ORLANDO, Fla. -- The private sector needs to iron out new ways to share anonymous attack data or face serious consequences, brought on by expanding information stores and cloud computing services that are complicating the process of deploying security technologies, said Dave Cullinane, CEO of Security Starfish LLC and chairman of the
Global sharing is absolutely critical to our future. We're going to be completely hosed by the adversary until we do.
chairman, Cloud Security Alliance
In Tuesday's opening keynote of the Cloud Security Alliance Congress, Cullinane sought to inspire a room full of IT security pros to transform their security programs by implementing an intelligence-based security strategy. The goal, Cullinane said, is to allocate resources more effectively by perceiving future threats to systems based on actionable intelligence. He warned that many organizations are spending millions on security technologies that protect the wrong resources.
"The potential for people with whatever agenda to cause an erosion of the fundamental trust in things we rely on and depend upon every day is one of [the] major risks we face and we have to do something about it," Cullinane said. "We have to create the ability to provide the vital information everybody needs to know so we can quit chasing the enemy."
A number of security experts and government officials in recent years have advocated for an intelligence-based approach to information security, urging the private sector to share attack data despite perceived liability and legal issues that have largely thwarted the information-sharing process.
Cullinane urged security pros to talk to their public relations and legal teams and develop ways that can clear the legal hurdles. Actionable intelligence needs to provide how an organization was attacked, when the attack occurred, and where it was attacked from, Cullinane said, so other organizations can figure out if they too have been compromised and figure out how to contain the problem or address weaknesses that open systems to a similar attack.
"Our adversaries are more professional than ever. They are sharing information," Cullinane said. "They collaborate like crazy and that's one of reasons why they are so successful."
Cullinane referenced the implications of mobile technology and the increasing computing power of smartphones as driving the adoption of cloud services. Cloud providers are building massive data centers at the cost of billions of dollars to handle peak capacity, but the security implications are frightening, Cullinane said. "The pure economics of the situation is that my data center is going to be in your data center," he said.
Cullinane, who worked previously as the CISO of eBay Inc., said his former company saw billions in revenue from users buying and selling products using its mobile apps. By next year, eBay estimates that 95% of the items bought on its auction platform will be bought and sold using smartphones and tablets.
"The economics are driving change and we need to figure out how to deal with the security implications," Cullinane said.
There are signs of improvements in cloud security. Cullinane said emerging technologies are addressing log correlation and analysis in the cloud. Virtualization technologies are being developed that enable enterprises to capture and save a compromised virtual machine so forensics teams can figure out how a system was compromised.
But there are some serious problems that need to be addressed. With Platform as a Service and Software as a Service models, Cullinane said, an enterprise security team's ability to respond to an incident is highly dependent on the cloud provider it is using. Roles and responsibilities are not always clearly defined. Web applications that tap into cloud-based data are not always being tested in the environment that the app is running in, he added, causing unforeseen weaknesses to be exposed in production.
The issues snowball together, Cullinane said, creating a complicated set of problems that can only be addressed if organizations share threat information by creating ways to make the data relevant and actionable. If security pros fail to take action, he added, the situation can grow out of control. With relatively low cost, he said organized cybercriminals can create incredibly sophisticated capabilities that can come from anywhere in the world and could do massive damage, potentially disrupting economic infrastructure with catastrophic consequences.
"Global sharing is absolutely critical to our future," Cullinane said. "We're going to be completely hosed by the adversary until we do."