BreachExchange mailing list archives

The Five Tough Truths Of Cybersecurity Software


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 2 Jun 2014 19:32:17 -0600

http://techcrunch.com/2014/05/31/the-five-tough-truths-of-cybersecurity-software/

Building a successful security software company is notoriously hard to get
right over the long haul. Computer security is a fast-moving target. You
still need anti-virus software, for instance, but it won’t necessarily keep
you safe. The same is true for firewalls, and malware detection, and spam
blockers, and various other security measures. For better or worse, there
is never-ending opportunity here, as the good guys race to keep up with the
bad guys.

The tricky part is that over time the bad guys have gotten smarter and the
threats more ominous. The stakes keep ratcheting higher. Thirty years ago,
we were dealing with amateurs. Now the bad actors are international
organized crime groups and nation-states. In the old days, the issues were
tactical. Now they’re fundamental. This isn’t just an IT issue: Target
recently fired its CEO after the retailer suffered a massive security
breach. Careers, as well as data, are at risk.

I’ve been spending a lot of time (and money) funding new security companies
in recent years, and I’ve worked in the industry myself. Along the way,
I’ve reached some conclusions on how to improve your odds of success. Here
is my list of five truths about the cybersecurity business:

1. There are two types of companies: those that know they’ve been breached,
and those that haven’t figured it out yet.

The security software entrepreneur Kevin Mandia founded Mandiant* –
recently sold to FireEye for $1 billion – on the thesis that no one can
really stop the bad guys from entering your network. The game is no longer
about prevention; it’s about detection. The average length of time it takes
for an advanced persistent threat to be detected on a corporate network is
now an alarming 229 days. We need to get that down to 24 hours — or one
hour.

Companies need early-warning systems to know they’ve been breached, but
they also need the context around that intruder, including what data has
been compromised and by whom, and a system to contain and fix the issue as
fast as possible. Simply manning the barricades is not enough. Evildoers
are going to come over the walls, under the walls, around the walls and
right through the front door. You need to discover them, find out what
they’re doing and stop them, and you need to do it as quickly as possible.
Software from Rapid7 and IBM’s QRadar security platform focuses on
identifying behavioral anomalies in real-time.

The scary truth is that network security does not work as well as we
thought. That’s what leads to the fight for the endpoint — how people
protect endpoints will be completely different than over the last two or
three decades. Bromium attacks the problem by focusing on data protection,
rather than intrusion detection. They create a secure, isolated container
for each task a user performs on an untrusted network or document –
preventing malware from spreading. Invincea likewise creates a “secure
virtual container” to wall off the most vulnerable applications, like
browsers, PDF readers and Office.

2. Corporate networks are like M&M’s: hard outside, soft inside.

Companies need to toughen up from the inside out. (Think peanut M&M’s.)
Sure, you need to fight off malware and viruses, and you want complex
passwords and stiff security regimes. But you still won’t keep everyone
out. Rather than simply erecting thicker walls to fend off intruders, which
becomes increasingly impractical in highly distributed cloud-based
architectures, we need to encrypt the data that attackers want.

You need to encrypt data all the way to the browser, and the browser itself
has to be 100 percent authenticated. But you have to hide the complexity.
The whole thing needs to be seamless. As an end user, you’re not going to
tolerate having to mess around with encryption keys and other
complications. Companies like Ionic Security* are working on solving this
end-to-end encryption problem. If it works, hackers will face a new
challenge: they can steal the data, but they won’t be able to read it.

3. Threats are getting more dangerous, with higher risk of catastrophe…

The ramifications of security breaches are getting worse. Two decades ago,
a breach was mostly an operational problem that might cost you money and
time. Today, a breach is a strategic issue that could ruin your business
and put your customers’ finances at risk.

4. …so we need new weapons.

Global 2000 companies face an ominous issue: They can’t scale fast enough
to meet growing threats. They can’t hire enough people or buy enough
technology to be totally secure – they need to go outside to get help. The
stage is set for companies taking new approaches to this issue.

Shape Security* has created an approach it calls “shape shifting” to beat
hackers by turning the tables and going after the bad actors with the same
kind of attacks they use on the good guys. Shape’s realization: while you
can’t prevent a bot from landing on your network, you can prevent it from
being effective. Splunk uses crowdsourcing techniques to keep track of
threats and consider potential remedies. Rather than buy a threat feed, you
get it from the universe. It’s the closest you’ll get to real-time threat
detection.

Synack* takes a sort of ‘Super Friends’ approach, teaming the world’s
greatest white hat hackers and applying them to your company’s security
risk assessment with an automated platform. While few companies could ever
afford to get that talent inside, the approach here is to let you rent them.

5. If you can’t beat ‘em (and you can’t), deter them.

The bottom line is that evildoers are going to get on to your network, and
when they do, they’re going to cause troubles that will sometimes pose
catastrophic risk. But there’s no need to panic; it’s a matter of
preparation and staying vigilant when the invaders land inside the wall.
Innovation in the security space is high. But there’s a lot of creativity
being applied on the other side, as well. The good news for entrepreneurs
is, this is going to be a never-ending battle.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/