In Security, Know That You Know Nothing

Only when security professionals become aware of what they don’t know can they start asking the right questions and implementing the right security controls.

Michael Sutton, Chief Information Security Officer, Zscaler

July 26, 2016


As I head into one of the most popular security conferences of the year, Black Hat, there are a few things that I expect to be top of mind for security professionals, both at the show and in the enterprises where they work. In security today, everyone claims to know what the problem is and how to solve it; the challenge is to sift through the noise and understand where the true vulnerabilities lie. Regardless of all the tools an enterprise might have, its assumptions (for instance, that encryption alone protects its data, or that every security threat can be identified) can quickly lead to a compromise.

The truth is that although security measures may work, industry professionals can’t set them and forget them, or operate under false assumptions. They need real visibility, they need to be aware that they won’t always know what to look for and, ultimately, they need to take proactive steps so they can keep up with and get ahead of possible threats. Only when security professionals become aware of what they don’t know can they start asking the right questions and implementing the right security controls. Here are a few things I’m most concerned with.

Encryption, a double-edged sword
Encryption has been a hot topic of discussion for some time, most recently at the center of the FBI vs. Apple debate. It is one of the most important tools in security, especially when an organization is not in control of its data. But, as an industry, we’ve been ignoring a very real threat that comes with encryption: malicious traffic can pass through an organization’s defenses when it is masked by encryption. Encryption protects hackers as much as it protects a business.

The issue is exacerbated by the fact that we are rapidly headed toward ‘encryption by default’ on all major Internet properties, meaning traditional passive packet sniffers can no longer observe what is coming in. Hackers who breach organizations benefit from this shift even when they are not deliberately trying to leverage SSL/TLS encryption.

As such, organizations need to realize that they cannot know what is being hidden by encryption. From there, they can begin a conversation about how to manage encrypted data and gain visibility into it to prevent an attack. Once the right people are involved and concerns are ironed out, the right technology can be put in place. Put simply, organizations can no longer assume that because traffic is encrypted, everything is safe.

We can’t protect what we can’t see
Encryption is one reason why data may not be visible, but increasingly, even when traffic is unencrypted, security teams simply do not have access to it. Gone are the days when employees used corporate laptops connected to enterprise Wi-Fi to store data on in-house servers. Today, even when an employee is sitting at their desk, they might be using a personal device on a 3G/4G network to store data on Dropbox.

Security teams need to adapt to this new reality. We cannot assume that network traffic will travel a "preferred" path. We cannot have differing levels of security and visibility based on the device an employee has chosen to use and where they’ve decided to work today.

We don’t know what to look for
There seems to be a false assumption in security that we know what to look for, and how to go about it, when scanning for threats. But this is not the case. Traditional signature-based security controls just aren’t good enough. Further, threats are constantly evolving and hackers have grown savvy to what organizations are looking for. Ransomware, for example, has proven to be a blunt wake-up call for enterprises relying solely on static signature-based controls.

Even when an organization does know what to look for, there are encroaching factors that make this methodology less than optimal. SSL encryption renders payload signatures useless, since the content they would match is never seen in the clear. Mobility means that traffic is not always within the scope of an organization’s control. And cloud-based services have created another space organizations don’t always have access to.

Security professionals need to be aware of this gap in knowledge and find ways to bridge it with tools that make them aware of new and evolving threats as they happen. Only then can they get better at catching hackers who are banking on organizations’ reliance on traditional signature-based security models.
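The visibility gap described in the encryption section and again here, as an added example that is not from the article or from Zscaler: a toy signature scanner matches constructed rule patterns against a constructed HTTP request, then against the same request after encryption with a stand-in stream cipher (representing TLS record encryption, not implementing it). The signatures fire on the cleartext, fire on nothing when only the ciphertext is visible, and fire again only at a point that holds the session key, which is the role a TLS-terminating inspection point plays. The rule names, the request bytes, and the key are all assumptions made for this example.

```python
import hashlib
import re

# Constructed signatures: byte patterns a traditional signature-based
# sensor would match against cleartext HTTP (hypothetical rules, not
# taken from any real product or from the article).
SIGNATURES = {
    "beacon-user-agent": re.compile(rb"User-Agent: ExampleBeacon/"),
    "exfil-upload": re.compile(rb"POST /upload\?token="),
}

# Constructed sample request that both rules should catch in the clear.
SAMPLE_REQUEST = (
    b"POST /upload?token=abc123 HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: ExampleBeacon/1.0\r\n"
    b"Content-Length: 0\r\n\r\n"
)

# Constructed session key; stands in for the TLS session key that a
# passive sensor on the wire does not hold.
SESSION_KEY = b"constructed-session-key-for-demo"


def keystream(key: bytes, length: int) -> bytes:
    """SHA-256 counter-mode keystream. A stand-in for TLS record
    encryption so the example runs offline; not a real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, data: bytes) -> bytes:
    """XOR the data with the keystream; decryption is the same operation."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


decrypt = encrypt


def scan(payload: bytes) -> list[str]:
    """Return the names of every signature that matches the payload bytes."""
    return sorted(name for name, pattern in SIGNATURES.items()
                  if pattern.search(payload))


def passive_sniffer_view(ciphertext: bytes) -> list[str]:
    """What a passive sensor without the session key can match: only the
    encrypted bytes, so payload signatures never fire."""
    return scan(ciphertext)


def inspection_point_view(ciphertext: bytes, key: bytes) -> list[str]:
    """What a sensor placed where the session key is available (for
    example a TLS-terminating proxy) can match: the decrypted request."""
    return scan(decrypt(key, ciphertext))


if __name__ == "__main__":
    wire = encrypt(SESSION_KEY, SAMPLE_REQUEST)
    print("cleartext:       ", scan(SAMPLE_REQUEST))
    print("passive sniffer: ", passive_sniffer_view(wire))
    print("inspection point:", inspection_point_view(wire, SESSION_KEY))
```

The design point is where the scanner sits relative to the key: the same rules and the same bytes give a full match at the inspection point and nothing on the wire. Metadata such as addresses and ports remains visible either way, but anything the rules depend on inside the payload does not.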

The need for a proactive approach
It’s apparent that security is not completely attuned to threats and their origins. What’s needed is a proactive stance, one that focuses on gaining visibility into encrypted traffic, along with processes that screen for and adapt to new threats as they happen. The enterprise cannot function under false assumptions that will only guarantee a breach down the line. So as you head into the sessions and solutions expo at Black Hat (or read about them on Dark Reading), know what you don’t know and work to change that as much as possible.

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada, July 30 through Aug. 4, 2016.


About the Author(s)

Michael Sutton

Chief Information Security Officer, Zscaler

Michael Sutton has dedicated his career to conducting leading-edge security research, building world-class security teams and educating others on a variety of security topics. As CISO, Sutton drives internal security and heads Zscaler's Office of the CISO. Zscaler has built the world's largest security cloud, trusted by 5,000+ companies, making internal security a critical focus requiring 24x7 monitoring from internal and external resources. The Office of the CISO is a team engaging security executives at a peer level, to drive best practices and facilitate industry wide collaboration on emerging security topics. The Office of the CISO is also responsible for providing subject matter expertise through speaking engagements, blogging and media collaboration.
