Panel: “Security is not a ‘Thing’ – it’s a Goal that Requires a Layered Approach”

Security is not a “thing” – it’s a goal and a business enabler that, to be done well, requires a layered approach based on an understanding of risk and an organization’s IT environment.

This was one of the main takeaways from an Oct. 6 panel discussion on cyber-security hosted by Kaspersky Lab in New York, where security experts laid out the challenges facing businesses and governments as attackers continue to evolve. One of those challenges is a basic level of situational awareness – something many IT shops don’t have, said Steve Adegbite, director of cyber innovations at Lockheed Martin. For example, organizations need to be able to identify if an employee is logging in at an unusual hour, or from a suspicious location.

“We have to advance technology, but we have to layer the people, process and what we call looking at the sequence of events,” he said. “There are key events that every attacker needs to go through in order to be successful. If you can layer your defenses along with your advance technology on that and basically disrupt the key events that they have to go through, you can find a lot of attacks, and that’s what we’re seeing inside our environment.”

Adegbite was joined on the panel by Gartner analyst Peter Firstbrook, Cigital Chief Technology Officer Gary McGraw, and Eugene Kaspersky, CEO of Kaspersky Lab. Though security has traditionally been layered on afterwards, security professionals are now realizing they can be a business enabler, Adegbite said, and at Lockheed, security pros are being brought in earlier as the company starts building products.

Still, while discussing Stuxnet, McGraw noted that security is still viewed by many as a “thing.”

“We all know that security is a property, and not a thing,” he said. “It’s a goal and a process.”

While the industry is improving is some respects, the government is way behind – making their role in battling cyber-threats problematic.

“If we rely on the government to regulate this stuff, we’re first going to have to teach them what that means, because they frankly just don’t know,” he said.

Kaspersky said stronger regulation has a role to play in improving security, though it still needs to be in conjunction with improvements in technology. “(The) good news is that governments already understand that,” he said. “Finally, after the Estonia incident, Stuxnet, other incidents related to security, governments…want to do something. But they don’t know what to do.”

But if statistics on malware infections are any indications, businesses do not know what to do either much of the time.

“I am from an IT security company,” Kaspersky said. “I must think about threats. If you are from business or government, you better think about risk. But our job is to explain your threats to let you manage the risk.”

If businesses develop a myopic focus on threats as opposed to risk, it can actually make security efforts less efficient, Adegbite said.

“You’re not going to stop a hundred percent of the threats or the attacks,” he said. “But you need to stop the ones that are going to critically impact the percentage (of assets) that you need to do your business.”