How can corporate America cure its information security ills? Take a page from the FBI's terrorism-combating revamp.
That was the pitch made by Shawn Henry, president of CrowdStrike, in his keynote presentation Wednesday opening the Black Hat 2012 conference in Las Vegas. Until March 2012, Henry was the executive assistant director of the FBI, with responsibility for all of the FBI's criminal investigations worldwide, including cyber investigations, the critical incident response group, and international investigations.
After Sept. 11, said Henry, the FBI retooled to better combat "kinetic terrorist attacks--bombs going off, and people getting killed." Doing this meant admitting that terrorists might already be at work in the country, and then finding the best way to help the bureau and other intelligence agencies gather and share better intelligence.
[ Can data analysis apps help catch bad guys? Read more at Big Data Plus Police Work: Good Partners?]
Now it's time for businesses to admit that they also face new types of risks. "Today, with a $500 laptop and an Internet connection, anyone anywhere can attack anyone, anywhere," said Henry. But many senior executives seem to have been slow to catch on to this new state of insecurity. "I still hear from CEOs: why would I be a target? Why would they come after me?" said Henry.
But senior executives must get proactive about combating security threats. To do so, Henry recommends applying 6 lessons learned by the FBI:
1. Assume You've Been Breached. In recent years, forward-thinking CISOs have adjusted their information security perspective. Instead of trying to keep their network 100% secure, they're admitting that preventing every breach is impossible. Accordingly, they need to be able to quickly spot intrusions and then quickly respond.
Unfortunately, not enough businesses have come around to that more progressive way of thinking. "I can't tell you how many times FBI agents are deployed onsite, saying they found data that was breached, because we found all of this company data outside of the network," Henry said. "We sit down with the CISO or COO, and they said it couldn't have happened." But typically, after a bit of analysis, they find that their perimeter security defenses were breached months--and in a few cases, years--before. Of course, because they failed to spot the breach, the business's sensitive information could have been exposed for months or years.
2. Beware Foreign Intelligence Services. Who is best at stealing corporate data? "Foreign intelligence services ... are the most important threat today," said Henry, who said there are dozens of intelligence services with the ability to launch highly sophisticated reconnaissance-gathering operations. When such operations are successful, he said, they put businesses on the opposing side at a disadvantage during negotiations. "It's like playing poker with a marked deck," he said.
3. Get Proactive. "If you agree with the premise that someone has breached your network, that they're already in there, then why aren't you looking for them?" said Henry. "We have to constantly be looking for them." But he pointedly stopped short of calling for hack-back attacks, which he said would break the law. Instead, he recommended counterintelligence, such as leaving "decoy documents"--fake intelligence--to fool attackers.