ATP: Don't Give Up On Prevention

When it comes to information security and the challenge of advanced persistent threats (APTs), I can't help but think of Benjamin Franklin's famous adage: "An ounce of prevention is worth a pound of cure."

Sounds like sage advice. However, so many organizations today complicate matters by adding more and more tools to their security arsenals on top of multiple entry points to company data, including the cloud, on-premises systems, and mobile devices. I recently met a CISO with 80 tools from 35 vendors, and that's not uncommon.

But all these tools hinder CISOs' ability to cure what ails their security infrastructures. They use antivirus software to weed out malware, firewalls to keep the bad guys out, and lots of other solutions in other parts of the enterprise, but none of these systems communicate with each other in an intelligible, integrated way throughout an entire hybrid IT environment.

You might think that more and more investments in new security advances and defensive technologies would reduce the threats. But because so many lack real integration, they've had the opposite effect. Meanwhile, attackers adopt new tactics. And every new attack technique has produced a new response that narrow-point products miss. In an age of complex, clever, and continuous APTs, we see more breaches and dwindling organizational trust.

[Smart security companies are cooperating, not competing, with each other. Read Better Together: Why Cyber Security Vendors Are Teaming Up.]

In a Ponemon Institute study conducted in 2014, "The Economic Consequences of an APT Attack," the majority of companies surveyed said targeted attacks are the greatest threat, costing them on average $9.4 million in brand equity alone. And the costs of those breaches continue to rise, especially as enterprises move more data to cloud and hybrid cloud infrastructures. According to Ponemon's "2014 Cost of Data Breach Study," the organizational cost of data breaches has increased from $5.4 million to $5.9 million.

There are four essential truths when it comes to real threat protection:

1. Prevention is mandatory
Prevention hasn't worked, because the primary tools in use -- firewalls and antivirus -- have relied on more reactive, signature-based approaches. Makers of these tools saw hackers go around them and declared "AV is dead," to no one's real surprise.

Security experts, including IBM, recognized this development three years ago and worked on a new class of prevention technologies. These are based on behavioral engines, crowdsourced threat intelligence, and new in-line blocking methods. When put into an enterprise, they actually work. When combined with new security intelligence detection, they become even more effective.

For example, a major healthcare provider recently incorporated a behavior-based approach to protect sensitive patient data. It detected more than 100 high-risk infections, despite the presence of traditional tools including an antivirus solution and a next-generation firewall. The organization can mitigate these infections with minimal operational impact, and it now has access to event analysis and solution tuning.

2. Security intelligence is the underpinning
Data is at the core of security. It's also the primary target of cyber criminals, and big data analytics is foundational to solving the next generation of tough information security problems.

For example, a large petroleum company sees 25 attempted data breaches in one day. Stopping those breaches is based on data -- anomalies, irregular behavior of applications, and other nuances. The shelf life of the data is extended by using those breach attempts to learn more about the potential attackers.

The good news is, thanks to analytics, organizations are now able to sift through massive amounts of data -- both inside and outside the enterprise -- to uncover hidden relationships, detect attack patterns, stamp out security threats, and set priorities for remediation. Security intelligence requires an all-inclusive system that goes beyond traditional logging to ingesting vast amounts of data and applying behavioral analytics to actually determine when a breach might, or did, occur.

3. Integration enables protection
Securing an enterprise has always been about securing its people, data, applications, and infrastructure -- in the cloud or on-premises. The issue is that over time enterprises have adopted dozens of point products to secure each of these domains. CISOs need a way to govern the control of data and access to its systems amidst the thousands of access points and requests coming online every day. Security intelligence helps by offering an analytics dashboard across these disparate security domains and myriad security tools. That's a first step in integration.

But the real hard work of integration happens when all of your security capabilities can work in unison to stop an attack. For example, abnormal behavior of a privileged user triggers an alert that allows you to block a network segment. Or the appearance of malware on a mobile device causes you to stop the authentication of a customer. Or detection of a vulnerability in an application causes you to block its exploitation on the network. These are examples of integration that close the space between security domains and block hackers from squeezing through an enterprise's security cracks.

For true integration-enabled protection, it's not enough to have technology and solutions in parts of your infrastructure. Technologies must seamlessly integrate with processes and people to achieve protection.

4. Openness must be embraced
Organizations need the ability to share context and invoke actions across numerous new and existing security investments. Many of these investments include mobile and cloud capabilities. According to IBM's 2013 CISO survey, 70% of security executives expressed concern about cloud and mobile security. Enterprises require the same level of security in the cloud as they have come to expect with traditional IT environments.

It may seem counterintuitive, but cloud and mobile actually improve security.

As organizations embrace new technologies -- today it's cloud, social, and mobile, but tomorrow will bring new innovations -- it's easier to build in security from the start where you can control and make changes to applications, permissions, and authentication processes in real time.

By recognizing these four truths:

In a nutshell, when it comes to security, it's not so much about "an ounce of prevention." Rather, it's about looking at security as an immune system that can get stronger and stronger with sophisticated, predictive analytics, deliver an organization-wide view of risk, and embrace mobile and cloud without sacrificing innovation.

Apply now for the 2015 InformationWeek Elite 100, which recognizes the most innovative users of technology to advance a company's business goals. Winners will be recognized at the InformationWeek Conference, April 27-28, 2015, at the Mandalay Bay in Las Vegas. Application period ends Jan. 16, 2015.