Intel Security Group senior vice-president and general manager Chris Young has challenged the information security industry to be courageous enough to change its approach.
“But it is difficult for us to change when we are trying to survive the status quo in our business,” he said at RSA Conference 2015 in San Francisco.
Although the industry is set to benefit from $100bn a year being spent on security, Young said it can no longer continue to confuse hard work with results.
“The reality is that we are being outplayed in our industry, but the good news is that it is not ‘game over’ for us,” he said.
Young challenged the security industry to learn from the example of Oakland Athletics baseball team, which famously turned itself into a winning team by changing the way it operated.
A different approach to security
In 2002, the Oakland As were also not winning, he said. They had the third-lowest payroll in all of US baseball and could not afford to buy their way to a winning team.
The team’s journey to success is detailed in the book and film Moneyball, which is well-known for popularising the use of data analytics in professional sport.
“But that is not all they did. The Oakland As also challenged their own assumptions and put new approaches in place to tackle the problems they faced,” said Young.
A lot of what the Oakland As did, he said, contains potentially useful lessons for the information security industry.
Like the baseball team, Young said the security industry needs to think differently about the problem, it needs to act differently, and it needs the courage to see the changes all the way through.
“What is really instructive for us in the security industry is that the As did not just apply analytics to their problem, they looked at the data they had very differently,” he said.
This enabled them to discover that the usual measures of value in baseball were overblown and that the traditional statistics, such as home runs, were not all that mattered in fielding a winning team.
“They found new measures, such as on-base percentage or the ability to control the strike zone, as a better predictor of the ability to win the game,” he said.
According to Young, the Oakland As exploited market inefficiencies in a business that had been based on more than 150 years of conventional wisdom.
“They acquired low-cost talent in many cases, changed their operating model and got a huge return on their investment,” he said.
Gain attack insight and act on it
Although the information security industry has embraced the concept of data analytics for some time already, Young said the question is why the industry has not yet written its own Moneyball story.
Despite sharing more information and having more threat intelligence than ever before, he said the industry is not getting enough new insight into what really matters.
He said the real value lies in finding truly malicious and focused campaigns, not just looking at indicators that are suspicious or finding attacks that are merely opportunistic.
“We need to think differently about the data that we've got, and we can start by stopping the process of chasing down massive amounts of new information without purpose,” said Young.
Instead, he said, organisations can be more focused on value by, for example, linking significant attack campaigns to security alerts.
“That would require companies to understand the type of attacks that are relevant to their particular business and industry, but think about the value of being able to prioritise actions based on that insight and understanding,” he said.
The challenge, said Young, is putting that insight and understanding into practice in company tools, processes and people.
“It is about measuring value and focusing on quality of information, rather than quantity of information, so that if we use the baseball equivalent, we could actually field the team and the players that will give us the highest probability of getting runs and ultimately winning the game,” he said.
Hunt down the biggest security threats
As an example of how organisations can change the way they look at data, Young said they can examine the data for the probable path of an attack, rather than chasing down every alert.
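To make the idea concrete, here is a small Python sketch of the alert prioritisation Young describes in this section and under "Gain attack insight and act on it": alerts are linked to campaigns known to target the organisation's industry, and hosts whose alerts progress along a campaign's chain of techniques (a probable attack path) rise to the top, while opportunistic noise and campaigns that do not target the business stay low. This is an added example, not code from Intel Security or from the talk; the campaign profiles, technique labels, severity values and the alert stream are all constructed for illustration, and the scoring weights are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    ts: int          # seconds since epoch (constructed)
    host: str
    technique: str   # coarse technique label emitted by the detection rule
    severity: int    # base severity 1..10 assigned by the rule


# Constructed campaign profiles (illustrative, not real threat intelligence):
# which industries each campaign targets and the order in which it chains techniques.
CAMPAIGNS = {
    "campaign-A": {"industries": {"finance", "insurance"},
                   "chain": ["phish-link", "macro-exec", "cred-dump", "lateral-smb"]},
    "campaign-B": {"industries": {"retail"},
                   "chain": ["webshell", "pos-memory-scrape"]},
}

# Constructed alert stream for one day at a finance company.
ALERTS = [
    Alert(100, "ws-17", "phish-link", 2),
    Alert(160, "ws-17", "macro-exec", 4),
    Alert(400, "ws-17", "cred-dump", 6),
    Alert(900, "srv-db", "lateral-smb", 5),   # chain is scored per host, so this does not extend ws-17
    Alert(120, "ws-03", "port-scan", 3),      # opportunistic noise
    Alert(130, "ws-03", "port-scan", 3),
    Alert(140, "ws-44", "webshell", 7),       # high severity, but campaign-B does not target finance
]


def relevant_campaigns(industry):
    """Campaigns whose known targeting includes this organisation's industry."""
    return {name: c for name, c in CAMPAIGNS.items() if industry in c["industries"]}


def chain_progress(techniques_in_order, chain):
    """Length of the longest prefix of `chain` observed, in order, on one host."""
    i = 0
    for t in techniques_in_order:
        if i < len(chain) and t == chain[i]:
            i += 1
    return i


def prioritise(alerts, industry):
    """Rank hosts by a score that combines the worst base severity seen with a boost
    for progress along the technique chain of a campaign relevant to `industry`."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a.host].append(a)
    relevant = relevant_campaigns(industry)
    ranked = []
    for host, host_alerts in by_host.items():
        host_alerts.sort(key=lambda a: a.ts)
        seq = [a.technique for a in host_alerts]
        base = max(a.severity for a in host_alerts)
        best_name, best_len = None, 0
        for name, c in relevant.items():
            n = chain_progress(seq, c["chain"])
            if n > best_len:
                best_name, best_len = name, n
        # Two or more chained steps of a relevant campaign is the signal worth hunting;
        # a single matching technique is treated like any other alert. Weight 3 is assumed.
        boost = 3 * best_len if best_len >= 2 else 0
        ranked.append({"host": host, "score": base + boost,
                       "campaign": best_name if boost else None,
                       "chain_steps": best_len if boost else 0})
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked


if __name__ == "__main__":
    for row in prioritise(ALERTS, "finance"):
        print(row)
```

Run against the constructed feed for a finance company, the workstation that has moved through three steps of campaign-A's chain outranks the single high-severity webshell alert, even though that alert's base severity is higher; the same feed scored for a retail company ranks the webshell host first and gives nothing a campaign boost, because no host has chained two of campaign-B's steps.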
“One of the things that is unappreciated about the story of the Oakland As is that they put their new insights into practice. They changed not only the way they recruited players by going after rookies and veterans, but they also fielded their team differently. They changed the way they operated,” he said.
The result of this change is that the Oakland As went from a losing record to winning 20 straight games and setting a new American League record.
“This is certainly a story we can learn from in terms of how we can challenge our fundamental assumptions around security and do things differently with a lot of the tools and people we already have in place,” said Young.
Information security professionals need to have the courage to stop chasing down every alert, he said, and instead trust the security architecture to deal with 98% of what is coming at the organisation.
“Then take the talented people in the security team to go on offence, think like an attacker, and go hunting for the 2% of threats and attacks that you really care about,” he said.
This approach requires a different mindset to the one most information security professionals have, he said, and may involve using security technologies differently to get better results from new insights.
“If we think differently about the information we have, if we put it in context of the attacks we really care about, if we operate differently by putting new practices into place and have the courage to see it through, I believe that we could write our own Moneyball story for the security industry,” he said.