In a sign of the times, Dark Reading published an article “Most Companies Expect to Be Hacked in the Next 12 Months”, which describes the results of a survey of enterprise security professionals. This survey is another data point in the trend of rising disillusionment and defeatism in security. That trend is worth noting and, more importantly, worth addressing head on by changing the way security operations does its business and the underlying security technology base it relies on.
Three points jumped out from the survey:
- Pessimism in the industry about being breached is running high. 52% of security professionals responded that they are likely to be breached in the next 12 months.
- An ever-creeping sense of defeatism is taking over the security industry. “Security is finally waking up to the new reality that it’s more of a question of ‘when’ than ‘if’.”
- Disillusionment with traditional endpoint security technologies is equally high. 67% of respondents said they are evaluating their endpoint anti-malware software in order to augment or replace it altogether.
Clearly the pessimism and rising defeatism are symptomatic of a broken security technology base. The same study found that 70% of companies surveyed said they were successfully breached in the last 12 months, and 22% said they were successfully hacked six or more times.
The traditional security paradigm in the large enterprise space is Prevent, Detect, Respond. Prevention via traditional security approaches is widely acknowledged as a failed strategy. This in turn gave birth to the Detection industry, which has only succeeded in producing prodigious volumes of alerts and data dumps that under-staffed and over-worked security teams now have to wrestle with. Naturally, following the failures in Prevention and Detection, successful breaches have ensued, and those drive the real money-grabber: Response. Response teams, whether in-house or out-sourced, are a huge expense in security operations. Even worse, Response comes after, and typically long after, a breach has occurred and key data such as customer records or proprietary plans has potentially already been lost.
Fundamentally, what I believe this survey points to is the need to change the traditional paradigm of Prevent, Detect, and Respond to Contain, Identify, and Control.
Re-thinking the Security Strategy: Containment, Identification, Control
Containment is a core architectural strategy for mitigating the damage from successful exploits of applications and from compromised devices. Much as a submarine is designed to compartmentalize hull breaches, containment strategies compartmentalize successful network breaches. Just as a hull is designed to withstand only so much force before it fails, software applications and users are the weak links on enterprise networks, and they will often break under pressure and exploitation. Containment limits the damage from software exploits and from users who fall victim to spearphishing and other online attacks. The key measure of success in containment is limiting the compromise of applications and devices so that no sensitive data is actually breached.
Detection is really a euphemism for collection. Most detection strategies today simply collect voluminous data and put the onus of interpretation and analysis on humans who are ill-equipped to do so. In fact, what security ops teams really care about is not detection but rapid identification of the threats in their enterprise that have evaded traditional prevention mechanisms. Empowering security teams to rapidly identify compromised devices and adversaries on their networks is far more useful than simply collecting data. The key measure of success in identification strategies is reducing adversary dwell time on the network from weeks and months to minutes.
Response is inherently a reactive and expensive activity. Of all security activities, response is the most expensive dollar spent, and it is almost always unbudgeted. Without adequately trained response teams, enterprises must out-source incident response, which means paying very high rates to outside firms for only the temporary benefit of cleaning up after an incident. Rather than chase adversaries that have been colonizing the network for long periods of time, strategic security ops teams seek to gain control over network breaches by staying in front of the adversary as it attempts to move laterally through the network. Control strategies work hand-in-hand with Containment and Identification strategies to rapidly eradicate identified threats on the network.
Calling All Change Agents
We know that change is hard to implement in organizations. But we also know that doing the same thing over and over again and expecting a different result is the definition of insanity often attributed to Einstein. Clearly the survey referenced in the article points to despair and rising defeatism in security teams. We need to heed the warning signs and fundamentally re-think how we do security at an enterprise level, along with the aging security technology base in use today. Today’s strategic security leaders and change agents are adopting Containment, Identification, and Control strategies to enable security teams to regain the upper hand.
As always your comments and feedback below are welcome.