Security Experts:

The Pendulum Swings From Reactive To Proactive Security

There is a shift going on in the security business. It’s been a slow-moving wave for a while now – a shift from reactive to proactive. In the long view, you can see that the pendulum has swung back and forth a few times.

The firewall was perhaps the first proactive security technology – don’t just assess the damage after an attack; put something inline that can block unwanted traffic to prevent at least some incidents. This was effective enough in its day. In recent years, most attention has been on the other side – sensors, IDS/IPS, log management, and SIEM. All these technologies assume your defenses will be breached and that you therefore need to spend effort to gather data on how and why you lost. This is quite sensible stuff, and has consumed attention for several years now – long enough for mainstream market adopters to buy, deploy, watch, and learn from this technology.

What did we learn? Several points. One is that extracting insight from raw sensor data is hard – we want to see deviations from “normal”, but we really have no clue what normal is. Good effort is being spent on this area now, but it’s a bit late. We’ve learned the hard way that a mountain of data needs a crew of skilled mountaineers – the data doesn’t just analyze itself and offer up cogent summaries of actionable insights. Worse, we started looking for our Data Scientists at the same time as everyone else – the rest of the commercial world recently decided these hitherto underappreciated pick-axe wielders in the data mines warrant C-level titles and paychecks to match. It’s a good time to be a statistician, as big data mania hoovers up those with the right skills, in a process akin to the way the early Web hoovered up those well versed in library science.

Proactive Security

The second problem is that sensor analysis, properly applied to every barn door, tells you only that the horse already bolted, or at best, you get to see the horse thief waving to you on the way in and out. Knowing they got in and did something or stole something is of some use, but wouldn’t you rather know in advance that the door was left open? Don’t get me wrong – I do believe in the necessity of awareness. The trick about awareness is to appreciate that it’s not just about the bad guys; you need to be aware of your own situation too. When I worked as a statistician, we referred to “nowcasting” – something you need when it’s so expensive to measure a real world quantity (GDP, for example) that you have to rummage through other more tangible things to estimate what you really want to know. As Niels Bohr said, “prediction is very difficult, especially about the future” – to a statistician, this isn’t very funny. (Best not to confuse this process of nowcasting with the audition website “nowCasting.com”!) Security faces a comparable challenge – yes, we need to understand forensically how we got attacked in the past, but it’d be better to achieve nowcasting, to know our current situation, and better yet to get to forecasting – an ability to head off attacks before they even start. This is the spectrum along which the pendulum swings over the years.

Within security we have names for past, present and future work – forensic analysis, incident response, and risk management. My observation is that recent investments in the first two, while worthwhile, have crossed the point of diminishing returns. For forensics, it’s proven beneficial to increase our stockpile of sensor data, and we’re hoping to get better at going through it all, but it’s highly labor-intensive in a field with negative unemployment. (I see the shortage of experienced talent as a concern in every organization I visit – public or private, well-funded or not.) Labor-intensive technologies have limits, when time and attention span are the most precious commodities.

We need more automation, but for present-tense incident response, the science of big data nowcasting is in its infancy. Optimists may hope that regular big data methods will work for security, but I see fundamental reasons to be skeptical. Sales and marketing analysis of big data is all about the hunt for trends and similarities, while security is all about anomaly and difference. It takes completely new approaches, and I believe we will find them, but from what I’ve seen, we are many years and several inventions away from it now.

So where can we turn for more automation, more leverage? The good news is that risk management is more tractable, here and now. Increasingly, I see organizations shifting to balance reactive investments with a renewed focus on prediction and prevention. Of course, I would say that, given that I spend my time on one major flavor of predictive attack prevention and risk management. However, I’m hardly alone in this busy arena and my competitors agree – we are seeing a rising tide of interest in predictive risk management. We’ve been talking about incident prevention or risk management for years, but comparatively recently, it’s taken off. One of the questions I’ve been asked is “why now?”

The topic isn’t new, of course – risk management has origins in the high-risk, high-reward business of cargo shipping. Financial techniques were well developed in Ancient Rome, and possibly extend back into prehistory. For a fun sidebar on that point, check out the Uluburun shipwreck. That particular discovery (found in 1982) rewrote the history books – as far back as the late Bronze Age, you had ships loaded with artifacts from as many as 10 different cultures, in what can even be interpreted as a kind of economic diversification! These problems and solutions are older than we might think. Returning to our age, even in IT security, there has been a lot of talk around risk management for the last decade or so. Why is this talk suddenly turning into action?

I see a convergence of three major forces. First, there’s board-level pressure to integrate security as another responsible, professional business process. Too much fire-fighting and reflexive spending just makes us look like we don’t know what we’re doing; the business is running out of patience. Second, the investments in event and information management haven’t failed exactly, but they do seem to have “hit the wall” (or “the bonk”, as they tell me the cyclists call it). Value has been extracted, but it’s taken a lot of sweat; more value appears to be possible, but as strictly human effort. It looks daunting. And then there’s factor three – the drumbeat of reporting on successful breaches. In a world where business leaders could interpret quiet as “there really isn’t that much of a problem”, it made sense to just buy sensors. (How often are we getting hit? How often is data leaving?) But it’s increasingly clear that we’re all targets, and we’re easy to breach, so it’s the right time to shift focus to prevention – to risk management.

Dr. Mike Lloyd is Chief Technology Officer at RedSeal Networks. He has more than 25 years of experience in the modeling and control of fast-moving, complex systems. He has been granted 20 patents on security, network assessment, and dynamic network control. Before joining RedSeal, Dr. Lloyd was CTO at RouteScience Technologies (acquired by Avaya), where he pioneered self-optimizing networks. Lloyd was previously principal architect at Cisco on the technology used to overlay MPLS VPN services across service provider backbones. He joined Cisco through the acquisition of Netsys Technologies. He holds a degree in mathematics from Trinity College, Dublin, Ireland, and a PhD in stochastic epidemic modeling from Heriot-Watt University, Edinburgh, Scotland.