Cyber resilience more than a software problem

Security is supposed to protect you, and customers should expect it to work all of the time. No one invests in expensive security tools hoping they will work part of the time.

The new US National Cyber Security Strategy was recently published, and we have all now had a bit of time to absorb it. We wholeheartedly support the mission, and now as we shift from the abstract into the practical — there are some challenges we will all need to roll up our sleeves to address together.

Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency, was quoted recently: “We often blame a company today that has a security breach because they didn’t patch a known vulnerability.” she said. “What about the manufacturer that produced the technology that required too many patches in the first place?”

Many took that to mean that cyber resilience was a problem that could only be solved by vendors who were just not stepping up to the challenge and that this could all be changed by redirecting our lawsuits from the customers who were breached to the security tools they used to prevent it. While that makes for great headlines, I cannot imagine that this was the intent, nor is it the reality. If we are going to really tackle cyber resiliency, it is going to take all members of this ecosystem to close the resiliency gap — no single member can solve it alone. What is needed is shared accountability. Customers need to maintain compliance, and vendors need to manage complexity and resiliency, and accountability needs to be shared.

Let’s not oversimplify what is driving the fragility of security.

Software requires repairing for many, many reasons. Changes in the environment around it. New forms of risk introduced by adversaries or by the user. But most of all — complexity. In the past 10 years, cyber security spending has exploded, with many tens of billions a year being spent to add new security capabilities to protect end-user devices or endpoints and detect/prevent bad things from happening. As a result, the number of security applications installed today on a laptop on average is 11 to 12. In any regulated space, we can see more than two to three times that number of security agents, plus the many other non-security applications also running on these devices. And yet, we still see breaches. Why? The answer is complexity.

Complexity makes continuity nearly impossible.

Across millions of active devices today, we can see more than 17 versions of Windows with over 300 patches/combinations, along with an endless array of configuration and connection variables. As a developer, building a test matrix for these infinite combinations as well as being able to predict the unknown unknowns that emerge daily from bad actors and innovative end users has been arguably impossible for both customers and vendors to maintain. Now for enterprise customers, add the lack of available cyber talent for managing the mountains of alerts and events coming from these systems to be able to respond and restore them — often months behind when they are released and/or broken. And we cannot forget customer SLAs themselves. Rightfully, customers want any known vulnerability or quality issue to be reported and remediated within days/weeks. Rapid response with patches and fixes is paramount to securing customer environments from new risks. The complexity is immense. Improving quality, managing complexity and new capabilities around analytics and artificial intelligence can help over time, but what do we do today?

VIEW ALL

Cyber resiliency has to be as much about recovery as much as it is about not failing in the first place.

It is arguable that no one looks at application health and the effect it has on endpoint cyber resiliency more than we do. In our experience, not all ISVs are underinvesting in quality. From our unique position in the BIOS of millions of active devices, we can see security applications from the world’s leading security companies, running in some of the most sophisticated security environments by some of the strongest cyber teams and still be operating at 60 to 70 per cent resiliency — meaning they are only installed, running and healthy across 60 to 70 per cent of the devices where they are required for compliance. Another way to think about that is $0.30 to $0.40 of every dollar spent could be wasted if those controls are not healthy and working to protect the user. That complexity is what we need to tackle for certain. And understanding that the end result will never be zero risk — resiliency in spite of complexity is what Absolute Resilience does that no one else can do. We leverage our unique Persistence technology, already in the device itself, to self-heal these applications automatically — to restore, repair, or even reinstall an application and help to close that seemingly insurmountable gap. We see application resiliency going from 60 to 70 per cent compliance in some cases to 97 to 99 per cent — unassisted by IT. We can make security more resilient today with what we already have.

As an industry — we must ask ourselves: “What is the core problem we are trying to solve?” Is it — “Whose fault is it, and who gets the lawsuit?” Or is it, “How do we collectively make security better?” That is the goal, and we can all do more.

We believe security should work.

This is our passion and our purpose. Compliance is a scorecard for the end game — which is continuity. Already built inside the hardware of over 600 million devices across 28 different PC manufacturers — organisations already have the ability to enable this capability for their critical security applications. And ISVs equally can leverage this platform today to deliver more resilient solutions to their customers. Collectively, we can deliver better compliance and greater continuity in the face of complexity.

Cyber resiliency is a team sport.