Roger Grimes gets angry when stories like this one, about Microsoft’s UEFI security snafu, emerge – and not just because he works for Microsoft.
“It’s so complicated to pull off, it’s going to be fixed with a patch, but they’re not patching Java, or Acrobat, or the things that are actually being exploited,” said Grimes, the software giant’s principal security architect. “But the media is afire with this latest issue.”
Microsoft’s UEFI flaw may be bad, but it’s easy to focus on the latest published vulnerability as the biggest risk while ignoring others that are far easier to exploit, he warned. When he presents at SecTor this October, he will push for a more data-driven approach to defence that he believes will help to surface the real risks to an organization.
Grimes has been a security pro for the best part of three decades, and consults for anywhere between 20 and 50 customers per year. He repeatedly sees the same story: companies aren’t addressing the root causes of their security problems, even when he points executives at them. “We tell them what they can do to fix it, and they just don’t,” he said. “In the last twenty years we’ve had maybe one or two customers really fix the problems.”
Companies could iron out a large percentage of their security risks with a few measures, because those risks stem from the same underlying vulnerabilities, he suggests. He points to unpatched software as one of the biggest, and social engineering as another.
While broader vulnerability categories may stay relatively consistent, the attack vectors within them will change over time. Grimes believes that attacks on operating system software are less common now than they were several years ago, because the focus has moved to third-party applications, for example.
The threats are also growing in volume. The sheer number of vulnerabilities and exploits makes it difficult for information security teams to see those that represent the biggest risk, Grimes said. As these threats grow and change, companies frequently fail to patch what’s being exploited the most, especially if the staff responsible for patching software don’t know where their softest targets are, and aren’t incentivised to concentrate on them.
Senior management typically won’t direct resource to a specific area until they have clear evidence that it’s a problem, he mused. Even when they do, it can be hard to get them on board. “I have had CIO types ask me ‘how will the data make me respond differently to what I know in my gut?’,” he recalled. “My response to that is: ‘how could it not?’”
Data gathering systems for security teams need work, Grimes added. Companies can pull data from their own current and historical logs, he said, and augment it with information from anti-malware programs, and from self-reporting initiatives. Those that create a more robust security analytics program can garner even more actionable data.
When you do nail your biggest root cause problem, the battle won’t stop, Grimes said. Security analytics will become more important than ever.
“Patching is getting better, and once it gets significantly better, the bad guys aren’t going to stop. They’re going to move to social engineering or exploit browsers more, or exploit the cloud. If you don’t have a good data collection system in place, you don’t notice the trend until it’s a really big problem.”
To hear more about Grimes’ data-driven defence strategy, come and hear him speak in Toronto at the SecTor security conference on 18-19 October 2016 (with a day of training on the 17th).