'Day of reckoning is coming' for the web, says Amit Yoran
EXCLUSIVE: FORMER head of cyber security for US Department of Homeland Security says bleak times are ahead for the web.
FOR someone who has been working in internet security for more than 20 years, Amit Yoran seems to have a decidedly bleak outlook on internet security.
But I suppose that's what happens when you've worked in almost every aspect of cyber security, up to and including military threats.
Amit Yoran is kind of a big deal.
But you won't catch him telling you that.
The man who is helping governments and businesses to protect themselves from prying cyber criminals was so modest he barely mentioned his many, many credentials and actually completely failed to discuss his "Security Analytics" software during our one hour phone interview.
I actually had to email him back to get him to talk more about his product and how it works.
The former director of the US Department of Homeland Security's National Cyber Security Division sat down with news.com.au to discuss the future of online threats and surprisingly, Yoran said we're fighting a losing battle.
"I do think there is an inevitable bad day of reckoning ahead," he told News.com.au. "I won’t say internet wide but for many organisations it is going to happen and for many people on a personal level.
"ID theft or account takeover types of issues are quite painful and has effected many individuals."
Cyber security threats are in fact so common that more money is being made from cyber crime than from drug trafficking, Yoran said,
"The fact of the matter is that in many parts of the world, if you're willing to go in that direction, the return on investment for your time for doing something criminal is quite high because is a very low probability of getting detected."
And the darkest days are still ahead.
"I don't think we're winning," he said.
"The rush to automate, integrate and leverage technology for all of the advantages it provides us has increased the ease with which that technology can be exploited."
"The landscape seems to be getting worse, far better than people are making strides to improve their security posture."
This is a fairly depressing outlook for someone who has developed security software for business that is changing the way we think of cyber security.
"This is getting a little bleak," he said. "I'm going to have to have a beer before my next interview."
What Yoran has failed to mention is that he's already built the solution, or at least part of it.
The fact is, the man who has been called the Steve Wozniak of the internet security world is just far too self-effacing to discuss his achievements in any detail.
Yoran co-founded his second internet start-up, NetWitness in the mid-'90s which would be acquired by RSA in 2011, around the time of its embarrassing security breach where hackers gained access to data pertaining to RSA's secure tokens that encrypted the online activity of people who used online banking, as well as the Defence Force and other corporations, making them vulnerable to cyber attacks.
The software couldn't come soon enough for RSA who was humiliated after itself becoming the victim of a security breach.
RSA told News.com.au that it was actually Yoran's Netwitness software that led to the early detection of the attack.
"The RSA breach is recognised industry-wide as an effective and quick response to an advanced threat," a spokesperson said.
"The Security Analytics offering takes this ability even further forward."
Though no RSA customers were affected by the breach, it demonstrated just how far behind the world had fallen at addressing online security.
That's where Security Analytics comes in.
One of the biggest problems in the security space is that existing security systems aren't going to stop a determined hacker. Threats come in all shapes and sizes and few share similar identifiers. The more sophisticated the threat, the better they are at hiding themselves.
Equally problematic is the way that “everyday consumers” perceive online security. Yoran says businesses and consumers alike are being "lulled into a false sense of security."
"The protective security apparatus that organisations have deployed over the last 20 years are the tried and true fire walls and intrusion detection systems and anti-virus products that are literally costing millions of dollars but their core signatures are based on differentiating between bad behaviour, and behaviour they don't know is bad," he said.
"Organisations are being lulled into a false sense of security that just because my internet detection system isn't going off and the anti-virus system isn't triggering, they sit around all happy and assuming everything is as it should be. But adversaries are doing all sorts of very creative things to assure that's not the case.”
Yoran’s Security Analytics analyses entire work networks to find potential points of weaknesses, while at the same time taking a snapshot of the entire web, searching for anomalies or unique identifiers that when analysed together, could help to predict when an attack is going to occur and stop it from occurring.
Yoran refers to this as "finding a needle in an enormous haystack".
Unfortunately, the software is only available to businesses, but Yoran says that is by design. Companies need to better protect their customers, instead of relying on consumers to protect themselves, he said.
But the entrepreneur admits that it’s not as easy as it sounds.
“It’s extremely difficult to be well protected online,” he said. “Users so frequently opt for the convenient over the safe – I’m as guilty of it as anyone.
“People do things like using easily remembered passwords or share passwords across various accounts and infrastructure, to even leaving their computers on.
“As silly as it sounds, when your systems are on, they’re accessible and if someone is looking for a vulnerable system or happens to get access to yours, leaving your computer on when you’re not using it increases your exposure.”
The main thing Yoran wants people to take away from all this is to realise that what we’ve been doing for many years to address cyber security is not working today, “and it’s certainly not going to work moving forward”.
“We need to create awareness so people can evolve and change their behaviour – the same goes for organisations,” he said.
So where did this entrepreneur get his computer smarts?
Well one thing is for sure, he didn't inherit it from his parents.
"My parents were technophobes and have barely and unsuccessfully made the transition to smartphones," he said.
Yoran's first formal exposure to computer security occurred while he was studying at US Military Academy, Westpoint.
After completing a masters of computer science at George Washington University, Yoran went to work for the US department of defence, monitoring and developing its defence computer emergency response team (CERT for short). He then moved to the department of homeland security and helped to form the Bush administration's cyber security strategy, but not before founding network security company, Rip Tech which was acquired by Symantec for $145 million in 2002. He has also served on the boards of a number of security companies.