Cisco Exec At RSA: The Security Industry Needs To Do Better
"If you knew you were going to be compromised, would you do security differently?"
The security industry is right now being forced to answer that question, as it faces an increasing onslaught of data breaches and targeted attacks, said Martin Roesch, chief architect of security at Cisco and founder of SourceFire, in a Thursday keynote at the 2015 RSA Conference in San Francisco.
"The reality that we face today is really interesting. We really need to do better," Roesch said. "It's not just about creating and producing and shipping new security technology to incrementally improve the problem. ... It's got to be better than that. It's not really an option -- it’s a requirement."
One thing that needs to change is that, right now, the security basics, such as patching, configuration management, and identity and access management, aren't even covered for a majority of companies, Roesch said.
"This is a huge problem. We're not even doing the basics but we're facing very advanced threats that are skilled at breaking into places that can ramp up their efforts as defenses stiffen," Roesch said.
Part of the problem for many of these companies, he said, is that there is significant fragmentation in the security industry. Roesch said the average company he talks to has 30 to 60 security solutions that don't work together.
"We've got a big problem right now," Roesch said. "This problem is that the way that we address security is by buying a lot of different technology and try to get them to interoperate with each other. ... This is not great. It's obviously not working because it's hard to synthesize this information into awareness and response."
One way Roesch suggested that the security industry could improve is to embrace an integrated threat-defense architecture. While some organizations have started integrating using SIEM or log management systems, Roesch said, the security industry needs to go one step further and externalize independent vendor data within an environment, and integrate it into a central visibility platform, instead of abstracting it.
"This is something that I believe is very doable," Roesch said. "What we've seen is that this approach can be very powerful when deployed appropriately. As a rule I think these visibility platforms are something that need to get built."
To take it one step further, Roesch suggested driving systematic responses on top of that integrated threat-defense architecture, on both the defense and response sides. In more extreme cases of unconstrained compromise of an environment, Roesch proposed the idea of a failsafe for the network, where pieces of the network or the entire network could be shut down in the event of a compromise.
The bottom line, Roesch said, is that the security industry needs to step up its game, whether through the solutions he proposed or another way.
"It's really not an option to keep doing things the way we've been doing them. We need new methods, new approaches, we need to get our security infrastructure working together. ... I believe now is the time," Roesch said.
PUBLISHED APRIL 23, 2015