On Wednesday, Dan Kaminsky delivered the opening keynote address at Black Hat. His talk was entitled, “The Hidden Architecture of our Time: “Why This Internet Worked, How We Could Lose It, and the Role Hackers Play,” and detailed the challenges and risks of the Internet, and what vendors need to do to fix it.
Central to his presentation was a discussion of his new hardened browser, IronFrame, and a new firewall technology called Autoclave. Both are built on the premise of hardening and isolating environments in order to reduce the attack surface. Which basically means, limiting user options.
There are a number of these hardened browser solutions on the market. They all suffer from the same flaw: human beings. How do you prevent a user from simply deploying a different browser on their device and using that instead of the hardened one? Or figuring out a workaround? Which is exactly what is going to happen if the hardened browser or other draconian security device gets in the way of a user doing what she or he is used to doing.
I see this approach a lot. And I understand that there is a problem. Companies are spending millions of dollars on security, and attacks and breaches are still on the rise. Worse, many older attack tools are still successfully breaking into networks. And the weakest links in the chain, clearly, are the human beings using, configuring, or managing the devices.
So what we need to do, the argument goes, is lock them down, take away options, impose more training, and enforce penalties for non-compliance. Like that’s going to work. Clearly, the people making these proposals don’t have high school or college-aged kids.
Recent surveys show that young workers today see using the devices and tools of their choice as a right, not a privilege. Regular access to social media, even during work hours, ranks on the needs scale right below oxygen. Surveyed workers regularly respond that they are willing to break company policies to use the device they want however they want, that they are willing to take a lower paying job if it includes flexibility in the technology they get to use, and that as far as they are concerned, security is someone else’s responsibility.
Regardless of how you may feel about all of that, it is what it is and you’re not going to change it. Which means that all attempts to lock down users and technologies are, frankly, a fool’s errand, because that genie is not going back in the bottle.
It’s ironic that a message like this would be delivered at a place like Black Hat. Good grief, the entire event is a shrine to oppositional will. It’s what makes us human. We are motivated to bend the digital world to our individual wants and needs. Every locked door is just begging to be cracked open. Black Hat and Defcon are digital versions of Superman’s Bizarro world, where up is down and no clearly means yes.
Like it or not, the first assumption anyone needs to make when thinking about security is that the people you are trying to protect are not going to cooperate. Because anyone with any experience knows that we are never going to prevent devices from getting onto our network, we will never stop someone from clicking on an attachment, or prevent them from downloading malware, or eating up our bandwidth by streaming content or grazing on social media. To paraphrase Dr. Ian Malcolm in Jurassic Park 2, “life always finds a way.”
The conundrum, then, is to build security that operates seamlessly in the background. It needs to provide protection and controls in spite of what users are going to do. This requires things like dynamically segmenting traffic at the point of entry. Doing deep inspection on unstructured content in real time. Disabling malware before it gets clicked. And rather than shutting users down and locking devices out, organizations need to build an integrated security architecture that shares threat intelligence, centralizes orchestration and reporting, sees around corners into remote devices, IoT, and the cloud, and coordinates responses to threats wherever they are found.
What they need is a collaborative and adaptiveSecurity Fabric.