More than 20,000 people have joined us in San Francisco this week for the annual RSA Conference, where I outlined how outdated approaches to security must adapt to keep up with new technology and evolving adversarial tactics.
At RSA, we see intelligence-driven security systems as having three distinct properties:
First, the system must be risk-based
Fundamentally, risk is a function of three components: how vulnerable you are to attack; how likely you are to be targeted; and the value of what’s at stake. In a world of advanced threats, we must evaluate risk not just from the inside out, but the outside in as well.
“Know your enemy” advised the ancient Chinese general Sun Tzu, who also gave us this valuable nugget of advice: “When the trees move, the enemy is advancing.” 2,500 years later, that wisdom still holds true.
Knowing your enemy means that you must marry, more than ever before, a broader and deeper understanding of your material assets and internal environment with a wide range of external intelligence sources — both to recognize the full extent of your attack surface, and to expose the adversaries’ tactics early in their advance when we hear those faint signals or see those trees moving in our infrastructure.
In looking at your organization from the point of view of your attackers, you are more likely to spot critical vulnerabilities and be able to focus your risk mitigation efforts.
And remember, managing risk needs to be a dynamic and iterative process as facts and circumstances change, especially in the face of the consumerization of IT, mobile access devices, and the cloud.
Second, an intelligence-driven security system must be agile
Existing approaches to managing security operations lack the situational awareness, deep visibility and environmental agility needed to detect and thwart sophisticated attacks.
Today’s systems are a patchwork of controls subject to time-consuming updates, serving up too much data and not enough intelligence. They are built around routine compliance reporting and regular audits, and assume that we can achieve a priori knowledge of malware signatures. This is what I have referred to before when I have talked about the siloed line-up of point products. This static and inflexible model breaks; it doesn’t bend. It has no resiliency.
Instead, we need a security model that provides for intelligent controls and advanced monitoring capabilities that understand normal states and patterns of user behavior, and comprehend transaction patterns to spot high-risk anomalies and events. We need to identify those anomalies in real time, for immediate response and risk mitigation. Ultimately, we will have to automate these analytics and responses. Fortunately, products and solutions that fit this model are already available. We must accelerate their adoption.
To maximize the effectiveness of agile security operations, intelligence-based controls and visibility capabilities must be deployed pervasively, internally, on mobile platforms or in the cloud – eliminating blind spots, and ensuring that no material asset is out of our reach, even if it’s beyond our control.
Third, the intelligence-driven security system must have contextual capabilities
An advanced system of controls and monitoring capabilities is effective only when a security event is delivered with complete context around it. In other words, the success of prioritizing and decision-making is dependent on having the best information available.
That’s why intelligence-based security systems need to rely on more than just log data used in traditional security event management. Organizations must adopt a “Big Data” view of information security in which security teams have real-time access to the entirety of information that is relevant to detecting security problems.
Fusion of Big Data with high speed analytics
From a security perspective, Big Data refers to vast data sets of unprecedented scale and formats, not just from security controls but including security-relevant information gathered from every part of the enterprise and beyond. The data must be correlated using high speed analytics to produce actionable information.
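The two capabilities described above, controls that learn a user’s normal behaviour and flag anomalies in real time, and correlation of internal events with external intelligence to produce actionable information, can be sketched in a few dozen lines. The following is an added illustration, not code from RSA or from any product mentioned in this post. The log format, user names, addresses and the threat-intelligence entry are all constructed for the example (the flagged address is from the TEST-NET-3 documentation range), and the scoring weights are arbitrary assumptions chosen to show the idea rather than a tuned model.

```python
"""Added example (not from the RSA post): learn a per-user behavioural baseline
from normal authentication events, then score new events by how far they deviate
from that baseline (inside-out view) and by what an external intelligence list
says about the source address (outside-in view)."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample events used to build the baseline. The key=value format is an
# assumption for this example, not any vendor's log schema.
BASELINE_LOG = """\
2012-02-20T08:05:12 user=alice src=10.1.4.22 action=login result=success
2012-02-20T09:14:55 user=alice src=10.1.4.22 action=login result=success
2012-02-21T08:11:03 user=alice src=10.1.4.23 action=login result=success
2012-02-21T17:40:10 user=bob src=10.1.7.9 action=login result=success
2012-02-22T18:02:41 user=bob src=10.1.7.9 action=login result=success
2012-02-22T08:30:00 user=alice src=10.1.4.22 action=login result=success
"""

# Constructed events to be scored against the baseline.
NEW_LOG = """\
2012-02-27T08:20:31 user=alice src=10.1.4.22 action=login result=success
2012-02-27T03:12:09 user=alice src=203.0.113.45 action=login result=success
2012-02-27T17:55:00 user=bob src=10.1.7.9 action=login result=success
2012-02-27T02:00:17 user=mallory src=10.1.9.1 action=login result=failure
"""

# Constructed stand-in for an external intelligence feed: a placeholder address
# (documentation range, not real infrastructure) with a placeholder label.
EXTERNAL_INTEL = {"203.0.113.45": "flagged-by-external-feed (placeholder)"}


@dataclass
class Profile:
    """What 'normal' looks like for one user: hours and source addresses seen."""
    hours: set = field(default_factory=set)
    sources: set = field(default_factory=set)


def parse(line):
    """Turn one 'timestamp key=value ...' line into a dict with a parsed 'ts'."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def build_baseline(log_text):
    """Learn, per user, the login hours and source addresses seen in normal traffic."""
    profiles = defaultdict(Profile)
    for line in log_text.splitlines():
        ev = parse(line)
        profiles[ev["user"]].hours.add(ev["ts"].hour)
        profiles[ev["user"]].sources.add(ev["src"])
    return profiles


def score_event(ev, profiles, intel):
    """Return (score, reasons). Weights are illustrative assumptions only."""
    score, reasons = 0, []
    p = profiles.get(ev["user"])
    if p is None:
        score += 2
        reasons.append("unknown user")
    else:
        if ev["src"] not in p.sources:
            score += 1
            reasons.append("new source address")
        # An hour within one hour of any previously seen hour counts as normal.
        if not any(abs(ev["ts"].hour - h) <= 1 for h in p.hours):
            score += 1
            reasons.append("unusual hour")
    if ev["src"] in intel:  # the outside-in signal: external intelligence on the source
        score += 3
        reasons.append("external intel: " + intel[ev["src"]])
    if ev.get("result") == "failure":
        score += 1
        reasons.append("failed attempt")
    return score, reasons


def detect(log_text, profiles, intel, threshold=3):
    """Return (score, user, src, reasons) for events at or above threshold, highest first."""
    hits = []
    for line in log_text.splitlines():
        ev = parse(line)
        s, why = score_event(ev, profiles, intel)
        if s >= threshold:
            hits.append((s, ev["user"], ev["src"], why))
    return sorted(hits, key=lambda h: h[0], reverse=True)


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_LOG)
    for score, user, src, why in detect(NEW_LOG, baseline, EXTERNAL_INTEL):
        print(f"score={score} user={user} src={src} reasons={', '.join(why)}")
```

Run stand-alone, the script reports two events: alice’s 03:12 login from the externally flagged address (new source, unusual hour, and an intelligence match) and a failed login by a user with no baseline at all; the routine logins by alice and bob score zero and are never surfaced. The point is the fusion: neither the behavioural deviation nor the intelligence match alone is decisive, but an event carrying both rises to the top of the queue, which is the context the post argues an analyst needs.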
The age of Big Data has arrived in security management, enabled by advances in data storage systems, computing power and analytical tools. With this Big Data capability, security teams can stop making the investment and technology compromises that prevent them from having what they really need to be most effective in their jobs: ready answers to the most difficult questions about advanced threats, compliance, fraud and other risks. Security teams will have the power to recognize the enemy within quickly, isolate compromised elements of infrastructure, protect information assets and render attacks harmless.
New breed of cyber security analyst
We also need to champion and develop a new breed of Cyber Security Analyst.
As my colleague Rashmi Knowles put in her blog, we need to tap more military experience and military intelligence, “yet, the IT security industry typically doesn’t recruit from the military and focuses more on traditional IT security technical experience.”
This new breed of analyst must have the right analytical skills, big-picture thinking and much-needed collaborative people skills to ensure smooth information sharing with multiple stakeholders. They need to be offensive in their mindset: constantly evaluating external intelligence, tweaking security data models and finding new ways to identify and intercept threats on the horizon whenever possible.
Share collective intelligence
To date, information sharing has been severely limited by distrust, technology gaps and legal constraints. After years of talk, something good is finally starting to happen here.
Like everything else in technology, people are refusing to wait. Grassroots networks of like-minded communities are sharing security intelligence as never before. These networks are being formalized industry by industry. And they are starting to go viral as networks of networks are being formed, with the various information sharing and analysis centers collaborating with the Department of Homeland Security to act as clearing houses facilitating the flow of intelligence.
RSA recently sponsored independent research on this topic, “Getting Ahead of Advanced Threats: Achieving Intelligence-Driven Security,” and I encourage you to read about the progress that is being made in the organizations of some of the most forward-looking CSOs around the world.