The new school of cyber defence calls for security that is agile and intelligent, according to Art Gilliland, senior vice-president and general manager of enterprise security products at HP.
“It emphasises protecting the interactions between users, applications and data,” he told RSA Conference 2015 in San Francisco. “The world has changed and we must change the way we secure it.”
But the reality for many organisations is that they still have to protect infrastructure that dates back to an earlier, pre-cloud services era, said Gilliland.
Old-school cyber defence still has to be at the heart of what information security professionals do every day, while the new school is about adapting it to meet the needs of a changing IT environment, he said.
“Even though there is a new world that we interact with using new types of applications, there is a lot of our environment that we still need to figure out,” he added.
With this goal in mind, Gilliland said HP conducts annual research to identify the security challenges organisations are really facing.
“According to this research, the top vulnerability in applications today is misconfiguration, 44% of attacks are between two and four years old, and the top exploited vulnerability in the past year was identified and patched in 2010,” he said.
HP's research also showed that 87% of organisations assessed on how they manage and respond to their existing infrastructure challenges fell below the benchmark.
“While we talk a lot about the advanced threat and new zero day threats, what we should be learning from the old school of security is that we still have a lot to learn,” said Gilliland.
The first thing many organisations need to learn is that basic security hygiene must still be the top priority, he said.
“The second thing is that it is the people and the processes that make us safe because so many of the attacks are against old vulnerabilities that we know exist,” said Gilliland.
The third most important thing many organisations still need to learn is to focus on the security fundamentals, he said.
Gilliland said that in relation to those fundamentals, for the past five years, HP and the Ponemon Institute have published an annual study that correlates spending on different categories of capability with the estimated cost of data breaches.
The latest study found that organisations with a much broader focus on protecting the information that matters, for example through the use of encryption, had breach costs 20% lower than the average.
“So identifying and understanding what information matters, figuring out where it is, and then putting encryption on that data had a 20% lower cost of breach,” said Gilliland.
Second, the study found that organisations that had built security intelligence systems to see, monitor and analyse what was going on in their environments had a 23% lower cost of breach.
Third, he said, building a capability to understand how to protect the business’s IT environment with advanced threat technologies was shown to reduce breach costs by 19%.
“In all the noise that is out there in the security environment, this correlation between investment and breach cost reduction provides a way of starting to think about how to allocate the budget,” said Gilliland.
Attacks have increased
But even with that input, in the past five years the number of attacks has increased by 176% and the cost of breaches has jumped by 96%, he said.
“That is because the adversary is professionalising. They are attacking us with greater efficiency with professionally produced tools and that is making it increasingly difficult for defenders.”
Another reason why defence is increasingly challenging is the fact that the world in which businesses are interacting and the infrastructure they are protecting is no longer just inside the organisation, he said.
“HP is one of the largest customers of Salesforce.com and there are parts of our business that actively use Netsuite, which means tons of our information and interactions are happening outside HP, and outside the capabilities we have to protect and see the data.”
In this scenario, the new school of security becomes important, said Gilliland. “It is not just about the infrastructure and what we are doing there, it is also about the interactions that are going on between our users and the ecosystem of services they are consuming from us.”
According to Gilliland, the only way to keep track of an organisation’s data and transactions as they move through multiple interconnected ecosystems is to break it into small pieces and gain visibility.
“So there is this concept emerging in the new school of cyber security of a cloud proxy to provide a way of getting into the data stream,” he said.
Users not always people
But in the future, users will not always be people and so that proxy will have to enable businesses to see and analyse what is going on, and then enforce policy, he explained.
“Those are some of the challenges in the new school of cyber security, and so the other important part of the new school of security is the ability to collaborate,” he said.
“We are going to have to work together better to secure ourselves. We are going to share information, capabilities and intelligence, and that is going to help us.
“But we also need to bring forward the old school, and think about the infrastructure we have and how we deliver hygiene for that, how we configure that, how we invest in people and process, and how we focus on the security fundamentals that the research shows us can work.
“However, in the new school, it is going to be about interactions within our infrastructure as well as outside our infrastructure between users, applications and the data.”