The panelists at Slush argued that a change in culture is needed: companies need to encourage their employees to find vulnerabilities without fear of being reprimanded. This needs to be done in co-ordination with advanced technologies that keep up with the changing threat landscape.
Marten Mickos, CEO at HackerOne, a company that acts as a middleman between good hackers and companies that want to find their security flaws, said that the digital world wasn’t built with security first and foremost in mind. He said:
I think we spent the last 20 years building an amazing internet without any thought of security at all. I’m guilty myself, so I’m trying to repent and fix it. It’s a risk to individual citizens, it’s a risk to start-ups and it’s a risk to corporations. They’re being attacked by nation states, criminals and young guys that just have nothing better to do.
Andrew Rubin, CEO of security company Illumio, agreed and said that the problem with the internet is that it has enabled us to build things quickly, at a rate that wasn’t previously possible. This has resulted in security not being able to keep up with the pace of innovation. He said:
There are so many people here today that are trying to take technology and effectively enable us to try and do things that we couldn’t do weeks, let alone months or years ago. And there is a cost to doing that. And the cost to that is that we have created a massive attack surface. We run the world on tech, we run the world on data, we want more of it, we want to use it more aggressively - and in the process we have created this massive attack surface, with very little thought about how we are going to protect it.
And now it’s growing faster than ever before. What we are finding is that we are way behind in terms of thinking about how we protect this, let alone build the tools necessary to do it. And the reality is that as we are going faster, security is getting harder, not easier. And all we want to do is go faster and faster, but with very little regard for how we are building security into the process from the beginning and how we are going to get security to keep up along the way.
It’s a different kind of war
Frans Rosén, founder of Detectify, a security company focused on automation tools, boldly declared during the session “we are at war every day”.
Rubin agreed and went on to say that companies have mistakenly applied the age-old tactics of war to the internet, where the focus has been on investing in protecting the perimeter. However, he doesn’t think the same rules can be applied. He said:
We built a set of assumptions, 20-30 years ago, a lot of them based on this concept of the perimeter, and we said we are going to invest all of our effort in keeping bad guys out. And that’s going to be the entire premise of how we secure things. Fast forward to 2016, and all of a sudden we realise we are fighting an entirely different type of war, but we are doing it with the old tools and the old methodologies and old approaches. And it’s not working.
He added that one of the challenges for companies when it comes to cyber crime is that it’s very disproportionate: it doesn’t take a lot of money, effort or people to cause huge problems for a company. He said:
It’s very, very mis-leveraged. This is a different type of war.
What can be done?
Rubin said that there are some steps that can be taken to protect your company as much as possible. For example, he said that one thing to consider when signing up security vendors and/or staff is that although you might be running in one type of environment today, as you grow and distribute your systems, you need to ensure that protection carries over down the line. Don’t have a short-term view of the security challenges ahead. He said:
It’s obvious that lock-in to a vendor or a technology approach is becoming an old way of thinking. So one thing to consider is that you may be in AWS today, but as your company grows up, you might be AWS, Azure and a whole bunch of other places. And as you’re investing in security from the beginning, you should be pressing them and asking about being protected in AWS, but also being [protected in other environments]. I don’t want to have an investment that ends up being dead, that I have to rip out painfully, in order to be able to run in a more distributed way.
Both Rubin and Mickos said that companies need to work hard with their people to encourage an environment whereby finding security problems is celebrated. Mickos said:
If you are a start-up and you’re running software, you have to design security into the software when you write it. When you deploy it, I would recommend using AWS or Cloudflare, those that give you some basic protection of the infrastructure. We believe that human beings are the solution, not the problem - let others help find your vulnerabilities.
Turn it around, turn it into a positive constructive thing and say let’s look for the problems. Celebrate them when we find them. Talk about them. Reward those who find them. Then you can turn security into something positive.
Rubin agreed and said:
There’s a cultural element to this. We want to go fast, we would obviously prefer to get it right, but we know that by going fast we are going to break things. There are going to be bugs, there are going to be problems. But we don’t want to slow down to a crawl to prevent that from happening. Security has this stigma attached to it where the theory is that if something goes wrong it’s a huge problem, and therefore it should be buried or shoved aside.
With the ability to bring these things to the surface quickly and deal with them, two things will happen. One, the problem will probably go away a lot faster and will probably go away a lot smaller. Secondly, people will realise that it’s okay to surface these things right away and as a community we get better at it.
However, interestingly, both warned that companies signing up to SaaS services as they grow and scale should do so with caution. Rubin and Mickos said that they had been stung by SaaS providers being hacked, and that most companies don’t think twice about signing up for a cloud service. Mickos said:
I would be really careful about signing up new SaaS services, making sure that they’re secure. We started using a marketing service, and within four hours of launching it, it had been hacked. We realised that we have to be very careful in choosing which SaaS services we use.
Rubin also warned:
We’ve had that experience twice. We are an early stage company so we’ve used lots of SaaS and cloud. And we have had two of our providers hacked in the past 12 months. We realised that we have to start asking these providers questions about their security. We may not go in and audit everything they do, but generically we were just signing up to things and not asking anything at all.
One of the things that start-ups have to do from the very beginning is talk to your people and make them aware of the fact that it’s a shared responsibility and it’s an obligation that everybody has. Realise that this isn’t just a large enterprise or government problem: you’re a start-up, you’re probably collecting data, you’re being targeted. You’re part of the attack surface.