Simply said, the information security industry can no longer sit transfixed as threats continue to morph and grow.
This year alone, attacks on commercial and consumer technology giants have put information for hundreds of millions of individuals at risk. Even some security vendors have been exposed.
Much like the “perfect storm,” in which three significant weather-related events converged with dangerous consequences, many IT organizations are experiencing three security-related events combining to threaten digital assets.
First, the rate of change in IT environments – the number of devices, users, applications and systems that connect to our infrastructure every day – is unprecedented.
Second, attacks are coming at a rapid pace and with an increasing level of sophistication. There were nearly 300 million unique viruses released last year and, according to data gathered by Sourcefire researchers, nearly 75 percent of these attacks were only ever seen on a single system.
Third, traditional approaches to IT security that most organizations rely on for protection were designed for a different time, a time when IT environments were stable and slow to change.
There's very little we can do to directly affect the first two factors. A changing IT environment is simply a sign of the times and a necessity for conducting business effectively. Organized crime, corporate espionage, and even malevolent nation-states that use deep pockets to spawn motivated and well-trained attackers are a reality in today's world.
However, we can have a very real and powerful impact on the third factor – our approach to network and computer security.
Most organizations deploy network and computer security technologies that are clearly ill-suited to the demands placed on them today. Indeed, most security solutions are essentially “black boxes.” Proprietary and closed, they fall short in a number of ways:
- Blind to the network. If new resources or systems appear on the network, most security systems won't even notice, let alone respond. Network behavior – such as unexpected connections and sessions, an important sign of a possible breach – passes unnoticed.
- Inflexible configuration. With little understanding of the assets they're protecting, most network security technologies, such as firewalls and traditional intrusion prevention systems, lack the context to understand the security implications of new events and the ability to change accordingly. Coupled with today's swiftly morphing attacks, whose threat lifecycles last mere hours, such systems are left further and further behind.
- Stuck in a manual world. Most of these tools are labor intensive, requiring users to configure them manually, identify and investigate events manually, and even create reports manually. The level of individual involvement such systems demand is high, making it impossible to keep up with the rate of change.
- High cost of operations. There aren't enough hours in the day, and most organizations can't afford a large enough staff, nor do they want to tie up highly trained security staff endlessly fine-tuning solutions to continuously track everything on the network.
As real-world experience demonstrates, static security tools quickly lose touch with the environment they're meant to protect. Security must evolve to better address the new reality of a rapidly changing environment.
Accenture's “Technology Vision 2011” report states: “Automation will quickly become a ‘must-have’ component in the overall security strategy of every IT organization. There is simply no other way to detect threats swiftly enough, let alone to contain the damage and recover from it.”
In order to move swiftly enough, security needs to be agile – not static – so that it can dynamically provide needed protection.
To understand if your security infrastructure is agile enough to protect your organization, ask yourself if it offers the following four capabilities:
- See. Agility demands clarity, but too often traditional security is blind to changing conditions and new attacks. Agile security approaches provide deep insight, yielding visibility into assets on the network, operating systems, applications, services, protocols, users and network behavior, as well as network attacks and malware.
- Learn. Visibility generates data. Being able to make effective decisions in response to that data requires rapid learning. Learning involves the application of intelligence, generated both locally and collectively by the larger community, in order to gain perspective.
- Adapt. The only real constant is change. And how do most security solutions respond? They don't change. At least not without considerable effort, and generally at a pace that leaves resources wide open to successful exploitation. The ability to automatically evolve and modify defenses to provide protection despite constant change is a must.
- Act. The ultimate responsibility of any security system is to protect sensitive assets and data. Malicious attacks must be successfully blocked. Policies – allowed applications, supported devices, prohibited activity – must be enforced. Suspicious or high-impact events must be prioritized and communicated to analysts.
With the ability to see, learn, adapt and act, we can protect today's complex and chaotic IT environments. With these capabilities, we can become agile.