Adaptive Security Demands A Shift In Mindset: Part 2 In A Series

By adopting new ways of thinking about security, improving the capabilities of existing systems, and integrating key innovations, enterprises will be well on their way to better security.

Brett Kelsey, VP & Chief Technology Officer, Americas, Intel Security

June 24, 2016

6 Min Read

In blog 1 of our series, we examined three realities that are driving enterprises to embrace an adaptive approach to security -- an idea coined by Gartner and explained in the report, Designing an Adaptive Security Architecture for Protection From Advanced Attacks.

Pardon the cliché, but as my mother was fond of saying, “An ounce of prevention is worth a pound of cure.” As someone who believes in a proactive approach to good health, I believe that this ounce of prevention applies to other areas of life as well, but sometimes we have to think beyond just prevention.

In the security world, some believe that it’s a given that the bad guys will get in, so let’s stop worrying about prevention. That’s like saying that you believe it’s inevitable that you’ll contract a serious disease, so you just work on treating the illness when it takes hold and not bother to work on preventing it in the first place or not monitor yourself along the way. I tend to disagree with this perspective. In this blog post, we’ll take a look at how some security professionals think, and why they need to change their mindset in some key areas and embrace an adaptive approach to security to mature their defenses.

“Blocking and Prevention Solutions Will Keep All the Bad Guys Out.” I’m a big advocate of good nutrition, regular exercise, and sufficient rest. But even if you take these basic preventative measures, life can still throw you a curve ball. You may catch a rare disease while vacationing on an exotic island or injure yourself while participating in a triathlon. In much the same way, enterprise security teams believe that investing heavily in blocking and prevention solutions is a surefire way to keep bad actors out. However, the problem is that today’s well-funded and technologically advanced bad guys churn out complex and sophisticated attacks faster than most security vendors can release products to stop them. Ten years ago, we saw approximately 25 instances of malicious code at my organization. Today, that number is just under 500,000.

While preventative controls are important against opportunistic attacks, most of today’s most destructive threats are low-and-slow targeted attacks that can circumvent traditional signature-based defenses such as antivirus technology. Basic prevention alone is not enough. This is something that enterprise security organizations need to accept. The fact is, no matter how much enterprises spend on blocking and prevention solutions, they can never keep 100% of threats at bay. Some are always bound to get past current defenses.

“There’s Nothing We Can Do Once the Bad Guys Are In.” In the security world, it’s true that some malware or creative hacking will make it past enterprise defenses. So what do you do? When it comes to your health, you make sure you get regular checkups and see the doctor when you experience symptoms instead of letting things get worse. In enterprise security, the next mindset change that needs to occur is to realize that detection and response are as important as blocking/prevention technologies. Without effective support for these processes, attacks will have longer dwell times, leading to more serious damage. Clearly, enterprises are beginning to move in the direction of continual detection, monitoring, and response. Gartner estimates that by 2020, enterprise security teams will allot 60% of their budgets to rapid detection and response solutions -- up from less than 10% in 2014.

“Our Security Products Don’t Have to Communicate.” As enterprises struggle to protect themselves against the next new attack, they are drawn to the promise of the latest shiny silver-bullet product. In health, as in security, there’s no magic cure-all. All too often, the silver-bullet approach results in a mash-up of siloed solutions that can’t communicate with each other. But this best-of-breed approach can still succeed by designing in data integration and process and policy orchestration.

Here’s a health-related comparison. HIPAA (Health Insurance Portability and Accountability Act) sets standards for health information privacy, security, and communications format in an effort to enable electronic exchange of patient data. Now specialists and other practitioners can easily share and analyze medical records without any manual effort and come up with an effective course of treatment faster.

The premise behind an adaptive security infrastructure is much the same. If the technologies are connected and enabled to exchange insightful threat information and context, security teams and processes will be more effective both in the short term and long term. So if you allow me to slip in a different analogy, it isn’t just a silver bullet, but rather a bunch of bullets -- and what we’re really trying to do is make them fit in the same gun.

