For too long, the idea of security in digital systems has been accompanied by another idea: secrecy.
To have true security, some argue, the technology that provides it must be kept a secret, even from the customers who use it. Just trust us, they say — our software is constantly updated by the best developers out there. We’re monitoring for threats before anyone else knows they exist. And we patch them up before they ever create a problem for your systems. All you have to do is install our software and leave what happens on the inside of it to us.
Unfortunately, this black-box approach to security is, in an era of committed, well-resourced attackers who seek to do great harm, a huge vulnerability in itself. By closing off their code from the community, these security firms themselves become targets for hackers. One undetected attack on security software can end up exposing thousands of customers to vulnerabilities and intrusions, making untold quantities of sensitive data available to malicious actors. Whether they are after financial information, trade secrets, blackmail material, or diplomatic scandals, breaking open one black box means attackers can gain the keys to the kingdom.
The new security paradigm
In recent years, we’ve seen all kinds of data thefts plastered over the homepages of news sites. In each case, somewhere along the way, a breakdown in security is what ultimately allowed the attackers access to data. And in each case the victims of these vulnerabilities were ultimately sitting in a black box, in the dark, unaware of the shape of the threat or how, and whether, their security software could handle it.
It’s time for a new paradigm in the world of cybersecurity. No one approach or one team of developers will ever have all the answers or be able to stop every intrusion. But by keeping their efforts obscured in the black box, these firms do two things: first, they hold their customers hostage, without allowing them the kind of verification and auditing available everywhere else in their systems. Second, they perpetuate escalations with the very attackers they are trying to stop, incentivizing them to break the newest patch, the newest release, in the hopes of discovering a vulnerability they can exploit or sell to the highest bidder.
There is a better way to keep systems secure.
Rather than closed systems that show no signs of abating the ever-increasing cycle of vulnerability, intrusion, patch, and repeat, we propose a model of Open Security — one in which security software is developed out in the open, where anyone can see what features are working to keep users secure, and what code can be enhanced to protect against emergent threats.
Our company, Elastic, has a proud heritage of open, community collaboration. It’s why our solutions are what they are today — used by the biggest organizations around the world, on their most critical systems. It’s time to bring that spirit to Elastic Security. Security is too critical, in a world where hostilities seemingly only increase, to be left to black boxes.
Open Security in action
So what does Open Security look like, and mean? The definitions of course should be agreed upon by those who collaborate in this endeavor, but first and foremost it does mean just that: collaboration. It means security vendors do their work out in the open, share code, detection rules, and artifacts to further understanding of how to truly protect systems from intrusions and exploits. It’s a joint effort to improve security software so that all may benefit, no matter which product or solution is in their stack.
Cyber attacks and cyber warfare are increasingly part of the global landscape, from the conflict in Ukraine to corporate espionage that increasingly takes place across time zones and continents. They aren’t going away. But they can be mitigated and defended much more effectively.
Some would argue that this kind of openness is incompatible with true security — that public information about how a system works will only lead to that system being weaker. But nothing could be further from the truth. Open Security ensures that customers are protected by the collective brainpower of everyone for whom security is an issue — everyone who has skin in the game. And those who seek to protect still far outnumber those who seek to exploit and disrupt.
Security through obscurity doesn’t work — obscurity is just another vulnerability, another weak point for hackers to pound on or social engineer to access. True security is like a shield in battle, hardened, not weakened, by understanding and addressing all the ways in which attackers have tried and failed to destroy it.
There will always, of course, be some proprietary information around customers’ security needs and configurations that will be unique, and non-public. This effort isn’t about goading attackers into breaking in — it’s about sharing the common code and techniques that keep systems safe. Along with providing the tools and knowledge to help customers configure security for their particular use cases and threat profiles.
Security through transparency and community
The culture of secrecy that current security practices are rooted in is only good for those who want to safeguard their control over others. From science to technology to democracy, openness and transparency are fundamental values that ensure we can continue to build on the work of those who came before us, to the benefit of all. Security is too important to be left in the hands of those who would say, “trust us” even as their approaches have atrophied and failed, time and time again.
The shift to Open Security won’t take place overnight. What will help power and transition that change is pressure from customers on their vendors, along with a robust security research community, including those who work in black-box systems who believe there is a better way.
Our Open Security effort at Elastic is just beginning, but open source development is part of our heritage and remains in our DNA. We look forward to collaborating with our customers and competitors on being the change we want to see, and enabling a better, more open security for all who need it.