ATP: Don't Give Up On Prevention - InformationWeek

Commentary | 11/13/2014 01:30 PM

As businesses rely on more complex systems with more tools from different vendors, traditional security measures are becoming increasingly inadequate.

When it comes to information security and the challenge of advanced persistent threats (APTs), I can't help but think of Benjamin Franklin's famous adage: "An ounce of prevention is worth a pound of cure."

Sounds like sage advice. However, so many organizations today complicate matters by adding more and more tools to their security arsenals on top of multiple entry points to company data, including the cloud, on-premises systems, and mobile devices. I recently met a CISO with 80 tools from 35 vendors, and that's not uncommon.

But all these tools hinder CISOs' ability to cure what ails their security infrastructures. They use antivirus software to weed out malware, firewalls to keep the bad guys out, and lots of other solutions in other parts of the enterprise, but none of these systems communicate with each other in an intelligible, integrated way throughout an entire hybrid IT environment.

You might think that more and more investments in new security advances and defensive technologies would reduce the threats. But because so many lack real integration, they've had the opposite effect. Meanwhile, attackers adopt new tactics. And every new attack technique has produced a new response that narrow-point products miss. In an age of complex, clever, and continuous APTs, we see more breaches and dwindling organizational trust.

In a Ponemon Institute study conducted in 2014, "The Economic Consequences of an APT Attack," the majority of companies surveyed said targeted attacks are the greatest threat, costing them on average $9.4 million in brand equity alone. And the costs of those breaches continue to rise, especially as enterprises move more data to cloud and hybrid cloud infrastructures. According to Ponemon's "2014 Cost of Data Breach Study," the organizational cost of data breaches has increased from $5.4 million to $5.9 million.

There are four essential truths when it comes to real threat protection:

1. Prevention is mandatory
Prevention hasn't worked, because the primary tools in use -- firewalls and antivirus -- have relied on more reactive, signature-based approaches. Makers of these tools saw hackers go around them and declared "AV is dead," to no one's real surprise.

Security experts, including IBM, recognized this development three years ago and worked on a new class of prevention technologies. These are based on behavioral engines, crowdsourced threat intelligence, and new in-line blocking methods. When put into an enterprise, they actually work. When combined with new security intelligence detection, they become even more effective.

For example, a major healthcare provider recently incorporated a behavior-based approach to protect sensitive patient data. It detected more than 100 high-risk infections, despite the presence of traditional tools including an antivirus solution and a next-generation firewall. The organization can mitigate these infections with minimal operational impact, and it now has access to event analysis and solution tuning.

2. Security intelligence is the underpinning
Data is at the core of security. It's also the primary target of cyber criminals, and big data analytics is foundational to solving the next generation of tough information security problems.

For example, a large petroleum company sees 25 attempted data breaches in one day. Stopping those breaches is based on data -- anomalies, irregular behavior of applications, and other nuances. The shelf life of the data is extended by using those breach attempts to learn more about the potential attackers.

The good news is, thanks to analytics, organizations are now able to sift through massive amounts of data -- both inside and outside the enterprise -- to uncover hidden relationships, detect attack patterns, stamp out security threats, and set priorities for remediation. Security intelligence requires an all-inclusive system that goes beyond traditional logging to ingesting vast amounts of data and applying behavioral analytics to actually determine when a breach might, or did, occur.

3. Integration enables protection
Securing an enterprise has always been about securing its people, data, applications, and infrastructure -- in the cloud or on-premises. The issue is that over time enterprises have adopted dozens of point products to secure each of these domains. CISOs need a way to govern the control of data and access to its systems amidst the thousands of access points and requests coming online every day. Security intelligence helps by offering an analytics dashboard across these disparate security domains and myriad security tools. That's a first step in integration.

But the real hard work of integration happens when all of your security capabilities can work in unison to stop an attack. For example, abnormal behavior of a privileged user triggers an alert that allows you to block a network segment. Or the appearance of malware on a mobile device causes you to stop the authentication of a customer. Or detection of a vulnerability in an application causes you to block its exploitation on the network. These are examples of integration that close the space between security domains and block hackers from squeezing through an enterprise's security cracks.

For true integration-enabled protection, it's not enough to have technology and solutions in parts of your infrastructure. Technologies must seamlessly integrate with processes and people to achieve protection.
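As an added illustration of the cross-domain integration described above (example code written for this edit, not IBM's or the author's), the following Python sketch builds a per-user baseline from historical events, flags a privileged user acting from a never-seen host outside their usual hours, and has that identity-domain alert invoke a network-domain block. All users, hosts, segments and events are constructed.

```python
# Added example, not from the article: identity-domain anomaly invokes a
# network-domain action. All users, hosts, segments and events are constructed.
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Event:
    user: str
    host: str
    segment: str
    hour: int            # local hour of day, 0-23
    privileged: bool

def build_baseline(history):
    """Hosts and hours of day each user has been seen on historically."""
    base = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for e in history:
        base[e.user]["hosts"].add(e.host)
        base[e.user]["hours"].add(e.hour)
    return base

def is_anomalous(event, baseline):
    """Privileged user on a never-seen host, outside their usual hours."""
    b = baseline.get(event.user)
    if b is None or not event.privileged:
        return False
    return event.host not in b["hosts"] and event.hour not in b["hours"]

class Integrator:
    # Routes an alert from one security domain to a control in another.
    def __init__(self, baseline):
        self.baseline = baseline
        self.blocked_segments = set()   # stand-in for a real network control

    def handle(self, event):
        if is_anomalous(event, self.baseline):
            self.blocked_segments.add(event.segment)
            return "blocked"
        return "allowed"

# Constructed history: admin1 normally works from jump01 during office hours.
HISTORY = [Event("admin1", "jump01", "mgmt", h, True) for h in range(8, 18)]
LIVE = [
    Event("admin1", "jump01", "mgmt", 10, True),        # known host, usual hour
    Event("admin1", "lab-pc-7", "dmz-east", 3, True),   # new host at 3 AM
    Event("bob", "lab-pc-7", "dmz-east", 3, False),     # same host, not privileged
]

def run_demo():
    integ = Integrator(build_baseline(HISTORY))
    return [integ.handle(e) for e in LIVE], sorted(integ.blocked_segments)
```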

4. Openness must be embraced
Organizations need the ability to share context and invoke actions across numerous new and existing security investments. Many of these investments include mobile and cloud capabilities. According to IBM's 2013 CISO survey, 70% of security executives expressed concern about cloud and mobile security. Enterprises require the same level of security in the cloud as they have come to expect with traditional IT environments.

It may seem counterintuitive, but cloud and mobile actually improve security.

As organizations embrace new technologies -- today it's cloud, social, and mobile, but tomorrow will bring new innovations -- it's easier to build in security from the start where you can control and make changes to applications, permissions, and authentication processes in real time.

By recognizing these four truths:

  • A bank can correlate real-time and historical account activity to spot abnormal user and application behavior, stop suspicious transactions, and uncover fraud.
  • A global energy provider can analyze 1 million events per second -- more than 85 billion events per day -- to make sure its operations are secure and meet compliance requirements.
  • An international apparel company can use security intelligence to discover an insider stealing critical product designs.

In a nutshell, when it comes to security, it's not so much about "an ounce of prevention." Rather, it's about looking at security as an immune system that can get stronger and stronger with sophisticated, predictive analytics, deliver an organization-wide view of risk, and embrace mobile and cloud without sacrificing innovation.

Marc van Zadelhoff, IBM Security's Vice President of Worldwide Strategy and Product Management, has nearly 20 years of experience in strategy, venture capital, business development and marketing in the IT and security space. Prior to IBM, Marc was a member of the executive ...

Comments
yalanand (User Rank: Ninja), 11/30/2014 | 7:00:10 AM, Re: Layered security
"@Dr. T: Most firms who are not related to software development do not care much about security, and they take whatever is given to them; it is only after being affected that they realize that the security measure they took was as old as the 1990s itself. Newer security measures, while costlier, give a thousand times better protection from an inside as well as outside breach."

@SunitaT: You are right, security measures are changing throughout and hackers are becoming more able. It is only necessary to make the most of freedom at the cost of tight security.
yalanand (User Rank: Ninja), 11/30/2014 | 6:57:14 AM, Re: Don't Give Up On Prevention
"@SunitaT0, yes that is possible but I suspect that attacking back is going to get you some attention from your ISP. I've had calls from mine a couple of times when we were doing PEN testing on our own networks. "We're seeing a lot of suspicious traffic coming from your network". The ISPs are good at knocking down their customers when they get chatty but they don't seem to have that same level of concern when the traffic is incoming."

@SaneIT: Thank you for clearing things out. The problem is that everything is trackable and unless you are a really good hacker, you can't hide from your network signatures all over the places you go.
SaneIT (User Rank: Ninja), 11/24/2014 | 7:40:53 AM, Re: Don't Give Up On Prevention
@SunitaT0, yes that is possible but I suspect that attacking back is going to get you some attention from your ISP. I've had calls from mine a couple of times when we were doing PEN testing on our own networks. "We're seeing a lot of suspicious traffic coming from your network". The ISPs are good at knocking down their customers when they get chatty but they don't seem to have that same level of concern when the traffic is incoming.
SunitaT0 (User Rank: Ninja), 11/23/2014 | 10:01:20 PM, Re: Don't Give Up On Prevention
@SaneIT: Maybe while somebody is trying to break through the layers of security in the cloud, the cloud analytic systems would read the breaching patterns and devise a strategy to attack the attacker while he's breaching. This can be done through flooding his network with spam so that he cannot get through to the cloud, and also the cloud analytic engines may be able to track from where the breach is occurring.
SunitaT0 (User Rank: Ninja), 11/23/2014 | 9:57:58 PM, Re: Layered security
@Dr. T: Most firms who are not related to software development do not care much about security, and they take whatever is given to them; it is only after being affected that they realize that the security measure they took was as old as the 1990s itself. Newer security measures, while costlier, give a thousand times better protection from an inside as well as outside breach.
SaneIT (User Rank: Ninja), 11/17/2014 | 8:02:58 AM, Re: Don't Give Up On Prevention
Layering is good and making yourself harder to attack than the guy down the road is a valid exercise, but it's not the same as hitting back. Actions against people attacking private corporations are few and far between, and in most cases it is incredibly hard to get enough information to hand over to law enforcement so that they can follow up. I would like to see something that could work at the ISP level, who become responsible for how their connections are being used. If it's a matter of a misconfigured or infected device then they offer help to the owner of that device. If it is obviously malicious intent then they cut them off and notify local authorities.
Dr.T (User Rank: Strategist), 11/14/2014 | 12:52:52 PM, Re: Don't Give Up On Prevention
"Some days I really wish we could hit back"

I hear you. Having layered security measures in place would be like hitting back. When the attackers realize that they will not be able to penetrate, it will be very disappointing for them; they will have to move to the next one.
Dr.T (User Rank: Strategist), 11/14/2014 | 12:49:59 PM, Re: Don't Give Up On Prevention
"risk management"

Good point. And the lack of it. We expect to avoid all these attacks, but most of us do not really do the homework of managing the risk. Without a risk management plan there is also tons of waste under the name of security.
Dr.T (User Rank: Strategist), 11/14/2014 | 12:47:27 PM, Layered security
I agree with the article. No one security measure will protect us from the attackers. We have to apply a layered approach. Even the most sophisticated prevention systems would not prevent everything unless you unplug your computer and do not connect anywhere. It has to be a layered security approach to minimize the risk of a breach.
SaneIT (User Rank: Ninja), 11/14/2014 | 7:21:32 AM, Re: Don't Give Up On Prevention
@zerox203, very valid points; while prevention is important it needs to start at a lower level and be a consistent theme. I've had days where I wished I could attack back. I've had former employees do dumb things, someone sitting in Russia constantly trying to log on to a service with a brute force attack, and, as every IT person has no doubt experienced, a current employee who is sharing passwords or always trying to get into things they do not have access to. In most cases our hands are tied and the only thing we can do is put up another wall. Some days I really wish we could hit back. I know that there are a number of individuals who crusade against the black hats but I would really love to see an organization large enough to shut down some bigger threats out there.