HP execs debate reality of hacker expertise; lament most businesses don't understand

SAN FRANCISCO -- Combating cyber attacks on businesses requires a complete change in understanding as well as stronger investment in defense before and after these breaches occur, based on a panel discussion of Hewlett-Packard executives and security experts on Friday.

In explaining HP's perspective on the current state of cyber security, Art Gilliland, senior vice president of enterprise security products for HP's Software group, reflected that most of the media and corporate attention is directed towards specific actors, such as Anonymous.
He described that approach as a "red herring" in terms of how companies need to respond.

"This is a game of risk management," Gilliland asserted. "Companies need to be able to see and understand their exposure potential and prioritize what they respond to."

That's because, according to Gilliland, there's so much money involved in the sale of intellectual property -- whether it's about credit cards or espionage -- there is a marketplace that has grown around cyber crime. He explained that "markets do very specific things," including organizing participants and creating a process.
Thus, Gilliland argued that if companies are going to be more effective in responding, they need to think about how they can disrupt each of the steps in the process of establishing this marketplace.
Gilliland outlined that process is made up of the following five steps: research, infiltration (breaking into a company), discovery (mapping out assets about where data may live), capture (adversary takes control of the asset), exfiltration (stealing of data and/or destruction of data).
"This is a game of risk management," Gilliland asserted. "Companies need to be able to see and understand their exposure potential and prioritize what they respond to."
Based on the conversation on Friday, two of the problems here could be that most companies are both slow to understand this and they are prioritizing security budgets in the wrong way.

"We're competing against the best in the world, and they only have to be right one time," Gilliland remarked.

Scott Lambert, director of HP DVLabs, concurred with Gilliland, remarking that we need to be quicker at identifying when and responding to hackers after they've already broken in.
"Attackers are shifting in the landscape today," Lambert said, adding that most hackers are now going after primary individuals rather organizations.
Gilliland followed up that "it's inevitable" that cyber criminals are going to innovate around the latest antivirus toolkits and solution.

"We're competing against the best in the world, and they only have to be right one time," Gilliland remarked.

He continued that if you believe that's true (which he asserted most security experts do), you have to be really good at catching them on the inside before they've stolen data.

But Gilliland lamented that if you add up all the market spending on security, most of it is spent on blocking -- and we forget that there are several other stages we need to defend.
"We're still doing check-box security," Gilliland quipped.

Joni Kahn, vice president of services and support for HP's ArcSight unit, said that the "technology is there" but there is an "IT issue" in applying security solutions effectively.

"It's amazing to see that they have not done the fundamentals yet required for basic perimeter security," Kahn commented.

Explaining that the ArcSight unit spends a lot of time "around the people process" in enabling customers to deploy its products, Kahn reflected that a lot of companies have compliance priorities when buying this technology.

But at the end of the day, she continued, it's about getting them to understand how to best leverage it.
"It's amazing to see that they have not done the fundamentals yet required for basic perimeter security," she commented.
While Gilliland also noted that another problem is that many companies don't have the expertise (or the money to hire the brainpower), the question was also raised about increasing awareness among software developers.
Software developers were described to be often hard pressed to churn out work quickly, making security often a second thought when it comes to performing basic tasks that are actually opening up a network to potential threats.
Describing himself as a long time security professional and former developer, Jacob West, chief technology officer HP's Fortify unit for enterprise security software, acknowledged that it's difficult to find a balance.

"We're still doing check-box security," Gilliland quipped.

He posited that we need to enable developers to know they are making decisions even every time they make queries.

West cited that his department has seen an increasing number of businesses with large investments in security tying developer bonuses to adequate performance in regards to security.
While forecasting that more schemes like this are starting to emerge, West admitted this culture shift is happening slowly.