Apr 192011

Late last week I attended a federal data security event sponsored by Neustar. What impressed me about this event was the frank admission that sensitive data will be lost – the only issue is how to minimize the vulnerabilities and mitigate the inevitable losses.

It was an intimate event with just two speakers. William Crowell is the former Deputy Director of the NSA, and Rodney Joffe is SVP and Senior Technologist for Neustar. Both highlighted vulnerabilities, suggested some best steps and in Joffe’s case, proposed a fundamentally new way to view online security.

Crowell is now a security consultant, and mentioned he was part of the team at NSA that worked way back when on decrypting the Venona cables. (As a former PoliSci major, I found that pretty cool.) He told the group that if government supervisors took data security as seriously as they do physical security there would be fewer breaches.

According to Crowell, intelligence has never won a war, but intelligence allows soldiers to win wars. He identified the combination of social engineering and fast advancing technological capabilities as a “unholy alliance” that is behind fully half of all advanced, persistent online attacks directed against the U.S. government.

He outlined the following steps to fight back:

  • Stop talking about ID management, and start doing — there is currently no system deployed within the U.S. government with cryptographic capabilities
  • We need gateways and firewalls that can handle hundreds of distinct rules per packet — current tools can handle about 25
  • Develop anomaly models for online behavior — just like we have in the physical world
  • FISMA — refocus on real-time security, these requirements have become a static checklist
  • Education of users — very often overlooked
  • Move to the cloud — government needs to stop arguing about the benefits, which are manifest, and focus on securing

Joffe opened his address by stating that the current tools for data security aren’t enough. As an example of the level of threats today, he pointed to the take down that day of a two million strong botnet by the DoJ and the FBI. He told the audience that he’s learned a lot by “being a target since 2002,” through his founding of the leading managed DNS provider UltraDNS (purchased by Neustar in 2006).

Joffe preaches mitigation, since 100 percent prevention is an illusion. He encouraged the audience to engage in a premortem when considering data security. This approach assumes failure, then looks for evidence that can lead back to specific areas of weakness. It’s a fundamentally different way to visualize security — here’s a Harvard Business Review article with more detail on the premortem methodology.

I’ve known Rodney for many years, and he’s very good at explaining technology with analogies. In describing why planning for failure in data protection is necessary and not at all defeatist, he used the example of the modern conference room where we all were sitting. The building employed the latest in safety construction, right down to fire retardant materials in the furniture. Yet there was still a sprinkler system overhead.

Why, he asked the audience? Because fires still happen, despite taking all the proper steps to prevent them. It’s the same with data security.

Here’s Rodney’s to-do list for feds looking to protect their data:

  • Continue with all the current best practices and the layered approach to security — firewalls, the latest anti-virus programs, IDS/IPS
  • Deploy failure sensors and plan for losses — this is where existing solutions fall down
  • Work backwards from failures by examining the artifacts breaches leave behind –– Joffe said he will have more to say publicly on how this can done in a few weeks

In today’s online threat climate, focusing only on perimeter defense is like the French relying on the Maginot Line in 1940. I’m looking forward to seeing how the federal market reacts to this new way of conceptualizing data security.

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>