Endpoint //

Authentication

2/9/2018
10:30 AM
Amit Yoran
Amit Yoran
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Back to Basics: AI Isn't the Answer to What Ails Us in Cyber

The irony behind just about every headline-grabbing data breach we've seen in recent years is that they all could have been prevented with simple cyber hygiene.

Earlier this month, many of the planet's most influential leaders met at the World Economic Forum in Davos to address some of the most pressing issues of our time, including artificial intelligence (AI). AI was touted as the answer to everything from bespoke cancer therapies to more-efficient cheese making. Some people in cyber are turning to AI as well, arguing that machines will be able to more quickly adapt to and manage threats, and eventually even be able to predict (and therefore prevent) attacks.

AI has a great PR machine behind it and may hold good long-term potential. But it's not the answer to what ails us in cyber. In fact, I'd put AI in the same camp as advanced persistent threats (APTs) — sophisticated cyberattacks usually orchestrated by state-sponsored hackers and often undetected for long periods of time (think Stuxnet). Both are really intriguing, but in their own ways they're existential distractions from the necessary work at hand.

At the crux of just about every high-profile breach and compromise, from Yahoo to Equifax, sits a lack of foundational cyber hygiene. Those breaches weren't about failing to use some super-expensive, bleeding-edge, difficult-to-deploy and unproven mouse trap. In cyber, what differentiates the leaders from the laggards isn't spending millions and millions of dollars on sexy bells-and-whistles interfaces. It's about organizations setting a culture in which security matters. That means they prioritize cyber hygiene. They understand that cyber risk equals business risk in our digital age.

 

Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Consider the Equifax breach. When the company was called to testify before Congress about the catastrophic breach that affected 145 million Americans, they displayed a dazzling disregard of cyber-risk. Their willingness to blame the breach on a single engineer's slow response to a known vulnerability highlighted a lack of procedural discipline and rigor, to say nothing of the organization's immaturity in cybersecurity basics. AI cannot address or solve for this cultural misalignment.

Cyber Hygiene 101
Let me be clear — perfect cybersecurity is not possible, no matter what anyone may say. If someone is determined at all costs to get through your defenses, the odds are good that they'll find a way in. But the irony behind just about all the headline-grabbing data breaches we've seen in recent years is that they could have been prevented with basic cyber hygiene. Why? Because even when state actors are behind an attack, they most often take advantage of lackadaisical security practices and use known vulnerabilities and exploits to get in. It's cheaper. It's easier. You don't have to burn a zero-day. Attribution is much harder, and there is a slew of other good reasons, which brings us back to the fact that basic cyber hygiene is the cheapest, easiest, and most effective way to improve your security posture. 

What's even better news? Very good cybersecurity is within reach for most organizations. It begins with the fundamentals, and if you follow some of these best practices, you can prevent the vast supermajority of breaches and exploits.  

Best Practice 1: Know your systems really, really well. This may seem obvious but it's astonishing how many organizations do not know precisely what technology they're using. This presents a twofold problem. First, you can't protect what you can't see. Second, technology is not risk free. For every digital investment — IT, cloud, mobile, apps, the Internet of Things, and DevOps — there is an accompanying risk. Most organizations fundamentally don't understand the extent of the systems they're using, how those systems can be exploited, or what they need to do to prevent that from happening.   

Best Practice 2: Use state-of-the-art authentication and access management. If you're using passwords today, you simply fail to understand the reality of our threat environment. You need to embrace multifactor authentication. Think of TouchID or FaceID or something similar. Getting rid of passwords and the associated user failures moves the needle, and can improve user frustration. Along with that, manage account privileges based on what access is needed by whom.

Best Practice 3: Invest in better monitoring and more efficient response. The average number of days between the time a breach occurs and when it is detected consistently clocks in at over six months. Organizations can take advantage of the technologies that shrink this time by providing greater visibility into computing platforms — cloud, hybrid, or on-premises — to ensure that security teams have a complete view of their entire attack surface.

Here's a challenge that we should all embrace — let's make 2018 the year we all get serious about cybersecurity fundamentals. Let's get the basics right. Let's not throw our arms up in despair or search endlessly for the latest cure-all until we're adequately addressing the basics. Investing in AI is no substitute for sound fundamentals. 

Related Content:

Amit Yoran is chairman and CEO of Tenable, overseeing the company's strategic vision and direction. As the threat landscape expands, Amit is leading Tenable into a new era of security solutions, empowering organizations to meet the challenges of evolving threats with ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
BrianN060
100%
0%
BrianN060,
User Rank: Ninja
2/9/2018 | 12:13:31 PM
A few more points
A good article, with several important best practices. 

As for AI (Artificial Intelligence), it's an unfortunate choice for a label, for something that is actually a dynamic artifact of collective human intelligence.  You're right about the effective PR. 

You can add a couple of more items to your best practices list:
  • Limit data access, and type of access, on a needs basis.  If a knowledge worker doesn't require access of a particular kind, and from a particular source, in order to do their job, they shouldn't have it.
  • Know what data you have.  Very hard to tell if something is missing or has been altered, if you don't know what you have, and where it is.
  • Limit the proliferation of data.  Yes, you need a well thought out plan to recover compromised data; but more backup copies doesn't equate to more security - just the opposite.  Also, limit the data used for analysis, using the same needs-based criteria mentioned above.  Part of that is not running analysis directly on line-of-business/transactional data. 

Each of these goals is easier to implement if your organization uses the proper modeling methodologies. 
12 Free, Ready-to-Use Security Tools
Steve Zurier, Freelance Writer,  10/12/2018
Most IT Security Pros Want to Change Jobs
Dark Reading Staff 10/12/2018
6 Security Trends for 2018/2019
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/15/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10839
PUBLISHED: 2018-10-16
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
CVE-2018-13399
PUBLISHED: 2018-10-16
The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
CVE-2018-18381
PUBLISHED: 2018-10-16
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-18382
PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
CVE-2018-18374
PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.