Organisations need alternative data protection as security models fail
Organisations' security models are failing - so could it be time to adopt an intelligence-led approach to data protection and fighting cyber crime?
- Companies still spending security budget on perimeter defence
- Need for damage-limitation data protection security strategy
- Complexity and consumerisation throw up security challenges
- Intelligence-led security could augment traditional measures
- Intelligence-sharing defends against diversionary tactics
- Identifying anomalous behaviour and attackers' weak spots
- Growing demand for skilled information security professionals
- Data protection must mature beyond static controls and compliance
- Cloud lends flexibility, scalability and collaboration for rapid response
Current business security models fail to prepare for cyber threats in the face of highly sophisticated, powerful cyber attack tools that are no longer the preserve of nation states, as they filter down to a wider community of attackers.
For the first time, hackers are conducting military-grade cyber attacks on less well-resourced commercial enterprises in pursuit of data assets. Cyber criminals are using these weaker targets as an attack vector against better-defended organisations higher up the supply chain.
Researchers report that cyber attackers are adapting to new technologies and communication channels to collaborate on new tools and tactics that bypass traditional defences.
Besides this increased capability of a wider group of malicious actors, corporate IT is going through a massive transformation as it grows bigger and more complex than ever before.
Companies still spending security budget on perimeter defence
The need to move beyond the traditional perimeter-based defence model was a common theme running through keynote and track sessions at RSA Conference Europe 2012.
Kicking off the conference, Art Coviello, executive chairman of RSA, said that, as Einstein observed: "Insanity is doing the same thing over and over again and expecting a different outcome." Yet that is what many companies are doing with their data protection security strategy, he said.
Research commissioned by RSA showed many companies still spend 80% of the IT security budget on prevention, and only 15% on detection and 5% on response.
“In an age of openness, where breaches are to be expected, the balance must shift,” said Coviello, explaining that organisations need the capability to detect and respond to threats quickly enough to limit the harm.
Need for damage-limitation data protection security strategy
In the light of the macro security trends, a growing number of organisations are beginning to recognise cyber criminals are switching tactics and they need to change their data protection security strategy, said Tom Heiser, president of RSA.
“They are also recognising that they need to accept that attackers are already in their networks and that is a fact of life,” Heiser told delegates at RSA Conference Europe 2012.
But this is not the same as accepting that damage will occur, said Heiser. That is why a new model is required, so that organisations are able to respond faster to avoid, or limit, loss and damage.
The goal is to reduce the amount of time attackers can move freely in the network to reduce the window of opportunity to steal information and cause damage, said Coviello.
Complexity and consumerisation throw up security challenges
Complexity is increasing with the introduction of new technologies and consumer-style devices and services under bring-your-own-device (BYOD) schemes. This means the IT department is in danger of losing control, said Francis deSouza, group president of enterprise products and services at Symantec.
Businesses are failing to address the security risks of consumerisation, a problem compounded by hackers' adoption of multi-flank attacks.
Defence alone is no longer enough for data protection if organisations are to deal with multi-flank attacks, in which several apparently independent attacks are used in concert by a single attacker, said deSouza.
In the past, IT security professionals looked at individual elements, said deSouza, but now there is a need to understand how attack campaigns are constructed and to be able to pull all the elements together.
Intelligence-led security could augment traditional measures
So if traditional security models are failing, what is the alternative?
Across the security suppliers represented at RSA Conference Europe 2012, intelligence-led security was the single, most common theme.
RSA believes successful data protection requires a new security strategy that uses multiple sources of internal and external information.
This information, delivered to analytical engines that enable information-sharing, is at the heart of a new model of intelligence-led security that is risk-based, agile and contextual.
Last year, Eugene Kaspersky, chief executive and co-founder of Kaspersky Lab, said IT security industry collaboration could eliminate 90% of malware.
Intelligence-sharing defends against diversionary tactics
Symantec’s deSouza said pulling in information from a wide range of detection systems allows organisations to identify multi-flank or multi-element attack campaigns.
Only by integrating and correlating security intelligence can organisations avoid being tricked into focusing on traditional attacks such as distributed denial-of-service (DDoS) attacks while something far more serious is going on, said deSouza.
“It is not uncommon nowadays for attackers to launch DDoS attacks as a diversion at the same time as they are breaching databases to copy credit and debit card information,” said deSouza.
Attackers rely on the fact that, in many organisations, information is not shared between different security silos, but hackers are very good at sharing information.
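The cross-silo correlation deSouza describes can be illustrated with a small detector, added here as an example and not code from Symantec, RSA or any product mentioned above. It reads alerts from three assumed, separately run systems (a DDoS mitigation service, a database audit log and a data-loss-prevention tool), each of which would rate its own event as routine or medium priority, and flags a campaign only when a volumetric flood coincides, within a time window, with data-theft indicators from another silo. The log format, source names, field names and the sample alerts are all constructed for this example.

```python
"""Correlate alerts from separate security silos to spot a diversionary
campaign: a DDoS that coincides with signs of data theft elsewhere."""
from datetime import datetime, timedelta

# Constructed sample alerts (not real logs). Format is assumed:
#   TIMESTAMP SOURCE key=value key=value ...
# Three silos: network DDoS mitigation, database audit, and DLP.
SAMPLE_ALERTS = [
    "2012-10-08T22:40:00 ddos-mitigation severity=high event=volumetric_flood target=api",
    "2012-10-09T09:15:00 db-audit severity=low event=bulk_select table=orders rows=1200 user=report_svc",
    "2012-10-09T14:02:10 ddos-mitigation severity=high event=volumetric_flood target=www",
    "2012-10-09T14:03:41 db-audit severity=medium event=bulk_select table=card_numbers rows=250000 user=app_svc",
    "2012-10-09T14:05:02 dlp severity=high event=outbound_transfer dest=203.0.113.7 bytes=91000000",
]

# Per-silo events that look routine on their own but indicate theft when
# they coincide with a diversion. Names are assumed for this example.
THEFT_INDICATORS = {
    "db-audit": {"bulk_select"},
    "dlp": {"outbound_transfer"},
}
DIVERSION_INDICATORS = {"ddos-mitigation": {"volumetric_flood"}}


def parse_alert(line):
    """Parse one 'TIMESTAMP SOURCE key=value ...' line into a dict."""
    ts, source, *kv = line.split()
    alert = {"ts": datetime.fromisoformat(ts), "source": source}
    for pair in kv:
        key, _, value = pair.partition("=")
        alert[key] = value
    return alert


def correlate(lines, window=timedelta(minutes=30)):
    """Return one campaign per diversion alert that has theft indicators
    from a *different* silo within +/- window of it. A DDoS with nothing
    else around it is left to the network team and not escalated."""
    alerts = sorted((parse_alert(line) for line in lines), key=lambda a: a["ts"])
    campaigns = []
    for anchor in alerts:
        if anchor["event"] not in DIVERSION_INDICATORS.get(anchor["source"], ()):
            continue
        related = [
            a for a in alerts
            if a["source"] != anchor["source"]
            and a["event"] in THEFT_INDICATORS.get(a["source"], ())
            and abs(a["ts"] - anchor["ts"]) <= window
        ]
        if related:
            campaigns.append({"anchor": anchor, "related": related})
    return campaigns


def summarise(campaign):
    """One-line triage summary for an analyst."""
    silos = sorted({a["source"] for a in campaign["related"]})
    anchor = campaign["anchor"]
    return (f"{anchor['ts'].isoformat()} possible diversion: {anchor['event']} "
            f"on {anchor['target']} with {len(campaign['related'])} theft "
            f"indicator(s) from {', '.join(silos)}")


if __name__ == "__main__":
    for campaign in correlate(SAMPLE_ALERTS):
        print(summarise(campaign))
```

Run on the sample, only the 14:02 flood is escalated, because the 250,000-row select and the outbound transfer fall minutes after it; the earlier flood on its own and the small report-service query hours away stay as low-priority events in their own silos. In practice the window and the indicator lists would be tuned per environment and weighted by table sensitivity, but the design point stands: the signal exists only once the silos are read together.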
Identifying anomalous behaviour and attackers' weak spots
The only way defenders are going to get ahead of attackers is to be able to understand their methods, identify potential attacks and disrupt the overall campaign.
According to deSouza, security intelligence is essential if organisations are to identify and block attacks, using knowledge of a campaign’s weak spots to shut it down and so prevent or limit the damage.
RSA’s Tom Heiser said an intelligence-based model of security enables organisations to identify anomalous and potentially malicious behaviours, which means controls are able to adapt to changes in the threat landscape.
But is this not just another way of selling more technology?
Growing demand for skilled information security professionals
According to RSA’s Coviello, it is not just about technology. “We also need the right IT security skills to translate intelligence into action,” he said.
After budget constraints, Coviello said, organisations are facing a serious shortage of IT security skills. Analysts estimate the number of information security professionals will need to more than double from 2010 levels by 2015, but it is not clear how that demand for technical security skills will be met.
It is also about educating boards and the media about the real nature of the challenges and adversaries information security professionals face.
Few people outside the law enforcement and information security research communities have a proper understanding of the true depth of the problem, said Coviello. They are seeing only the tip of the iceberg, because most organisations being hit do not want to tell anyone about it.
There is a serious gap between perception and reality, he said, mainly because there is a lack of effective ways to share information.
Data protection must mature beyond static controls and compliance
Coviello said there is a lot of work to be done in improving the maturity of information security in organisations. Many are still stuck in an elementary approach that focuses on static controls, or a compliance-based security approach that is all about ticking boxes rather than protecting data.
“Organisations should be aiming to move to more mature approaches that are based on IT risk and ultimately on business risk,” said Coviello.
The most mature approaches to IT security see an opportunity to change business models based on technologies such as cloud and moving security in tandem with those changes, he said.
Cloud lends flexibility, scalability and collaboration for rapid response
Intelligence-led security, said Coviello, is about combining all the data about what is going on in a network to provide actionable information in near real-time. “It is about starting with risk, and finding out where potential compromises exist, which turns the traditional model on its head,” he said.
The problem with many existing and traditional security systems, said Philippe Courtot, chairman and CEO of Qualys, is that they do not scale. Organisations need to find new, more flexible approaches.
"Scale is probably only something the cloud itself can solve," he said. Organisations should be looking to build new cloud-based security intelligence platforms to deliver real-time threat analysis, mitigation and compliance with security policies.
"Real-time big data is a key element of tomorrow's security, because once an organisation has created one platform, it can be cloned easily and used globally," said Courtot.
Putting this all in perspective, security author and journalist Misha Glenny said UK targeted attacks have gone from four a year to 500 a day in just two years.
“But it is not just big corporations that are being targeted, attackers are going after everyone in the supply chain,” said Glenny, supporting the idea that all organisations probably need to rethink their security strategies if they have not done so already.