Cyber threats will always get ahead of defences, which is why organisations need a strategic approach, says Gartner analyst Lawrence Orans.
"Organisations need to be proactive in spotting threats and preventing or mitigating damage," he told the Gartner Security & Risk Management Summit 2011 in London.
The challenge for IT security professionals is choosing the best combination of proactive tools from five broad categories: network discovery, network behaviour analysis, specialised threat detection, penetration testing and network forensics.
Network discovery tools identify all devices connecting to a network, and typically highlight that 10% to 25% of network endpoints are unknown, said Orans.
"In some cases, organisations have found rogue wireless access points, cash registers, security cameras and gaming consoles connected to their networks," he said, all providing potential entry points for intruders.
Network behaviour analysis tools establish a baseline for a network's traffic and raise alerts whenever there are deviations from normal patterns.
These tools can help IT security professionals identify targeted attacks and fine-tune intrusion detection and prevention systems and firewalls.
However, businesses that do not have predictable network traffic patterns may struggle with a high number of false positives, said Orans.
Penetration testing, he said, can be extremely valuable in getting the attention of senior management by highlighting vulnerabilities and demonstrating exposure to risk.
These tests are also useful in helping IT security professionals to identify internal threats and to prioritise the most dangerous vulnerabilities, said Orans, but 70% are outsourced because of the high skills requirement.
Network forensics also requires advanced skills and is still a very niche market that tends to be outsourced in the form of a service.
Such services enable organisations to capture all information on a network, which is useful for post-incident analysis to establish the cause and effects of cyber attacks, said Orans.
Organisations considering network forensics services should pay particular attention to how quickly stored events can be searched and analysed before choosing a supplier, he said.
Finally, specialised threat detection is aimed at providing businesses with assurances that they have not been targeted by threats such as spyware or advanced persistent threats (APTs).
This type of security software typically analyses the source of network traffic, examines the payload or looks at the traffic itself to see if it conforms to normal or expected patterns.
One of the biggest problems with specialised threat detection, said Orans, is that it requires highly skilled users and constant use to stay on top of rapidly evolving threats.
Apart from intelligence agencies or the like, few organisations will need all of these proactive security technologies, said Orans.
In choosing the most appropriate technology, organisations should assess the business impact of an attack on each of their systems to identify which are critical.
"If impact of an attack would be high, the organisation should look for the best-of-breed product available in the appropriate technology type," said Orans.
For the rest, IT security professionals should look to existing security systems to ensure that they provide protection that is "good enough", he said.