If you compare the world of cybercrime now to that of 10 years ago, there really is no comparison. Whether one measures its impact through estimated profits – which some put at now surpassing the profits from illegal drugs – or through the scale, scope, and sophistication of the “black hat” services and supporting technologies available now versus years ago, one can’t help but notice the massive difference. I believe the industrialization (or modernization) of cybercrime is the key driver of the security hole our industry currently finds itself in. Companies are generally well suited to wrestling with competitors, regulators, changing customer needs and the many other common challenges of running a business, but dealing with industrialized cybercriminals is a different story. And this is a challenge that many organizations are only now waking up to.
A key proxy I use to measure the level of modernity of any market is the amount of specialization that exists in it. As has been true since the days of early human civilization, the level of societal modernity is directly related to the level of specialization one finds in daily life. Put more simply, one key measure of the sophistication of a society or market is what products and services one can acquire on the open market versus having to make or do oneself.
By this measure the cybercrime market has reached an impressive level of modernity. In just a few hours of research I was able to find multiple vendors of just about everything one would need to run a crime campaign, available as outsourceable services: datacenter services including core applications such as email (for spamming) and Web hosting advertised as “bulletproof”, multilingual call centers, rentable cybercrime infrastructure (bots), “black” payment systems, crimeware development tools (specifically advertised as evading preventive systems such as anti-virus), and 0-day vulnerabilities for sale, among many others. Many of them were kind enough to put together demo videos on youtube.com to describe their capabilities.
So what can we defenders do about this? Think differently and innovate! Organizations need to expand their security programs beyond static preventive controls and perimeter-centric defenses. The attackers, with their bevy of specialized tools and services, are simply too sophisticated for those to be much of a barrier. Organizations need to rethink their mix of investments across prevention, monitoring, and response, and in most cases significantly beef up their investments in monitoring and response while also getting smarter with prevention. Fortunately the security industry in general, and RSA in particular, is booming with innovation in these areas. This is proof that modernization is as much a force for good as it is for evil.
For those of you attending EMC World this May, I encourage you to attend my breakout session on this topic, “Key Innovations In Cybersecurity: The Shift To Detection & Response.” In this session I will delve deeper into the world of cybercrime and into the many innovations that are emerging to help organizations better defend themselves. One key innovation is the shift to behavior-based threat detection analytics, as opposed to analytics based on static rules that require precise foreknowledge of the attacker’s tools or techniques. But more on those innovations in my session! For those readers who are unable to attend my EMC World session, don’t worry: I plan to write a follow-up blog in which I focus on these innovations.
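To make the contrast between static rules and behavior-based analytics concrete, here is an added example (not code from the original post, and not RSA’s own analytics) that runs both approaches over a small set of constructed login/process events. The static rule only fires on a process name it already knows (`badtool.exe`, a made-up name standing in for any known-bad tool), so a renamed tool slips past it. The behavior-based detector instead baselines how many distinct hosts each user touches per day and flags a day that deviates sharply from that user’s own history, catching the lateral-movement pattern in the sample even though no known-bad tool name appears in it. The event format, the users, hosts and process names, and the z-score threshold are all assumptions made for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample events: "<day> <user> <host> <process>".
# Not taken from any real log source.
EVENTS = """
day01 alice ws-01 outlook.exe
day01 alice ws-01 excel.exe
day02 alice ws-01 outlook.exe
day03 alice ws-01 word.exe
day04 alice ws-01 outlook.exe
day05 alice ws-01 excel.exe
day06 alice ws-01 outlook.exe
day06 alice ws-07 cmd.exe
day06 alice ws-09 cmd.exe
day06 alice ws-11 cmd.exe
day06 alice srv-db cmd.exe
day06 alice srv-db svchost.exe
day01 bob ws-02 chrome.exe
day06 bob ws-02 badtool.exe
""".strip().splitlines()

# Static signature list: a made-up process name standing in for a known-bad tool.
KNOWN_BAD_PROCESSES = {"badtool.exe"}


def parse(lines):
    """Parse the constructed whitespace-separated event lines into dicts."""
    events = []
    for line in lines:
        day, user, host, proc = line.split()
        events.append({"day": day, "user": user, "host": host, "proc": proc})
    return events


def static_rule_alerts(events):
    """Static rule: alert only when a process name is on the known-bad list.

    Requires foreknowledge of the tool; a renamed binary is never matched.
    """
    return [
        (e["day"], e["user"], e["proc"])
        for e in events
        if e["proc"].lower() in KNOWN_BAD_PROCESSES
    ]


def behavior_alerts(events, threshold=3.0, min_history=3, sigma_floor=0.5):
    """Behavior-based rule: alert when a user touches far more distinct hosts
    in a day than their own history suggests.

    The baseline is the per-user, per-day count of distinct hosts over earlier
    days. A day is flagged when its count exceeds mean + threshold * stdev.
    The stdev is floored (assumption) so a perfectly flat history still yields
    a usable band instead of alerting on any change at all.
    """
    hosts_by_user_day = defaultdict(lambda: defaultdict(set))
    for e in events:
        hosts_by_user_day[e["user"]][e["day"]].add(e["host"])

    alerts = []
    for user, per_day in hosts_by_user_day.items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [len(per_day[d]) for d in days[:i]]
            if len(history) < min_history:
                continue  # not enough baseline to judge this user yet
            mu, sigma = mean(history), max(pstdev(history), sigma_floor)
            today = len(per_day[day])
            if today > mu + threshold * sigma:
                alerts.append((day, user, today))
    return alerts


if __name__ == "__main__":
    evs = parse(EVENTS)
    print("static rule   :", static_rule_alerts(evs))   # only bob's known tool
    print("behavior-based:", behavior_alerts(evs))      # alice's 5-host day
```

In the sample, the static rule reports only bob running the known-bad binary, while the behavior-based detector reports alice’s fan-out to five hosts on day06 with no signature at all; in practice the two are complementary, with the baseline approach covering the gap left when the attacker’s tooling is unknown or renamed.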