Defense in depth a dying philosophy: Eddie Schwartz

The approach to information security needs to evolve, says Edward Schwartz, CISO at RSA. Agility, dynamism, and fresh security paradigms a need of the hour.

Edward Schwartz is the chief information security officer and vice president at RSA. Previously chief security office at NetWitness, he has more than 25 years of experience in information security. Here are some insights from his keynote address at the SecurityByte conference in Bengaluru this month.

Speaking about the relevance of defense in depth at SecurityByte 2011, Edward Schwartz says the defense in depth security philosophy is fast becoming redundant and ineffective. According to Schwartz, the models in place today lead to a situation where the defender is constantly playing catch-up. “As we continue to operate in defense in depth mode, the adversary is now going for offense in depth,” says Schwartz.

Today’s attackers either ignore or bypass perimeter security or focus on client-side attacks. It is now virtually impossible to have completely secure environments. The question therefore is which environments can be secured. Citing spear-phishing and drive-by attacks as examples, Schwartz says there is no way to protect against the end-user doing whatever they want.

Attacker free-time: Characteristics and challenges

Once a network has been penetrated, there is a period known as attacker free-time during which attackers have the run of the network and can basically do whatever they want. (See Sidebar: How advanced attacks unfold for details.) Studies show that it takes anywhere between a week and 60 days to detect an advanced attack.

Schwartz believes the key lies in shrinking this attacker free-time window. With conventional defense strategies, this issue is hampered by a lack of visibility, poor internal controls, and inadequate threat management and correlation mechanisms, not to mention human error.

Compounding the problem is that fact that most malware used in attacks is not even seen by intrusion prevention systems. “If you don’t believe today that most anti-viruses are ineffective against advanced attacks, you’re probably in the wrong line of business,” Schwartz says.

There are people issues too, with the information security industry's reliance on professional certifications such as CISSP. Schwartz believes the technical standards are not high enough. There is a need for more dynamism and agility. “Maintaining secure systems and networks has become a ridiculous numbers game with people rushing about trying to patch everything in sight, while the big vendors release more vulnerabilities to patch,” says Schwartz.

He believes most day to day security processes conducted in organizations today are a waste of time since ultimately, not everything can be protected. Other issues that make defense in depth unfeasible include managing the time to patch systems, properly managing authentication and authorization, as well as developing secure code.

What should security be doing?

>>Information centricity

The first issue here is to define assets, and the second is to know what needs to be protected. The mantra here is: You can’t protect everything equally, you should know where everything is. You should know what matters most.  “It is impossible to be 100% secure, so it's okay to let some things go and focus on the important stuff,” says Schwartz.

>>Risk focus

A clearly developed risk focus is needed, based on an adversarial threat model. The mantra here is: Know your enemy, know what is being targeted, and what one can do about it. “The most important thing here is to understand who your adversaries are and what they are capable of,” says Schwartz.

>>Built-in rather than bolt-on security

According to Schwartz, The work dynamic needs security to be built-in into the system, not bolt-on, says Schwartz. “While I don’t think it is possible to build security in from ground up, certain aspects and security principles need to be built in from scratch,” he says” .Constant vigilance is the price to pay for securing against advanced persistent threats (APTs). If you don’t believe everyday that somebody has penetrated your network, you’re living in a fantasy word,” adds Schwartz.

Read more on IT risk management