Nik Whitfield, CEO, Panaseer, talks to Intelligent CISO about why it’s time for organisations to take a proactive approach to security to stand a chance of staying ahead of modern cyberthreats.
The last decade has seen a huge surge in cyberdefence technologies. Like an arms race, with every increasing or new threat, organisations layer on a new solution or product, hoping to create a blanket of cover thick enough to keep the bad guys out.
They then sit, wait, monitor, hope to detect something bad as quickly as possible and finally react when something is discovered. Collectively, however, we have now reached a point where this is no longer an effective approach.
It is an outdated equation in which you will never have enough resources to respond to the ever-evolving intelligent adversary, and with most businesses taking on average about 197 days to detect a breach on their network, the analogy of ‘shutting the gate after the horse has bolted’ springs to mind.
If you are to stand a genuine chance of combatting threats successfully and addressing the myriad of compliance issues facing all industries, you need a different playbook. With limited budgets and resources, and demands for insight and proof, organisations must move from firefighting (monitor, detect, react) to fireproofing (prepare and protect), developing a robust, proactive cyber strategy.
Industry experts agree – earlier this year Markets and Markets issued a report that outlined that the proactive security market is undergoing tremendous growth. Its report outlined that the market is expected to grow from US$ 20.66 billion in 2018 to US$ 41.77 billion by 2023, at a Compound Annual Growth Rate (CAGR) of 15.1% during the forecast period.
Enabling your strategy to evolve isn’t easy, which is why we commissioned analysis from 451 Research to provide insight into the industry opportunity for proactive security – as well as the key hurdles that organisations need to overcome to successfully shift their focus.
A profusion of tools and data
The profusion of tools and data with their operational silos obscures the true state of the organisation’s security posture. Gathering asset data from across the organisation is deceptively difficult. The problem starts with the myriad of operational silos that have to be crossed – on-premises and externally hosted devices and applications, mobile devices and tethered desktops, servers and endpoints, and virtual and physical devices.
Coordinating a unified asset inventory involves cross-organisational management support, as well as techniques that likely differ from one domain to the next. Useful data abounds in management systems dedicated to each domain – but they often don’t share this information across silos or with each other. Operational structures, meanwhile, create their own silos of administrators and managers tasked with specific jobs, further inhibiting the sharing of data across the organisation.
Technology and operations silos may never disappear. However, modern methods of data collection, management and analysis at scale can overcome many of these barriers to comprehensive visibility and action. Today’s techniques support collection from multiple and varied sources for centralised analysis that can provide multiple views into the data depending on the need.
Many organisations are already pursuing the integration of this technical threat and vulnerability data, but the modern business can (indeed, must) go further still.
Metrics can be developed that show progress toward proactive investment and goals to ensure preparation and protection against risk. Together, these factors can help prioritise defence and vulnerability remediation and ensure its competent management. Whether to provide an overview of the organisational posture as a whole or to serve a specific function, modern platforms can help bridge gaps, introduce useful metrics that embrace multiple factors and give clarity that reveals where action can have real impact in any domain.
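The reconciliation this section describes, as an added illustration that is not Panaseer's or 451 Research's code: three constructed exports from siloed tools (a CMDB, an endpoint agent console and a vulnerability scanner) are merged under one normalised hostname key, and posture metrics are derived from the merged view (control coverage, assets unknown to the CMDB, assets with critical findings still open). Field names and sample hosts are assumptions for the example.

```python
"""Reconcile asset records from siloed tools into one inventory and derive
control-coverage metrics. All data below is constructed for the example."""
from collections import defaultdict

# Constructed exports: each silo names the same machines differently.
CMDB = [{"host": "WEB-01.corp.example", "owner": "ops"},
        {"host": "db-02.corp.example", "owner": "data"},
        {"host": "hr-laptop-7.corp.example", "owner": "hr"}]
EDR_AGENTS = [{"hostname": "web-01", "agent": "ok"},
              {"hostname": "DB-02", "agent": "ok"},
              {"hostname": "build-99", "agent": "ok"}]  # unknown to the CMDB
SCANNER = [{"fqdn": "web-01.corp.example", "critical_open": 0},
           {"fqdn": "hr-laptop-7.corp.example", "critical_open": 3}]

def normalise(name: str) -> str:
    """Canonical key: lowercase short hostname with the domain suffix stripped."""
    return name.strip().lower().split(".")[0]

def build_inventory(cmdb, edr, scanner):
    """Merge the silos into {host_key: {source_name: record}}."""
    inv = defaultdict(dict)
    for r in cmdb:
        inv[normalise(r["host"])]["cmdb"] = r
    for r in edr:
        inv[normalise(r["hostname"])]["edr"] = r
    for r in scanner:
        inv[normalise(r["fqdn"])]["scanner"] = r
    return dict(inv)

def coverage_metrics(inv):
    """Posture metrics: known assets lacking each control, assets the CMDB
    does not know about, and assets with critical findings still open."""
    known = {h for h, s in inv.items() if "cmdb" in s}
    no_edr = sorted(h for h in known if "edr" not in inv[h])
    unscanned = sorted(h for h in known if "scanner" not in inv[h])
    shadow = sorted(h for h, s in inv.items() if "cmdb" not in s)
    crit = sorted(h for h, s in inv.items()
                  if s.get("scanner", {}).get("critical_open", 0) > 0)

    def pct(gap):  # share of known assets that do have the control
        return round(100 * (1 - len(gap) / len(known)), 1) if known else 0.0
    return {"known_assets": len(known),
            "edr_coverage_pct": pct(no_edr), "missing_edr": no_edr,
            "scan_coverage_pct": pct(unscanned), "unscanned": unscanned,
            "shadow_assets": shadow, "critical_open": crit}

if __name__ == "__main__":
    for k, v in coverage_metrics(build_inventory(CMDB, EDR_AGENTS, SCANNER)).items():
        print(f"{k}: {v}")
```

Each gap list is directly actionable by the team that owns that control, which is the point of reconciling before measuring: a coverage percentage without the named assets behind it cannot be handed to IT operations for remediation.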
An over-reliance on people
Organisations have historically attempted to forge a proactive security strategy by relying on experienced people to manage all the disparate tools, data and operational groups. Security operations teams live this every day with monitor-and-respond approaches requiring people to triage alerts, interpret incidents and respond to security problems.
Relying on staff becomes strained as the organisation grows and complexity from the profusion of tools and data increases. Qualified security operations personnel are hard to find and expensive to hire. In addition, trying to keep up with and close security issues – alternately stressful and mundane without better tools to help handle the load – can lead to burnout and make it more difficult to retain critical staff.
There are three clear problems with an over-reliance on people when implementing a proactive security strategy:
- Manual processes are not reliably actionable.
- Manual processes are not sustainable.
- Failures can damage the credibility of security teams.
The good news is that automation and analytics have advanced in multiple realms to shift this reliance away from people and take advantage of what technology can do better. These advances are now available to arm teams with proactive security strategies to better prepare and protect the business as well. Orchestration and automation technologies are being implemented to help monitor-and-respond operations overcome this major people issue – the same must happen with prepare-and-protect strategies.
A ‘one size fits all’ mentality
It’s not just that no two business infrastructures look alike; it’s also important to recognise that multiple groups participate in a proactive security strategy and that these groups have their own interests, priorities, needs and requirements. For instance, security operations can identify concerns and problems that require attention, but it is often IT operations that must define, test and deliver remediation actions. Business leaders, meanwhile, want to know what it will take to protect critical assets and priorities and at what cost.
Proactive security measures identify high-priority exposures, threats and risks to the business, correlate them to specific assets, and help identify appropriate privileges and controls in facilitating access to and use of these assets. IT works with security to identify and track priorities and puts proactive measures into operation, enabling tasks to flow into IT operations processes to ensure their proper execution. The ability to provide diverse views into data relevant to all these interests is critical to the success of the collaborative efforts of proactive security.
Previous lopsided investments
To date the lopsided investment in reactive measures tacitly acknowledges that proactive measures have too often failed to deliver on their promise to protect the organisation. The plethora of tools and data, over-reliance on people, operations products that cannot be tailored to the business and infatuation with reactive measures have made it difficult to commit to proactive security.
Fortunately, technology that supports a strategy of prepare and protect is catching up and helping to provide a balance. Advances in data management and analytics enable security operations to readily gather data from multiple sources, rationalise differences between these sources and present customised views into the data. All of this can be done with higher speed and accuracy than was possible in the past.
Organisations investing in prepare-and-protect approaches are more resilient to attack and are better able to isolate and recover from attacks when they do occur. The fact is, opting to ‘monitor and respond’ at the expense of ‘prepare and protect’ is a poor strategy from a security performance and cost standpoint, especially as we reach a point where the cost of containment and response can far exceed the investment in resilience.
This is clearly illustrated by the global impact of the 2017 ‘NotPetya’ outbreak, estimates of which range as high as US$10 billion – yet the vulnerabilities exploited had in many cases already been resolved for years in many older operating systems.
Advances in data gathering, rationalisation, analytics and automation have made a proactive strategy more actionable now than ever before. Organisational infrastructures are becoming more complex as billions of smart devices, coupled with a growing diversity of technologies, demand an approach that can scale.
Adversaries, too, recognise how their strategies must adapt. The risks are too great to ignore. The technology is available; the time to act is now – before organisations become even more overwhelmed by what may face them tomorrow.