Bill Smith, senior vice-president of worldwide field operations at US-headquartered security intelligence company LogRhythm, doesn’t think the biggest security challenge the world faces today is a virus or a new hacking technique. To him, it is something basic. “Probably the biggest security threat facing us today is a lack of security expertise,” he told Computer Weekly in an interview.
“[In the US alone] more than a million jobs in the security space are open and you can’t fill them,” he says. “This is a big problem, because when it comes to security processes and practices and designing your security infrastructure, there is no threat out there so bad that we can’t protect ourselves from it, but knowing how to do it is a challenge and there is a shortage of people who know how to do it right now.”
He suggests people are still relying too much on 1990s security. In other words, they are still only invested in firewalls and antivirus protection. “Today, that’s not even close to being secure enough,” he says. “Today, it is critical that we do continuous data monitoring; and we have to monitor things like behaviour and patterns and traffic and servers. We monitor these things first so we know when things don’t look right. Humans can’t notice it, but machines can.”
Multi-supplier approach to security
The question is, how many suppliers do you need to provide complete security? Can one security company fulfil all the security needs today?
“You need multiple levels of security,” says Smith. “Our technology, for example, would not be enough alone. And I don’t think any one supplier is enough, frankly. You need endpoint security, perimeter security like your firewall and IDF [intermediate distribution frame] devices, and you will need monitoring and detection as well.”
According to Smith, companies need more than software to secure themselves. “You need good processes and good practices,” he said. “According to a recent Verizon Security Report, more than 80% of breaches involve compromised credentials. Security is a combination of processes and practices, along with products. You need all these things to have a solid and comprehensive security posture.”
Security a collective responsibility
Smith says there is increasingly a feeling that cyber security is a collective responsibility, and everyone in the ecosystem – governments, industry, communities – has a role to play in it. For example, last year, when the Singapore government unveiled its cyber security strategy, it envisaged a framework of collective security, and roped in other governments from Southeast Asia to work together to make the region secure for individuals, governments and businesses.
Smith agrees with this proposition to a certain extent. He says this posture of collective responsibility is reflected in the cyber policies emerging in many countries. He uses Singapore as an example, pointing to how it is trying to make everyone in the ecosystem play a vital role in security.
He says the disclosure laws being discussed in Australia and Singapore, which will require companies to disclose information about a breach if it crosses a certain threshold, are important. The affected company, he says, would then have to notify all its customers or clients that may have been exposed.
Continuous data monitoring enhances security
Smith says he admires Singapore’s cyber security policy, which emphasises data monitoring. “One of the big aspects of it is continuous data monitoring, where monitoring is required for all critical systems,” he says. “Those elements of the policies are very similar to what we see in other parts of the world. I would not say that policies in ASEAN [Association of Southeast Asian Nations] are lagging behind other regions, but the region is lagging behind in adoption for sure, because other countries have been doing this for years.”
As for Singapore’s attempt to build closer cooperation between ASEAN countries to combat cyber threats, Smith said the results would depend on “the details of the policy and how it is policed”.
“What level of accountability can we expect?” he asks. “The regulations also need to keep pace with the threat map because threats change over time. There needs to be evolution of these policies. I think it can work and I will say, at minimum, it should be a substantial improvement.”
The most important thing for Smith, however, is that the governments concerned are involved in the policies to drive accountability. “Policies should not be just recommendations,” he says. “There should be penalties for non-compliance. Unless there are penalties, companies won’t comply because it costs money to comply.”
The future of cyber security
Smith is certain that a big shift is taking place in the cyber security landscape across the world, including in Southeast Asia.
“There is a big shift in the cyber security space from traditional security models towards things like behavioural anomaly detection, continuous data monitoring and analytics,” he says. “At the same time, I don’t think we will ever go away from that traditional security [model]. We still need that.”
Gartner has suggested that by 2020 we will have shifted from spending 10% of the security budget on monitoring and detection to 60%. “So around half of the industry budget is going to move into monitoring and detection,” predicts Smith. “We clearly will see more emphasis on machine analytics because humans simply can’t keep up with these problems, and computers have to get smarter,” he says in conclusion.