Cyber security expert Richard Clarke, the chairman and CEO of Good Harbor Consulting and a member of President Obama’s intelligence review group, issued on Tuesday a simple challenge to organizations looking for better security posture: “put your money where your strategy is.”
Speaking at a news conference at the Bit9 + Carbon Black booth at RSA Conference 2014 in San Francisco, Clarke said he often asks security companies what their protection strategy is.
“I’ll ask what they think about a strategy based on perimeter defense,” Clarke said, to an in-person audience of approximately 100 people and to viewers watching online. “They’ll tell me, ‘that’s very 1990s; we don’t believe in perimeter defense.’ Then I ask to see their IT security budgets. In almost every case, 90 percent or more of their budget was spent on perimeter defense.”
Clarke, who was the first White House cyber security czar, said such organizations spend their money on perimeter firewalls and prevention systems that the industry already knows will eventually fail.
“Security professionals are not spending enough time looking at what is going on inside the network. They need to look at what’s going on at every endpoint, seeing and recording everything that goes on. And when they find something that is malware, they need to detonate it. This is the model that all companies and government agencies need to be moving towards. It’s time for them to put their money where their strategy is,” Clarke said.
Clarke addressed Edward Snowden’s infamous insider attack on the NSA, as well as the highly publicized retail breaches, noting that the hacked entities had excellent perimeter defense but did not focus enough on what was occurring inside their organizations.
“That doesn’t make the NSA unaware, but it does make them like most companies today,” Clarke said.
One of the most important takeaways for attendees of this year’s RSA Conference, Clarke noted, is awareness of NIST’s recently published cybersecurity framework (the Framework for Improving Critical Infrastructure Cybersecurity, version 1.0, released February 12, 2014), developed under President Obama’s Executive Order 13636.
“Two critical pieces of that framework are detect malicious activity and respond to malicious activity,” Clarke said, noting that many organizations are now liable to shareholder lawsuits if they are breached and fail to follow the NIST standards.
“If you haven’t seen the NIST framework, you need to read it,” Clarke said. “If you think it’s too complicated and you don’t need to familiarize yourself with it, you are wrong. This framework has implications for you and your company and you need to learn what those implications are. Detecting and responding to malicious activity are a big part of it. [Bit9 and Carbon Black] do just that – on the network and on the endpoint.”
Further referencing Snowden’s breach of the NSA, Clarke noted that Snowden was able to do two critical things:
1) As an insider, get onto a secure system and move through multiple networks, and
2) Download approximately 1.5 million documents without any security software catching him.
“If the NSA had been running [Bit9 and Carbon Black], neither of these things would have happened,” Clarke said. “This product looks at what’s going on inside the network and it looks at what’s going on at every endpoint. It records everything that’s going on. This is the model that we need to adopt.”