I just got back from the RSA Security conference in San Francisco, an invigorating gathering of security professionals which frankly – at least for me – is always a fun crowd to be around. My main takeaway is that the crimes and infractions we should be focused on are either very low or very high tech. Most of the security budget has been spent in the middle and the solutions put in place generally haven’t stopped the attacks executed on these two ends of the spectrum.
Seasoned security managers I speak with feel the situation is becoming untenable and that the industry needs a ‘paradigm’ shift. There are simply too many things to worry about and too many point security solutions that need to be patched together and integrated. Indeed, one colleague cited a statistic about the incredibly high number of man-hours his organization spends just keeping its 200 or so security-related applications up to date and working together.
Key takeaways from the conference:
a) Insider fraud is mainly very low tech and does not involve collusion. That was CERT’s conclusion after closely examining 80 cases of insider financial fraud at U.S. banks. What did they find? Low and slow crimes (it took an average of 2.5 years to detect after the fraud started) and very low tech techniques, such as customer service reps in call centers printing screens full of customer PII data, or bookkeepers changing entries to pay themselves.
Significantly, only 6 percent of these insider cases were detected by software. The others were discovered mainly through tips or aroused suspicions (e.g. when a low-salaried employee all of a sudden starts driving a brand new BMW). The CERT team didn’t correlate the findings with security expenditures at these organizations, but I would bet that most of the highly regulated banks that were surveyed had spent a lot of money on Identity and Access Management systems.
But while low-tech insider fraud should be a major concern for enterprises (it does result in significant financial damage) – I didn’t come across any other mention of it at the conference other than this one presentation by CERT.
b) In contrast, ‘sophisticated’ high tech attacks are capturing most of the R&D and innovation dollars. The ‘hottest’ vendors on the RSA conference expo floor were positioning their software and services as necessary for defending an enterprise and its assets against today’s advanced targeted attacks. Whether it’s the Chinese, Iranians, or Ukrainians, it’s creating a call to cyber-arms that no one wants to ignore. So unlike the unglamorous low-tech threat – this category is getting all the dollars and attention.
c) DDoS continues – meanwhile, while the security professionals were busy at the conference, the DDoS attacks against U.S. banks continued. Demonstrating the cat-and-mouse nature of these attacks, the hackers have reportedly grown their botnet from 3,000 servers (with high-bandwidth connectivity to the Internet) to 10,000 servers. They are attacking multiple bank domains at a time, rather than one at a time, taxing the resources of the hosting ISPs. And they are reportedly deploying new application-layer DDoS tactics against their target banks’ web applications, further messing around with the banks’ abilities to defend themselves. These shifts in DDoS attack tactics will no doubt spur new spending and solutions by the victims while the offense/defense cycle continues to spiral.
Bottom line – the attack vectors that I see working are either very low tech or very high tech. But not too many people seem interested in investing in the solutions and processes that can stop the boring low tech crimes. Under-the-radar high-tech espionage and crime is getting all the attention and dollars, and I still haven’t heard about any of it being stopped. Meanwhile, the political crazies are flexing their cyber-muscles and embarrassing the heck out of our IT security industry.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.