The Internet may have transformed every aspect of business and personal life but the truth is that it is still in its infancy. As a result, there is a clear lack of sophistication and maturity regarding the way the Internet is used and abused today.
Data security is without doubt the primacy concern. The continuous innovation in the way in which businesses and individuals operate online is only matched by the level of invention and diversification in the hacker’s armoury. Mark Kedgley, CTO, New Net Technologies, argues that the only way to win the Internet Security war is to approach it like any traditional war, with a variety of tactics to win each individual battle and a clear focus on intelligence.
Mark Kedgley, CTO, New Net Technologies :
What will make businesses and individuals take the online security threat seriously? Right now, whether it was the hacks of federal targets like the IRS and the Office of Personnel Management or the news that a major league baseball team had been hacked by a rival, suddenly there is a serious awakening to just how much confidential personal and corporate data is at large – somewhere – on the Internet and just how vulnerable that information could be.
The problem is that while fear is rising, few people have any real idea how to counter the threat. And of those that do have an understanding of security best practices, many do not have the stomach to implement and operate these to an effective level.
Which is why so many are willing to embrace any ‘silver bullet’ on offer from the Cyber Security Market. From Anti-Virus (AV) software to Next Generation firewalls, Threat Intelligence networks to Sandboxing, the market is muddled and those tasked with deploying technology are confused. While security responsibility is slowly creeping out of the wiring cupboard and onto the board agenda, most companies still perceive security best practice to be too complex, arduous and time consuming to deploy and can be easily enticed by the latest security promise.
But each new wave of technology is nothing more than an inspiration or challenge to a determined hacker. A recent example that illustrates this point perfectly was the Rombertik malware, clearly engineered to undermine the highly expensive and – certainly as far as the vendors of such products would have you believe – impenetrable sand-box technology. While this might be deemed a rare, one-off exception to the general rule, the knowledge is out there and will be commonplace within months. As such, the attack surface is continually evolving, with new weak-spots inexorably being exploited. So where does that leave those organisations that believed by investing in the latest prevention-technologies they had security nailed?
To be blunt, there is no way to guarantee a company will not be breached. In fact the only option is to complement any threat prevention measures with a way of rapidly detecting breach-activity before it causes any significant damage – from stealing customer information to gaining invaluable intellectual property, or just wreaking havoc across the corporate network. And that means evolving from an emphasis on stopping the breach, to one of stopping AND spotting the breach.
The good news is that this model is beginning to gain traction. According to Gartner, 40 percent of large organisations will have formal plans to address “aggressive” cyber-security business disruption attacks by 2018. In its “Attack on Sony Pictures Is a Digital Business Game Changer” report, the firm says that while there are currently no companies adopting such a strategy, which would see CISOs and business continuity managers (BCMs) increasingly move from prevention to detecting and responding to attacks, attitudes are changing, fast.
Indeed, there is a wider effect of raised awareness as a result of these high profile breaches, with Gartner insisting these events’institutionalise more-proactive thinking about cyber-security risks’. This attitude will without doubt affect the way individuals perceive suppliers, customers and business partners alike and will ensure far more people at every level of the business are attuned to the issues of online security.
However, expecting just 40% of companies to have made this shift by 2018 is not good enough; it is time to get real with respect to combined breach prevention/detection and plan for the inevitable successful attacks right now. Companies need to embrace a combination of intelligence, process and technology. Merging security best practices with intelligent automation of functions like change control and breach detection enables a company to successfully identify and track every single unexplained and unexpected change or action across the infrastructure, without being overwhelmed by noise, in order to respond fast to suspected incidents. It is only by spotting and, more critically, responding to these breaches that any company can attempt lock down against the raging cyber threat today.
Over time this situation will change. With time comes sophistication and maturity and, without doubt, cyber security behaviour will become more of an essential, basic life skill, like learning to cross the road safely. Consumer awareness will also continue to rise and those companies failing to adopt the right approach will be named, shamed and pilloried. But how long will this take? Five years; ten? Even longer, perhaps. In the meantime there will be a constant process of balancing the ingenuity of the foe with the dogged determinedness of the friend; organisations will get better at attaining security best practice; and, hopefully, it will become less onerous to get that best practice in place as technology solutions evolve.
However, one message remains clear – no one can expect to stop every single new breach. Whether the security threat is internationally funded terrorist organisations, governments, industry competitors, organised crime or even still the clichéd teenage geek, it will continue to expand and also evolve. And facing this kind of future, any organisation not prepared to mobilise a full range of tactics to both stop – and spot – a breach will, inevitably, end up as another casualty of the Internet War.