Disruption key to data protection, says HP

Enterprise information security needs to go beyond traditional ways of thinking, according to Hewlett Packard

Enterprise information security needs to go beyond traditional ways of thinking enshrined in frameworks such as ISO27001, according to Hewlett Packard.

“If businesses carry on doing security the way they have been within budget constraints, they are going to lose,” said Art Gilliland, global security lead at HP.

Information security professionals need to recognise their adversaries are organised around a common goal of stealing data and are specialising in each stage of attack, he told Computer Weekly.

“They are participating in a global marketplace for cyber breach, with the market forces of organisation around value chain and specialisation driving investment in crime,” said Gilliland.

The result, he said, is that adversaries can typically far out-spend and out-innovate individual companies because crime is a profit centre, while for business, security is typically a cost centre.

The only way security professionals and the industry as a whole can compete, said Gilliland, is to focus on disrupting adversaries and the cyber attack marketplace.

“A lot of the focus at HP is on what technologies, services and capabilities are required to disrupt the adversaries at each stage of an attack: research, infiltration, discovery, capture and exfiltration,” he said.

HP, like Microsoft and Adobe, believes that by shifting to a disruption model, the security industry is more likely to be successful in reducing the impact and effectiveness of cyber criminals.

“Companies need to build their own capabilities to disrupt each of the five steps in the typical attack process,” said Gilliland.

However, HP research has shown that most organisations are still focused on trying to keep the adversary out, with 86% of security budgets allocated to stopping infiltration alone.

“But if you are competing with the best cyber criminals, who only need to be right one time, it is inevitable that they will succeed in breaking in,” said Gilliland.

For this reason, HP believed it important to invest in capabilities to tackle other stages such as discovery, where businesses could develop a capability to find adversaries after they have broken in, but before they steal data.

“More investment in some of these other areas can help to create more layers of defence and more complexity for the adversary to implement their process and make defences a lot more effective, but still few organisations are doing that,” said Gilliland.

According to a data breach report by security firm Mandiant, 94% of organisations breached in 2012 were notified of the fact by third parties.

“Mandiant shows that, in 2012, adversaries were inside organisations for an average of 13 months before they were detected, and around eight months on average so far in 2013, so being more effective at finding them before they have stolen data would radically improve defence capability,” said Gilliland.

He admitted it can be difficult to re-allocate budgets, but suggested companies begin by identifying their most important data and protecting that in a different way to the rest of their company’s information.

Next, Gilliland said organisations should look at ensuring that budget increases are not allocated to the latest blocking technology, but instead invested in technologies that have a better return, such as those that reduce the average cost of a breach.

“Research has shown the average cost of breaches for companies that invest in technologies to enable them to find the adversary after they have broken in, but before they can steal data, is around half of the average breach cost for those who have not invested in these technologies,” said Gilliland.

HP’s research, in conjunction with the Ponemon Institute, showed the return on investment for security intelligence analytical tools is high, he said.

Gilliland believed that, for new investment, businesses should look first at security intelligence systems, next at systems that ensure better governance of access to sensitive data, and then technologies such as encryption and data loss prevention to disrupt adversaries.
