Today I have a guest commentary in Threatpost on the changes in the security landscape since 2001.
So as I look back over the last 10 years I don’t see much of a change in the vulnerability-scape, if you will, but I do see one in the threat landscape. New classes of attackers have gone mainstream and global. They are sophisticated and effective. But our defenses have barely gotten better. There has been an incremental approach to defenses: deeper packet inspection, more heuristic anti-malware, more auto-update patching, but it hasn’t been able to keep up. I hope over the next 10 years there are some radical changes in how we perform security, or the problem will get dramatically worse. The criminals, spies, and hacktivists are here to stay unless we stop them.
It sounds a bit pessimistic, but I mean it as a wake-up call. The still-current trend of reactive security, where we detect more things ever faster and share signatures ever wider, will not solve our problems. Attackers will counter by being more targeted and changing attack signatures more quickly. They are operating inside the reactive defenders’ OODA loop and are not going to give up this advantage unless we change the model on them.
I am not advocating eliminating reactive security. Detection and sharing are important. We need smoke detectors and fire departments. But just as those fire safety capabilities alone don't give us safe living and working environments, IDS in its various forms will not give us safe computer networks. We need to add building codes on top of reaction. We need to use the computer analogs of "fireproof materials" and adopt less risky behaviors with flammable materials. This means building the software that makes up our infrastructure more securely and having public standards to test that it really is more secure. It is a harder problem than inspecting buildings, but we have to solve it or the attackers will always be able to burn us down.