CISA Official Argues ‘Patch Faster, Fix Faster’ Is A Failed Model 

A top cybersecurity official at CISA said that addressing computer security vulnerabilities by finding and patching flaws is a fundamentally broken model in need of being overhauled and called on technology providers to “take accountability” for the security of their customers. 

“To say that our solution to cybersecurity is at least in part, patch faster, fix faster, that is a failed model. It is a model that does not account for the capability and the acceleration of the adversaries who we’re up against,” said Eric Goldstein, executive assistant director for cybersecurity at CISA at an event held by the nonprofit International Information System Security Certification Consortium.

Goldstein argued that meaningful gains in computer security will require a “philosophical shift” taking the burden away from school districts, water utilities, and small businesses and putting it on the technology providers.

“What we’re seeing today, we believe, is systematic cost transference from technology providers who make decisions to design products a certain way to customers, who then have to bear the burden to patch, to mitigate, to respond. It doesn’t make sense to us, at least as applied to smaller organizations that really can’t bear that burden,” Goldstein continued.

Goldstein also expressed optimism that AI can assist in finding and fixing vulnerabilities in legacy code, discover tactics, techniques and procedures used by malicious hackers, and to assist in writing secure code.

Troy Batterberry, CEO and founder of EchoMark, had this comment:

   “Eric Goldstein is correct. Software as a Service (SaaS) vendors have an unrealized potential to help address this big problem. SaaS vendors can already remove the burden of customers having to periodically patch information systems. SaaS vendors can also take on more direct accountability for breaches in their systems. Through more “security conscious” configuration settings such as requiring Multi-Factor Authentication (MFA), more defense in depth technologies, architectures, and monitoring (including Artificial Intelligence), SaaS vendors can preclude a vast majority of breaches from happening in the first place. In many cases, the knowhow already exists. Those involved simply need a nudge.

   “This has happened before in other industries. Somewhat analogous to how Federal and State government have required standards and compliance with transportation safety for decades, it is time for governments to further impose effective regulations for cyber-security against both SaaS vendors and organizations that utilize them on our information superhighways. This includes the rapid phaseout of insecure legacy systems, which are too often the “wide open door” that lets hackers in.”

Mike Barker, CCO of HYAS Infosec, followed with this:

“Absolutely agree with Eric Goldstein’s perspective on the need for a paradigm shift in cybersecurity. It’s high time we move beyond the reactive “patch and fix” approach. Holding technology providers accountable for security is a crucial step towards a more robust defense.

   “Excitingly, Goldstein’s optimism about leveraging AI aligns perfectly with the evolving threat landscape. AI can play a pivotal role in proactively identifying vulnerabilities and enhancing overall cybersecurity resilience.

   “Looking forward to a future where technology providers lead the charge in security, embracing innovative solutions to stay one step ahead of adversaries.”

David Ratner, CEO of HYAS Infosec, concluded with this:

   “While I agree with Goldstein that technology providers need to be accountable and responsible, there is also another fundamental shift required. Gone are the days where one can be confident that they can keep bad actors out of their environment; instead, organizations need to shift their thinking from a pure-prevention strategy to one of operational resiliency. They need to implement appropriate levels of visibility and controls because everyone will at one time or another be breached, and they need to ensure that when it happens to them, the breach can be identified, isolated, and addressed before it spreads and causes financial, reputational, and other damage.”

Defence is best done in layers. Patching is one layer, but it needs to be backed by other layers to keep your organization safe.

Discover more from The IT Nerd