“Incident Response Only Needs to Happen on an As-Needed Basis.” Getting back to health again, what happens if you have a car accident or suffer a severe injury? These types of incidents require immediate attention and response. In our everyday lives, we make the assumption that incidents like these may happen, so we create a proactive continuous response process. We visit the doctor for annual physicals, get the right tests, and see specialists if we develop a condition. And, yes, occasionally we might end up in the emergency room.

Many enterprises have an “emergency response” consciousness. They look at incident response as something that happens only when a security event is discovered. A bad actor introduces malware or compromises a corporate asset, a security team is pulled together to investigate and remediate, and then everything goes back to normal. Today, this ad hoc approach is not an option. The new normal is the continual risk of compromise, which demands continuous response. Finding the bad guys and stopping them from doing further damage must become an ongoing endeavor with formal plans and optimized processes that feed learnings back in to improve policies, processes, and technologies. This feedback loop is the key to adaptive security.

Get On The Adaptive Security Bandwagon

“If you can change your mind, you can change your life,” said William James, the father of American psychology. This certainly rings true in the realm of security. By adopting new ways of thinking about security, improving the capabilities of existing systems, and integrating key innovations, enterprises will be well on their way to better security.

Stay tuned for blog 3 of this series, which will address the specifics of what it takes to create an intelligence-driven security operations center (SOC).

To learn more about Gartner’s research in this space and approaches for implementing adaptive security, view this webinar featuring Neil Macdonald from Gartner and me as we talk about the Adaptive Security Architecture concept.

About the Author(s)

Brett Kelsey

VP & Chief Technology Officer, Americas, Intel Security

Brett Kelsey is the VP and Chief Technology Officer for the Americas for Intel Security. In this role, he has leveraged his business and practice development, technical expertise, and innovative thought leadership to evangelize Intel Security's go-to-market strategy across key customer segments in the Americas; drive strategic customer engagements; and provide customer feedback to product engineering to help shape the direction of our technology.

Mr. Kelsey is a well-respected executive in the information technology field with a successful career spanning more than 25 years. An internationally recognized expert, he is renowned for his exceptional ability to conceptualize, develop, and implement technology strategies for government and private-sector clients across the healthcare, financial, education, telecommunications, and power industries. He offers in-depth knowledge of information security practices, including complying with state, federal, and industry regulations, standards, and laws such as HIPAA, ISO, NIST, ITIL, CoBIT, Sarbanes Oxley, and GLBA. Additionally, he has served as Chief Security Officer in several government departments and financial organizations.

While serving as CSO, he led the corporate security program, which is focused on ensuring the integrity, confidentiality, and availability of critical information and computing assets, as well as managing risk to enable positive growth for the company's business. Brett also oversaw security in development practices, research in critical infrastructure assurance, electronic discovery, physical security, and internet security research.

Prior to joining McAfee Inc., Mr. Kelsey was the VP of dervice felivery for NWN Corp. by way of the acquisition of Western Blue Corp. At NWN, he led a team of over 75 technical consultants focused on delivering complex IT solutions in information security, cloud & data center computing, virtualization, end-point management, network infrastructure, and IT application modernization.

In addition, Brett was a founding partner and principal security consultant with S3 Group and managing principal at Lucent Professional Services (formerly International Network Services) where he led numerous Fortune 500 client engagements providing comprehensive security solutions encompassing risk and vulnerability identification, risk assessment and mitigation, and security program development incorporating infrastructure recommendations, policies, procedures, and processes to protect critical information, systems, and assets.

Mr. Kelsey has been called upon as an expert high-tech crime witness and certified computer forensics investigator examiner in numerous high-profile computer hacker arrests and convictions. He has served as a member of the Cisco Systems Technical Leadership Council, the McAfee Partner Advisory Council, the Microsoft Security Advisory Council, the Computer Security Institute (CSI), the Information Systems Security Association, InfraGard, the Information Systems Audit & Control Association, and the Project Management Institute.

In addition to extensive professional development and technical training, Mr. Kelsey holds certifications as both a certified Information Security Systems Professional and Certified Information Security Auditor.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights