Security budget allocations have remained the same for the past 15 years, despite the fact that threats have completely changed, says Shlomo Kramer, founder and chief executive at security firm Imperva.
“Most of the security spend is still allocated to network firewalls and antivirus (AV) systems, but attacks are no longer broad, notoriety-seeking and naïve; they are very targeted, sophisticated and well-funded,” he told Computer Weekly.
AV and network firewalls are no longer enough to address the whole range of new types of attacks, says Kramer, who has been working in information security since the late 1980s.
“Organisations spend billions of dollars a year on AV, but they will be in big trouble if they are hit by 100 different kinds of malware and their AV system can recognise only four of them,” he says.
However, enterprises are beginning to understand that they need to start reallocating security budgets to next-generation technologies that are designed to tackle new and emerging threats.
Aligning security investment with threats
Security suppliers are developing new methods for protecting data on the endpoint, in the network and in datacentres from a growing number of web-based threats, which are the top enterprise threat, according to Microsoft data.
“We are seeing suppliers developing new technologies to provide additional layers of security, such as datacentre security products, that we have not seen before,” says Kramer.
At the same time, existing security stacks are being revamped in an effort to better address the new kinds of threats that businesses are facing.
“Among businesses, we are finally seeing a reassessment of how they invest in security,” he says.
Kramer believes the corrective actions by some in the past 12 months are just the start of a much longer corrective cycle aimed at realigning security investments with security threats.
Suppliers are partly to blame for the misalignment that has grown over the past 10 years, he says, as they have contributed to the confusion by claiming their products were able to do more than they could.
Logical buying decisions
“Another problem is that for many organisations, buying security is a bit like buying insurance, in that decisions are often emotional rather than logical,” says Kramer.
“It is also easier to renew existing contracts than to reassess your whole security strategy and look at new-generation technologies,” he says.
However, some companies are now finally making that move because the financial, economic and political threats have become much more immediate and much more serious, Kramer points out.
These companies understand that regardless of their size, they will lose sensitive commercial data if they do not put adequate layers of protection around their key information assets.
“Companies are beginning to base budget allocations on detailed analysis and much better judgement than they have in the past,” says Kramer.
All organisations have to face the reality that they are no longer buying a general insurance policy against something that might happen, he says, but a system that is necessary to protect against something that will hit them if they are not protected.
By understanding this change, Kramer believes security purchasing decisions will become less emotional and more like other purchasing decisions, based on detailed analysis and business need.
“We are seeing a major shift in awareness at the executive level, with executives wanting to know about their vulnerability to specific kinds of threats that have emerged in recent years,” he says.
Kramer believes that cyber threats have finally reached the level of executive managers and the board, who are now engaging more with information security professionals around specific threats.
He expects this new awareness to help engender more dynamic and progressive thinking about the allocation of information security budgets in future.
In terms of strategy, Kramer says organisations need to recognise that they will be penetrated, so they should identify their key information assets and ensure these have the highest level of protection.
“Start with your most valuable information assets in the datacentre and work your way outwards,” he says.
Looking to the future, Kramer says the network security stack is the most advanced, and that two revolutions are beginning there: one around the network firewall, to detect stealthy applications and regain control of the network, and one around content control, to find new ways of identifying malware in network traffic.
Regarding endpoints, mobile devices have introduced a whole range of new endpoints that enterprises have not had to deal with before.
“Problems we have had on the desktop will be multiplied many times over on mobile platforms, because malware on smartphones is more dangerous: it is a more personal device and can provide attackers with information such as where you are,” says Kramer.
It also potentially gives attackers access to corporate email systems, enterprise apps, call logs and even voice conversations, he says.
Kramer believes that mobile platforms will demand some of the greatest innovation in security technologies, as will modern malware that has evolved well beyond the capability of traditional AV.
Another important area of innovation, he says, will be security technologies for protecting big data in on-premise and cloud-based datacentres, including protecting and controlling access to software as a service (SaaS) applications and other cloud-based services.
Finally, on the management side, Kramer says security information and event management (SIEM) systems are having a lot of difficulty in coping with advanced persistent threats (APTs) and delivering value to the business.
“Businesses need to look to next-generation SIEMs with real security intelligence that is capable of delivering on the promise of correlating events to identify APTs, which will mean a lot of innovation in this area as well,” he says.
To discuss these and other topics further, Kramer is to take part in the Hall of Fame panel discussion at Infosecurity Europe 2013 at Earls Court, London, 23-25 April.