As David Lacey says in his post on the Computer Weekly blog, we need to find some learning points from how we manage APTs. I agree that ticking controls as compliant is not the way forward, although clearly it can demonstrate “due diligence” and provide certain safeguards. My opinion is that most business owners really don’t care until they’ve been exposed to the consequences of this type of attack. I believe that the reason why is twofold:
1) They have invested in “security theatre” technologies for too long now, i.e. technologies that don’t improve security but make you feel safer. Often the impulse to invest in security is triggered by scaring the audience into digging deep into their pockets (PowerPoint slides, press reports, etc.); it is like the boy who shouted “wolf” one time too many.
2) Secondly, there is a serious lack of alignment between the technology/security technical parts of an organisation and the Line of Business (LoB). McAfee have written a really good book on this (Security Battleground), and I advise reading it in order to focus your investment and get the ear of the business owner who has money to spend on security. They don’t mention technologies once. I met one of the authors here in Sweden recently (Kevin T. Reardon) and he is a sound guy; he really knows his stuff!
So what is their advice? Basically, from a LoB angle, focus on the 3Rs: 1) Rich: what makes your business rich?; 2) Ruin: what can ruin your business?; and 3) Regulations: what do you need to be compliant with? I would say just to demonstrate “due diligence”.
I also believe deeply in the stuff that David has co-founded, namely that security should follow the information, or be close to the information, i.e. perimeter security is not the future (Jericho Forum). And I’m an avid follower of what Intel is up to with their vPro, security from the chip level up (I know technically it is not a perfect description ;-)).
One of the major challenges, I believe, for now and the future is authentication/authorization with the BYOD trend, and also the fact that many of the APTs attack humans. The most promising trend I have seen to date is that from Lequa; they are placing the identity in the hands of the individual. No more PKI or Identity Management from the top level down… that is, let’s face it, not scalable to 6bn persons worldwide. I don’t know if they will succeed, but if they don’t I still think that a bottom-up approach is the way forward, especially if this is integrated with what Intel is up to.