White hat hacker Marc Rogers knows how to take down your network, or secure it. Here’s why businesses and IT should pay attention.
We’ve never had a greater need for security, and it’s never been harder to achieve. Google has pioneered a new way of looking at security, dubbed BeyondCorp, that re-imagines corporate security in a perimeter-less world. Such an approach remains a lonely exception, however, to the rule of largely underdefended corporate treasure troves of personal data.
And yet there’s hope, as I learned in talking with one of the most famous white hats in information security, Marc Rogers. An organizer for the past two decades of DEFCON, the world’s largest hacking conference, and co-founder of the notorious British hacker group known as “The Agents of a Hostile Power,” Rogers spends his days as head of Information Security at Cloudflare. In his view, to make security work we need to stop thinking about erecting walls around an enterprise and instead think of security as an enabling function.
Wait, does this mean no more silly password rules?
‘I don’t need no walls around me’
Not exactly. According to Rogers, “Information security has always been predicated on a goal to stop access, to prevent things and keep people out of things. That’s fundamentally a blocking attitude.” What has changed, he went on, is that “We’re now starting to recognize that security is potentially one of the greatest enablers a company has.” An enabler, really?
Think about it this way: Though we generally think of brakes as a means for stopping cars, they actually fill a more nuanced purpose, according to Rogers. While they absolutely do help to bring a car to a stop, they serve a more fundamental purpose of controlling risk. When brakes were introduced for cars, their top speeds leaped from 20 miles per hour to 50 or 60 miles per hour. In other words, the introduction of brakes did more than stop cars: It actually allowed cars to go much faster without fear of imminent death. Security, says Rogers, is much the same: “It should be an enabler that allows a company to choose which risks it wants to take on, in a controlled fashion, in order to go faster.”
SEE: Here’s Google’s biggest secret to not failing at security (TechRepublic)
In this way, he told me, “Good security is a marriage between form and function: It’s useful, it adds value, and it doesn’t get in the way.”
It’s needed more than ever, given that our world is increasingly interconnected—from our cars to our toasters. The companies that make these devices have little or no experience with facing internet threats, and for new enterprises sprouting up in this climate, we’re facing those threats without adequate protection or understanding, and not surprisingly falling into common issues that the industry thought it had solved in the 90s.
The no. 1 threat factor affecting IoT right now is default passwords. There are botnets affecting printers, toasters, and fridges, and the problem is only getting worse. If a botnet of several hundred thousand little cameras can bring giant security companies to their knees, as Mirai did, then imagine what happens if predictions of tens of billions of interconnected devices by 2020 come true.
That kind of surface, if weaponized, would bring entire nations to their knees. A new kind of security is imperative, but how do we get there from here?
Into the great wide open
As mentioned, Google’s BeyondCorp is a great example of this kind of information security thinking. The challenge with BeyondCorp, however, is that while most companies would benefit from adopting this approach, they have already grown massive networks organically. That technical debt makes it hard to implement something like BeyondCorp because an enterprise already has customer applications that communicate in non-standard ways, and they don’t always know where all your data is because it’s distributed across a giant network.
For “Exhibit A,” look no further than Equifax.
SEE: Guidelines for building security policies (Tech Pro Research)
Equifax’s problem is that they ended up with an unmanageable mess of a network that had vulnerabilities coming out of every corner. They relied on the classic eggshell security model, but once the egg gets cracked, everything leaks out. As such, Rogers reasoned, is migration from old world security thinking to new world security thinking.
“The challenge we’re going to face with getting companies to move towards these more future-thinking models, to move towards things like BeyondCorp, is how do we help them? How do we hold their hands and provide them with the tools to migrate safely and effectively without impacting their business?,” Rogers said.
That’s not a simple hurdle to clear.
Even though companies will struggle to bridge the gap from their current security to a BeyondCorp-type approach, there’s reason for optimism. In Rogers’ mind, security isn’t a matter of some utopian approach “out there” just waiting for a company to shed all its technical debt to embrace. Rather, Rogers said, “Security is all about bringing an appropriate suite of tools to bear, and having a good understanding of the threats that you face. There is no one solution.”
BeyondCorp, in other words, may well be a “true visualization of what defense in-depth should look like,” but every company can benefit from it, even if they’re not yet ready to playact at being Google.