The new fundamentals of security
Michael Fey, worldwide CTO, McAfee, Inc.
Much of this concern centers on the challenges of adapting existing security architectures to secure the always-on, always-connected enterprise. Common challenges include setting the right infrastructure priorities, the need to learn from and adjust to attacks, and the inability to enhance countermeasures as attacks are taking place. Unfortunately, I am certain that if we as an industry fail to address these concerns, we will continue to follow a course that ultimately takes us to failure.
As I contemplate the emerging threat landscape, I can't avoid the conclusion that the current model has us playing catch-up and clean-up to such threats resulting in failure for the industry.
But failure doesn't have to be our ultimate destination. We can prepare for whatever is over the horizon by enhancing our security architectures to prioritize our most important assets and account for the changing attack vectors threatening them. We can challenge resilient, real-time attacks with orchestrated, interactive defenses that share information across the enterprise and provide security teams information to defeat attacks – even as they are taking place.
During my keynote at RSA, “The New Fundamentals of Security,” I went into detail on how the security industry must apply a new set of approaches to protect the always-on, always-connected enterprise of the present and future.
Here's a quick recap of these new fundamentals:
The three R's: Riches, ruins and regulations
Not all of the changes required of our security infrastructures will come through a technical control or solution. Organizations need to rethink the way they engage in the strategic planning process for security. Security teams cannot succeed left on an island, trying to decide by themselves what the critical assets to the business are. Like managing any great risk faced by an organization, it requires cross-functional collaboration. Organizations with enterprises structured in siloes see this as an arduous task, but it does not have to be this way.
An exercise called “3 R's: Riches, Ruins and Regulations” the security team engages with these executives to identify where a thief would attempt to steal the company's riches; what information would ruin the company if it was leaked; and what regulation frameworks must the business navigate to remain in compliance. Based on the results of this exercise, the security team can develop a holistic security strategy based on priorities central to the business.
Evolution of an orchestrated defense
As we look to the future, it is clear that our defenses must evolve and adapt at a more rapid pace than that of our adversary's threats. Unfortunately, many of today's solutions are in siloes and thus lack the ability to share threat intelligence with the rest of the security infrastructure. This inability to learn, share and apply information between siloes undermines the enterprise's ability to evolve and adapt.
To illustrate this point, I often ask customers whether or not their security infrastructure is better off after blocking a piece of malware. Without exception or nuance, the customer answers, “No, we do not become stronger.” That's because most organizations deploy “trial and error” defenses, so-called because they block certain attacks, but fail to learn from them. This leaves other areas of vulnerability open to the next attempted attack, and the next, and the next, until the attacker is successful.
We need to build orchestrated defenses, composed of solutions that share what they have learned from each attack to better fend off and ultimately lock the attacker out of the organization. Our solutions should be able to share key information that strengthens the overall organizational security posture:
- Where did the attack originate?
- Who interacted with the attacker?
- What artifacts have been left behind?
- What processes were used?
- Was the attack packed, and how?
- What was the attack entry vector?
Finding answers to these questions allows us to evolve our approach from “trial and error” to an orchestrated defense taking both context and composition into account.
Interactive vs. historical approaches
The traditional approach to security has always been based on historical information. It's not enough that our solutions share information. To be more effective in countering threats, companies need to adapt to a real-time, as-it-happens threat environment with an informed, interactive security posture. The advisory works in near real time our defenses and understanding must also be in that same time scope.
The historical approach provides detailed reporting about an attack after-the-fact. The interactive approach provides information and insight on the attack taking place. The historical approach tells security teams how many times and in how many ways a particular threat has attacked them. The interactive informs them that yet another attack is underway, and empowers them to quickly put an end to it. The historical approach provides insights into the behavior and processes of yesterday's attacks. The interactive approach enables decisions and the ability to take action against today's and tomorrow's attacks.
While most security practitioners have the historical approach firmly engrained in their brains, the always-on, always-connected paradigm demands a mental shift to where our technology is already headed: the interactive.
Interactive security is the next step in situational awareness. It will bring a wealth of timely information right to our fingertips, allow us to act faster, and fundamentally change how we manage risk.
The three R's, the orchestrated defense and the interactive approach are the new fundamentals of security for the “always-on, always-connect” age. They are absolutely imperative to mitigating the threats facing us moving forward. If we take a detour off our current trajectory and make real change in their direction, we will be able to set ourselves on the right course to defeating these cyber threats.