Art Gilliland, Senior Vice President & General Manager of HP Software Enterprise Security Products, expresses his vision of corporate information security during RSA Conference 2013 keynote speech “Criminal Education”.
Thank you very much and good afternoon! My name is Art Gilliland, and I’m going to share a little parenting story with you.
I am the father of twins; I have two young twins, a boy and a girl. And I’m also – some of you know that, fewer of you know – that I’m also a complete sci-fi geek. And when you marry those two facts together, as your kids start to approach the 7-year-old age, you really look forward to being able to sit down and watch Star Wars together.
So we sat down; we do a Friday movie night, probably like many of you do that are parents, because you’re wasted from the week and you come home and you want to sit down and you want to be with your kids, but doing anything active is going to be too much for you.
And so you sit down. We watch Star Wars, and I think about halfway through the first Star Wars marathon my kids got really interested, in particular my daughter, my son was not as interested, but my daughter got really interested in good guys and bad guys.
And like the true analytical geek coming out, I was really happy about it. She’s asking me to rate how good they are and how bad they are; Darth Vader – 10 bad, Jabba the Hutt – maybe 8 bad, Luke Skywalker – 7 good.
And so we go through this process, and then the question that was a little shocking to me: “Daddy, are you a good guy or a bad guy?” Deep breath: “Good guy.” Second question: “How good?” Well, she is 7, so: “10 good.” Nuances are probably lost at that age. So here we go, I’ve got 10 good, I’m a good guy, and so I ask the question back: “Do you want to be a good guy or a bad guy?” And I realize: do I really want to know the answer to this question? She’s 7, so, thank goodness: “Good guy.” Ok, excellent; and I said: “Why do you want to be a good guy?” She thinks about it, looks up in the air for a little bit; she says: “Daddy, because good guys win.” I better get back to work.
So, what I want to talk about today is a little bit about what I think we can learn by studying our adversaries. We’re clearly in a war; we’re in a war with the adversaries that we believe they are winning. And so what I want to take some time to do with you today is at least share some of the analysis we’ve done, and maybe offer some suggestions on ways that we can change the way we approach the problem that might help make us more effective.
So, as all good analysis should, let’s start with some data. 94 416 71 84 – interesting data; statistics from a lot of the recent reports. But why is it so significant? It’s significant because it helps to inform us about how effective our defenses are. It also helps to inform us about how much we’re actually listening to the data we’re producing. So let’s go into this intelligence, let’s go into the high level of this intelligence.The first part of this: let’s start with the fact that 94% of the breaches that we report on, that our organization has been breached is told by a third party. So think about that: we’re spending so much of our resources to keep this adversary out, and they’re still getting in, and we’re not effective at finding them after they get in. That’s creating a challenge for us. Second piece of data: we know that we’re struggling to find them, but they are inside our organizations for a very long time. 416 days on average from when they enter the organization to when we figure out that they’re inside, and that’s significant.
The second part of this, which I think is important, is even after we find them, over the last two years, the time it takes for us to remediate that breach, the time it takes for us, after we found them, to get rid of them has grown up to 71%, and that’s important because in a recent study that HP sponsored with the Ponemon Institute, we see that over the last year, from last year to this year, the cost that has assigned of with that increased, the cost of the breach has increased about 42% because of the increase in the length of time it takes us to remediate it.And then the last piece of data: we’ve become very good, or much better, at least, at protecting our networks. We’ve become better at protecting the operating system. And that’s why we see about 84% of the breaches that occur are taking advantage of vulnerabilities that exist in the application layer.
What I take from this, or what we take from this, is that the adversary is innovating. If you combine this information – as we get better at the network, they move to the OS, we move to the application – if you take that and you combine it with the reality that they can go online now and rent botnet networks for $18 a day, or they can buy a Zeus kit for $7000 or so on average – there is something different going on in this adversary that we are competing against that we should be paying attention to. Something is different about the dynamic there.And so if we’re going to win, we may need to think a little bit differently about this. I think there’s irony, obviously, that Sun Tzu is going to be our guide towards better security, but what he’s telling us is if you know your enemy and know yourself, you need not fear the result of a hundred battles (see image).
And so what that should inform us to do is maybe we should take a step back, we should look at our own capabilities and our own skill sets, and then put that in the context of how our adversary thinks about us, because they’re using what they know about us to attack us. Maybe we should learn more about them, understand how they see us, and maybe change our behavior a little bit to respond more effectively.