In blog 1 of our series, we examined three realities that are driving enterprises to embrace an adaptive approach to security -- an idea coined by Gartner and explained in the report, Designing an Adaptive Security Architecture for Protection From Advanced Attacks.
Pardon the cliché, but as my mother was fond of saying, “An ounce of prevention is worth a pound of cure.” As someone who believes in a proactive approach to good health, I believe that this ounce of prevention applies to other areas of life as well, but sometimes we have to think beyond just prevention.
In the security world, some believe that it’s a given that the bad guys will get in, so let’s stop worrying about prevention. That’s like saying that you believe it’s inevitable that you’ll contract a serious disease, so you just work on treating the illness when it takes hold and don’t bother to prevent it in the first place or to monitor yourself along the way. I tend to disagree with this perspective. In this blog post, we’ll take a look at how some security professionals think, and why they need to change their mindset in some key areas and embrace an adaptive approach to security to mature their defenses.
“Blocking and Prevention Solutions Will Keep All the Bad Guys Out.”
I’m a big advocate of good nutrition, regular exercise, and sufficient rest. But even if you take these basic preventative measures, life can still throw you a curve ball. You may catch a rare disease while vacationing on an exotic island or injure yourself while participating in a triathlon. In much the same way, enterprise security teams believe that investing heavily in blocking and prevention solutions is a surefire way to keep bad actors out. However, the problem is that today’s well-funded and technologically advanced bad guys churn out complex and sophisticated attacks faster than most security vendors can release products to stop them. Ten years ago, we saw approximately 25 instances of malicious code at my organization. Today, that number is just under 500,000.
While preventative controls are important against opportunistic attacks, today’s most destructive threats are mostly low-and-slow targeted attacks that can circumvent traditional signature-based defenses such as antivirus technology. Basic prevention alone is not enough, and enterprise security organizations need to accept this. The fact is, no matter how much enterprises spend on blocking and prevention solutions, they can never keep 100% of threats at bay. Some are always bound to get past current defenses.
“There’s Nothing We Can Do Once the Bad Guys Are In.”
In the security world, it’s true that some malware or creative hacking will make it past enterprise defenses. So what do you do? When it comes to your health, you make sure you get regular checkups and see the doctor when you experience symptoms instead of letting things get worse. In enterprise security, the next mindset change that needs to occur is to realize that detection and response are as important as blocking/prevention technologies. Without effective support for these processes, attacks will have longer dwell times, leading to more serious damage. Clearly, enterprises are beginning to move in the direction of continual detection, monitoring, and response. Gartner estimates that by 2020, enterprise security teams will allot 60% of their budgets to rapid detection and response solutions -- up from less than 10% in 2014.
“Our Security Products Don’t Have to Communicate.”
As enterprises struggle to protect themselves against the next new attack, they are drawn to the promise of the latest shiny silver-bullet product. In health, as in security, there’s no magic cure-all. All too often, the silver-bullet approach results in a mash-up of siloed solutions that can’t communicate with each other. But a best-of-breed approach can still succeed if data integration and process and policy orchestration are designed in from the start.
Here’s a health-related comparison. HIPAA (Health Insurance Portability and Accountability Act) sets standards for health information privacy, security, and communications format in an effort to enable electronic exchange of patient data. Now specialists and other practitioners can easily share and analyze medical records without any manual effort and come up with an effective course of treatment faster.
The premise behind an adaptive security infrastructure is much the same. If the technologies are connected and enabled to exchange insightful threat information and context, security teams and processes will be more effective both in the short term and long term. So if you allow me to slip in a different analogy, it isn’t just a silver bullet, but rather a bunch of bullets -- and what we’re really trying to do is make them fit in the same gun.
“Incident Response Only Needs to Happen on an As-Needed Basis.”
Getting back to health again, what happens if you have a car accident or suffer a severe injury? These types of incidents require immediate attention and response. In our everyday lives, we make the assumption that incidents like these may happen, so we create a proactive continuous response process. We visit the doctor for annual physicals, get the right tests, and see specialists if we develop a condition. And, yes, occasionally we might end up in the emergency room.
Many enterprises have an “emergency response” consciousness. They look at incident response as something that happens only when a security event is discovered. A bad actor introduces malware or compromises a corporate asset, a security team is pulled together to investigate and remediate, and then everything goes back to normal. Today, this ad hoc approach is not an option. The new normal is the continual risk of compromise, which demands continuous response. Finding the bad guys and stopping them from doing further damage must become an ongoing endeavor with formal plans and optimized processes that feed learnings back in to improve policies, processes, and technologies. This feedback loop is the key to adaptive security.
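To make the two ideas above concrete, the exchange of context between otherwise siloed tools and the feedback loop from response back into prevention, here is an added example that is not code from this post, from Gartner, or from any product. It models one pass through a minimal adaptive loop in Python: a blocklist (prevention), a detector for low-and-slow beaconing that a signature would miss (detection), host isolation (response), and the promotion of what detection learned into the blocklist (feedback). The proxy events, the asset-inventory context, the host and domain names, and the threshold are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample telemetry (not from the post): outbound connections
# reported by a web proxy, as (host, destination, minute-of-day).
PROXY_EVENTS = [
    ("ws-17", "update-cdn.example", 0),
    ("ws-03", "mail.example", 2),
    ("ws-03", "mail.example", 5),
    ("ws-09", "known-bad.example", 7),
    ("ws-17", "update-cdn.example", 10),
    ("ws-17", "update-cdn.example", 20),
    ("ws-17", "update-cdn.example", 30),
    ("ws-17", "update-cdn.example", 40),
]

# Constructed context from a second, separate tool (an asset inventory):
# the kind of information siloed products normally cannot exchange.
ASSET_CONTEXT = {"ws-17": "high", "ws-03": "low", "ws-09": "low"}


@dataclass
class Policy:
    """Shared policy that prevention, detection and response all read and update."""
    blocked_domains: set = field(default_factory=lambda: {"known-bad.example"})
    beacon_min_count: int = 4      # repeated contacts before we call it beaconing
    isolated_hosts: set = field(default_factory=set)


def prevent(events, policy):
    """Blocking/prevention: drop traffic to destinations already known to be bad."""
    allowed = [e for e in events if e[1] not in policy.blocked_domains]
    blocked = [e for e in events if e[1] in policy.blocked_domains]
    return allowed, blocked


def detect(events, policy, context):
    """Detection: flag low-and-slow beaconing, i.e. the same host contacting the
    same destination at a perfectly regular interval, and enrich each alert
    with asset criticality supplied by the inventory tool."""
    by_pair = defaultdict(list)
    for host, dst, minute in events:
        by_pair[(host, dst)].append(minute)
    alerts = []
    for (host, dst), minutes in by_pair.items():
        if len(minutes) < policy.beacon_min_count:
            continue
        minutes.sort()
        gaps = {b - a for a, b in zip(minutes, minutes[1:])}
        if len(gaps) == 1:  # identical gaps between every contact
            alerts.append({
                "host": host,
                "destination": dst,
                "severity": context.get(host, "unknown"),
                # time between first and last observed contact: the dwell time
                "dwell_minutes": minutes[-1] - minutes[0],
            })
    return alerts


def respond(alerts, policy):
    """Response: isolate the affected host so the compromise cannot progress."""
    for a in alerts:
        policy.isolated_hosts.add(a["host"])
    return sorted(policy.isolated_hosts)


def feed_back(alerts, policy):
    """Feedback loop: what detection learned becomes tomorrow's prevention."""
    for a in alerts:
        policy.blocked_domains.add(a["destination"])
    return policy


def run_cycle(events, policy, context):
    """One pass through prevent -> detect -> respond -> feed back."""
    allowed, blocked = prevent(events, policy)
    alerts = detect(allowed, policy, context)
    respond(alerts, policy)
    feed_back(alerts, policy)
    return {"blocked": len(blocked), "alerts": alerts}


def demo():
    """Run the same telemetry through two cycles to show the policy adapting."""
    policy = Policy()
    first = run_cycle(PROXY_EVENTS, policy, ASSET_CONTEXT)
    second = run_cycle(PROXY_EVENTS, policy, ASSET_CONTEXT)
    return first, second, policy


if __name__ == "__main__":
    first, second, policy = demo()
    print(first)   # one high-severity beaconing alert, one event blocked
    print(second)  # the same traffic is now stopped at prevention, no alerts
```

On the first cycle only the pre-existing blocklist entry is stopped and the beaconing host is caught by detection, enriched as high severity because the inventory tool says so, and isolated; on the second cycle the destination it was talking to is blocked outright before detection has to run. That closing of the loop, rather than any single control, is what the adaptive approach is about.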
Get On The Adaptive Security Bandwagon
“If you can change your mind, you can change your life,” said William James, the father of American psychology. This certainly rings true in the realm of security. By adopting new ways of thinking about security, improving the capabilities of existing systems, and integrating key innovations, enterprises will be well on their way to better security.
Stay tuned for blog 3 of this series, which will address the specifics of what it takes to create an intelligence-driven security operations center (SOC).
To learn more about Gartner’s research in this space and approaches for implementing adaptive security, view this webinar featuring Neil Macdonald from Gartner and me as we talk about the Adaptive Security Architecture concept.