By Michael Vizard
The problem with anything relating to security is that it’s hard to justify exactly what the appropriate amount of investment is. All the security technology in the world doesn’t guarantee absolute security. But, of course, it’s a lot better to be forewarned if there is any hope at all of being forearmed.
For that reason, the security industry's focus is shifting from simply defending IT organizations against attacks to also delivering the intelligence that IT organizations need to defend themselves before an attack hits.
The basic idea is that while there isn't a way to prevent the attacks from occurring, the mean time to remediation can be made much shorter. In fact, once an attack is detected, IT organizations could be alerted not only to what vulnerability that attack is trying to exploit, but also to just how vulnerable their own IT systems are to that specific type of attack.
Delivered via the cloud, these types of security intelligence services will be crucial if IT organizations hope to keep pace with increasingly sophisticated assaults. Instead of randomly launching broad sets of attacks that cyber-criminals hope will affect the broadest number of targets possible, hackers working for cyber-criminals or nation states are launching more sophisticated attacks that are aimed at specific organizations and, sometimes, specific persons in an organization.
Known as advanced persistent threats (APTs), these attacks are still a relatively small percentage of today’s attacks, but they are the most dangerous in the sense that they are usually designed to steal specific types of intellectual property. Unfortunately, that’s precisely the type of attack that many companies are the most ill-equipped to deal with, which is why organizations, such as the U.S. Capitol Police, are investing more in security intelligence.
According to Richard White, chief information security officer for the U.S. Capitol Police, investing in security intelligence services, such as those offered by IBM, Hewlett-Packard and others, is now a requirement to keep pace with attackers who are increasingly using more sophisticated tools, including data analytics applications that can discover vulnerabilities more rapidly than ever before.
The degree to which security intelligence services can protect IT organizations is debatable. But without them, it’s almost certain that IT organizations with relatively small staffs will be overwhelmed, says White.
“These kinds of capabilities allow us to better keep pace with the volume of attacks we need to deal with,” says White.
In fact, the staffing issue is one of the critical requirements that security intelligence services are meant to fill. “When you look inside most organizations there isn’t anybody dedicated to hunting down attacks,” says Eric Ahlm, a Gartner industry analyst. “Security intelligence services fill a big gap.”
That gap, says Andrzej Kawalec, global chief technology officer for HP Enterprise Security Services, results in the average security breach costing about $8.5 million. To fill that gap, Hewlett-Packard just updated its ArcSight portfolio of security offerings to include threat detection and threat response management capabilities.
One security challenge that most IT organizations face now is a growing sense of fatigue. According to Kevin Thompson, a risk and intelligence researcher for Verizon, the telecommunications carrier's data breach research shows that the vast majority of attacks being launched are relatively simple, which can lull organizations into a false sense of security.
“The overall sophistication of most attacks is fairly low. There is, for example, a lot of targeting of weak passwords,” says Thompson. “At the same time the number of espionage-related attacks has gone up.”
Naturally, the competition to deliver the advanced warning systems needed to combat APTs has touched off a security intelligence arms race. Major security vendors, such as McAfee, Symantec, Trend Micro, Fortinet, Cisco and Check Point Software Technologies, are looking to differentiate their security wares based on the security intelligence services they provide.