Skip to main content

Security Intelligence - Reactive -v- Proactive

The RSA Conference bandwagon rolled into London this week, which promises to bring some interesting sound bites from the big players in the security sector.  Yesterday's opening key note speech from RSA's own Arthur Coviello, focused on some of the key challenges organisations face from an information security perspective.  The lack of skilled personnel, shrinking security budgets and the difficulties of ever complex risk management, make attacks more difficult to identify and overcome.

Coviello called for more of an 'intelligence-driven' security model to help evolve the traditional security operations centre into something more analytical and proactive.  Whilst being able to carefully understand and dissect and attack source, flow and impact, security intelligence could also be seen as just another level of reaction, albeit a more detailed one.



Intelligence-Driven Security


Security intelligence can be seen to bring together, several different sources of security information, from SIEM, identity and access management tools, perimeter defences (IDS, IPS, NGFW) and even HR systems.  There are several products available today, that aim to create a central warehouse of security data, so that analysts and operations teams can help to identify how and why data breaches have occurred, if insider fraud has taken place, or if a long term strategic cyber attack has taken place.  By analysing data from different sources, you can start to understand the threat landscape in a more detailed and conceptual way.  The same way a police investigator builds a case together, looking at evidence from different angles.

The major difficulty for many security operation centres, is the sheer bulk of security information they face - the age-old needle-in-a-hay stack problem.  This has been a failure of many SIEM solutions.  Whilst, they have great functionality in connecting and collating log and security data from different devices, all that serves to achieve is a greater pile of 'evidence' to shift through.  To overcome this, SIEM products then focused on speed of execution, with regards to free-form queries.  The ability to go from 1 million records to 10 records in milliseconds.  This is perfect...if you know exactly what query you want to execute.

As cyber attacks and even internal fraud and insider misuse becomes more strategic and complex, it will become impossible to use a signature and known-query approach to identifying attacks and attack parameters.  The next stage for security intelligence, is to start and use a more analytical, conceptual and behavioural driven approach.  This can help to add context to particular events.  If a particular user for example, always logs in via the corporate LAN, and then suddenly logs in from an untrusted public network, this could be assigned a higher risk rating, than if a field engineer, who always logs in from a public network, performed the same action.

Aiming for Proactive


However, one fact still remains.  This increased intelligence, is still reactionary.  The incident has potentially already occurred.  Data has already been lost, passwords have already been cracked, accounts compromised and brands damaged.

The main issue facing many information security managers and CISO's, is how to get security embedded into the organisation in a proactive way.  Let security become the default stance for the organisation.  Whilst CISO's need to acknowledge (and promote this message to other CxO's), that they will be attacked at some point, proactive (or offensive) security is a game changer.  It's a long term plan, which many will fail to achieve, mainly due to the lack of instant tangible results it can produce.

Proactive security needs to focus on both the tooling being used and the employees using it.  This will therefore require changes to the software development life cycle - how the software is tested, designed and released.  Many developers will see security as an add-on component, often being managed by a testing or post completion audit team.  Security should become a much earlier part of the design and code phase.  Code with security in mind, not the other way round.

From an employee and end user perspective, security should be entirely transparent (as acknowledged by a great post from HP's Rafal Los  - Security -v- Useability...).  If not it will be seen as inhibitive and complex.  Stealing a standard software design pattern analogy, security should be seen from a 'convention over configuration' mind set.  The application or process should be secure by default, not requiring additional or bespoke end user configuration changes.

Whilst intelligence driven security is the next step in managing complex security scenarios, I can only think it's a sticking plaster fix, for a more complex and long term problem.

@SimonMoffatt

Popular posts from this blog

Top 5 Security Predictions for 2016

It's that time of year again, when the retrospective and predictive blogs come out of the closet, just before the Christmas festivities begin.  This time last year, the 2015 predictions were an interesting selection of both consumer and enterprise challenges, with a focus on:


Customer Identity ManagementThe start of IoT security awarenessReduced Passwords on MobileConsumer PrivacyCloud Single Sign On
In retrospect, a pretty accurate and ongoing list.  Consumer related identity (cIAM) is hot on most organisation's lips, and whilst the password hasn't died (and probably never will) there are more people using things like swipe login and finger print authentication than ever before.

But what will 2016 bring?


Mobile Payments to be Default for Consumers

2015 has seen the rise in things like Apple Pay and Samsung Pay hitting the consumer high street with venom.  Many retail outlets now provide the ability to "tap and pay" using a mobile device, with many banks also offer…

Customer Data: Convenience versus Security

Organisations in both the public and private sector are initiating programmes of work to convert previously physical or offline services, into more digital, on line and automated offerings.  This could include things like automated car tax purchase, through to insurance policy management and electricity meter reading submission and reporting.

Digitization versus Security

This move towards a more on line user experience, brings together several differing forces.  Firstly the driver for end user convenience and service improvement, against the requirements of data security and privacy.  Which should win?  There clearly needs to be a balance of security against service improvement.  Excessive and prohibitive security controls would result in a complex and often poor user experience, ultimately resulting in fewer users.  On the other hand, poorly defined security architectures, lead to data loss, with the impact for personal exposure and brand damage.

The Role of Identity Management in the GDPR

Unless you have been living in a darkened room for a long time, you will know the countdown for the EU's General Data Protection Regulation is dramatically coming to a head.  May 2018 is when the regulation really takes hold, and organisations are fast in the act on putting plans, processes and personnel in place, in order to comply.

Whilst many organisations are looking at employing a Data Privacy Officer (DPO), reading through all the legalese and developing data analytics and tagging processes, many need to embrace and understand the requirements with how their consumer identity and access management platform can and should be used in this new regulatory setting.

My intention in this blog, isn't to list every single article and what they mean - there are plenty of other sites that can help with that.  I want to really highlight, some of the more identity related components of the GDPR and what needs to be done.

Personal Data On the the personal data front, more and more org…