Why cybersecurity has failed our market and how to fix it
Security has the fame of being complex and expensive. There are too many acronyms, too many attacks and too many fear around the topic. Take the World Trade Center incident. After those buildings fell, questions like "what would you do if your company lose all its data?" began to pop over and over marketing materials. And they're still prevalent in today's marketing campaigns, the so called Fear, uncertainty and doubt (FUD), a disinformation strategy. This stupid strategy ruins the industry all the time. It also results in lower security budgets.
In the end the day, the security industry in general were selling Anti-Advanced Persistent Threat (APT) solutions, next-generation firewalls, next-generation endpoint protection and a kid on his 17 years old exploits a SQL Injection vulnerability using an open source tool. Or a cybercriminal creates a botnet that only exploits weak passwords on Internet of Things (IoT) devices and generates a monstruous Distributed Deny of Service (DDoS) attack. I'm talking about Mirai botnet. I also recommend you to read what its creator posted when he/she released its source code. Yes, it's open source now.
By the way, I'm not a fan of "next-generation" products because products aren't likely to work as a panacea. A new version will be needed to solve the next problems that will arrive. Security is not static and there is no exclusive generation of products that will solve everything. "Next-generation" means living in the future and guess what happens when this product doesn't solve the problem? You'll need to append another "next-generation" on it. Product-ng-ng. Or ng² if you be creative at least.
Ok, that's easy to pinpoint problems and don't talk about the solution. No, it's not easy to pinpoint problems, but let's go to the solution. Well, it's to focus on the basics. Before preventing APT you need to get rid of known malware. Before using Data Loss Prevention (DPL), make sure you can intercept SSL/TLS traffic in the first place. In times of complexity, focus on the basics.
And the basics include update your systems, run security scanners against them. That's Cyber Hygiene. For that you do many things that aren't expensive and helps to protect your data. You can use Gauntlet.io for free to run scanners on your assets and manage your findings in a centralized fashion. I work on Gauntlet, you know, but I can't resist to speak of it. It's really useful.
To finish I'd like to share the origin of the title of this post. It came from this interview on CNBC with Orion Hindawi, co-founder and CEO of Tanium. It feels so good to see that we as an industry are starting to admit mistakes, move on and focus on what matters. The majority of companies play against this line of thinking, but I hope evolution reaches them.