder who was already inside during training gets graded as normal, and a threshold tuned to catch everything irregular will also page your team about the new hire’s first week. The model has to be retrained and its alerts reviewed, not just switched on.
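To make the “learn normal, flag irregular” idea concrete, here is a small per-user behavioral baseline in Python. This is an added illustration written for this post; it is not the author’s code or any vendor’s product. The log format (timestamp, user, resource, bytes) and the log lines themselves are constructed for the example, and the three checks (never-seen resource, never-seen hour, transfer size more than three standard deviations above the user’s mean) are a deliberately simple stand-in for what a real product would learn with a proper model.

```python
"""Per-identity behavioral baseline and anomaly scoring over access logs.

Added illustration for this post, not the author's or any vendor's code.
The log lines are constructed; the field layout (timestamp, user, resource,
bytes) is an assumption, not a real product format.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed "normal" period for two users. In practice this would be weeks
# or months of real traffic, and it must be known-clean when it is learned.
BASELINE_LOG = """\
2024-03-04T09:12:00 alice crm/contacts 1200
2024-03-04T10:40:00 alice crm/contacts 900
2024-03-05T09:05:00 alice crm/reports 4100
2024-03-05T14:30:00 alice crm/contacts 1100
2024-03-06T11:00:00 alice crm/reports 3900
2024-03-04T08:50:00 bob hr/payroll 2200
2024-03-05T09:15:00 bob hr/payroll 2300
2024-03-06T09:40:00 bob hr/benefits 1800
2024-03-07T10:10:00 bob hr/payroll 2100
"""

def parse(log_text):
    """Parse 'timestamp user resource bytes' lines into event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, resource, nbytes = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "resource": resource,
            "bytes": int(nbytes),
        })
    return events

def build_baseline(events):
    """Learn, per user, which resources and hours are normal and the typical
    transfer size. Returns {user: {"resources", "hours", "mean", "std"}}."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append(e)
    baseline = {}
    for user, evs in per_user.items():
        sizes = [e["bytes"] for e in evs]
        baseline[user] = {
            "resources": {e["resource"] for e in evs},
            "hours": {e["ts"].hour for e in evs},
            "mean": mean(sizes),
            "std": pstdev(sizes),
        }
    return baseline

def score_event(event, baseline, z_threshold=3.0):
    """Return the reasons an event deviates from its user's baseline.
    An empty list means it looks normal. An unknown user is itself a finding."""
    profile = baseline.get(event["user"])
    if profile is None:
        return ["no baseline for user"]
    reasons = []
    if event["resource"] not in profile["resources"]:
        reasons.append(f"first access to {event['resource']}")
    if event["ts"].hour not in profile["hours"]:
        reasons.append(f"unusual hour {event['ts'].hour:02d}:00")
    std = profile["std"] or 1.0  # guard: a constant baseline would divide by zero
    z = (event["bytes"] - profile["mean"]) / std
    if z > z_threshold:
        reasons.append(f"transfer size {event['bytes']} is {z:.1f} std above normal")
    return reasons

def detect(new_log_text, baseline):
    """Score every new event; return (user, resource, reasons) for each one
    that trips at least one check."""
    alerts = []
    for e in parse(new_log_text):
        reasons = score_event(e, baseline)
        if reasons:
            alerts.append((e["user"], e["resource"], reasons))
    return alerts

# Constructed "today" traffic: alice as usual, then alice's credential used at
# 03:00 to pull a bulk export from a payroll table she has never touched.
NEW_LOG = """\
2024-03-08T09:20:00 alice crm/contacts 1000
2024-03-08T03:02:00 alice hr/payroll 250000
"""

if __name__ == "__main__":
    profiles = build_baseline(parse(BASELINE_LOG))
    for user, resource, reasons in detect(NEW_LOG, profiles):
        print(f"ALERT {user} -> {resource}: {'; '.join(reasons)}")
```

The second event passes authentication exactly as the first did; it is flagged only because it does not look like anything alice has done before, which is the whole argument of this post. Note the caveat too: move that 03:02 payroll pull into BASELINE_LOG and it becomes part of “normal,” so the training window has to be verified clean before the model is trusted.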

The threat landscape is changing to the point where behavior is the only differentiator – and, yes, I work for a behavioral-based application security vendor.

Reach out if you would like to know more: ferri.leon@pm.me
