Predictive Security Intelligence Isn't Just Looking Ahead, It's Looking at Everything We Already Have to Effectively Identify Trends and Thwart Attacks Before They Occur...
As the CEO of a security company, I know I have a unique perspective when it comes to deciding how security budget decisions are made and where funds are allocated. Having been a security professional who has dedicated most of his professional career to making networks more secure and mitigating risk, I fully believe that companies don’t pay enough attention to security and that they are, in many cases, putting themselves at risk. However, when I look at the budget issue through the lens of my role as CEO, I can understand some of the hesitancy and trepidation they have when it comes to making a major investment in new technology.
Executives that have budgetary control in their organization are under tremendous pressure from all corners of the business. Every department can make a strong case for why they need additional funding for new initiatives, but at the end of the day, there are only so many budget dollars to go around and tough choices need to be made. This is where I believe the security industry has done itself a bit of a disservice.
Whether you lead a department or business unit or are the CEO of the company, it is far more costly to have to explain what went wrong than to allocate funds to ensure security processes are improved, mistakes are not duplicated and vulnerabilities are addressed. As an industry, the security market has spent way too much time explaining what went wrong and not nearly enough time talking about how we can be better prepared to avoid similar outcomes the next time around.
When overseeing risk in an organization, I want to know that the investments I’ve made in security are painting a holistic view of my company’s risk and providing the data needed to thwart future attacks. Multiple point products that don’t relate to one another or provide a clear picture of where I’m likely to be hit do not feel like money well spent to me.
This is where the concept of predictive security intelligence enters the equation. While not a new term, it represents a security utopia of sorts that all IT departments should be working towards. Over the past couple of years I’ve heard the term thrown around quite a bit but rarely accurately defined. For example, as the CEO of a company, if you came to me and said we need more funding to invest in a new security solution that would allow us to be more predictive, I would assume that you meant that this technology would allow us to predict:
• Where we are most likely to be hit next
• Which assets are most vulnerable and likely to be targeted
• What the early warning signs of an attack will look like
My expectation would also be that this new technology would bring together all of the security information accumulated by the various point products we already own to create a broad picture of our security environment. To me, predictive shouldn’t just be looking ahead, it is looking at everything we already have to effectively identify trends and thwart attacks before they occur. In this case, I would feel that I was getting a solid return on my investment.
Why is it so important now to be so predictive? Ten years ago, Internet worms, e-mail spam and opportunistic hacks were the biggest threats to a corporate network. In response, a stateful inspection firewall, desktop antivirus software, and spam filtering were reasonably expected to keep your corporate network protected. But pick up any newspaper on any given day and it’s easy to see that times have changed significantly.
Today, attacks against your organization are much more likely to be targeted, stealthy and slow moving. Starting with an initial compromise through targeted e-mail or Web attacks, sophisticated attackers move laterally and quietly within your organization, oftentimes for years before you even detect them. They are exploiting employees’ access permissions, misconfigured servers and weakly protected assets to obtain sensitive data, including customer information, financial records and intellectual property. They are the enemy you don’t know and are the most dangerous.
Unfortunately, many organizations that are the targets of sophisticated attacks are fighting an inefficient war when it comes to their IT security investments. They continue to focus on what I refer to as “intelligence after the fact,” rather than applying their focus and investments to thwarting attacks before they happen. In security, as in life, it’s important to learn from the past, but if you’re not applying what you learned towards preventing future breaches, history will repeat itself.
The greatest risk to any organization in the face of modern threats is complacency. It’s no longer acceptable to merely react to incidents and threats. Just enough just isn’t enough anymore. Instead, your organization has to go on the offensive: pre-empting attacks rather than waiting to deal with their aftermath. By applying the principles of security intelligence, your company can better utilize its current and future security investments to identify the likely subjects of attacks. Clearly outlining how much a potential breach can cost often makes the security line item on a budget a little more reasonable, and a lot more important.