Big Data: Cyber Security's Silver Bullet? Intel Makes the Case

This article is more than 9 years old.

Cyber security has been a losing game of whac-a-mole for years, as the malefactors manage to pop out of new security holes faster than IT and their software suppliers can plug the last batch. The game has also been a costly one for businesses and end users, which have collectively spent billions of dollars on an increasing array of products and annual upgrades to address each new threat category and set of exploits. The flip side has been quite lucrative for the security-industrial complex, both established multi-billion dollar firms like Symantec and McAfee (now Intel Security) and startups like FireEye and Palo Alto Networks, which have racked up multi-billion dollar sales and stock valuations in the past few years. Yet the spending hasn't prevented a weekly barrage of high-profile security incidents. Indeed, the litany of big corporate hacks -- Target, Home Depot, PayPal, et al. -- underscores the need for dramatic changes to security product designs and substantial upgrades to enterprise systems and practices.

Every new exploit seems to unleash a flood of announcements touting niche products that allegedly saved their customers from the same sorry fate. In the security business, Monday morning quarterbacking is the norm. Yet many business and IT leaders sense that something's missing from the products security hucksters have been pitching for years. Simply adding to the existing product portfolio and reflexively following the conventional wisdom of "defense in depth" without a plan to integrate and share information between the various security systems has been a losing proposition: it wastes a lot of money without being particularly effective.

Despite promises of a quick fix, savvy technology leaders realize that bolting the latest, greatest security technology onto a creaky infrastructure with under-trained, over-worked staff won't work. After all, Target spent $1.6 million on one of the most advanced security products available, yet still missed the attack that cost its CEO and CIO their jobs. The problem is the patchwork nature of most security systems. Experts preach the wisdom of layered security, but adding layers without a strategy is like adding varnish to a rotting structure: it just temporarily hides the problem. These strategic shortcomings haven't been lost on experts, as evidenced by announcements and presentations at the recent Intel Security (formerly McAfee) FOCUS conference. Keynotes by GM Pat Calhoun and CTO Mike Fey detailed the firm's integrated security architecture and the power of automated information collection and sharing between myriad security systems, what Gartner Research Director Lawrence Pingree calls "intelligence awareness".

Next-Generation Architecture = Connected Platforms + Big Data

Recent exploits bolster Calhoun's contention that cyber criminals have been taking advantage of siloed security products and operations teams, making them easy to bypass. Furthermore, Pingree says the lack of automated intelligence sharing means human and business processes can't respond fast enough to prevent breaches. Instead, in his FOCUS presentation, Pingree says security systems must become "adaptable based on contextual awareness, situational awareness and controls themselves can inform each other and perform policy enforcement based on degrees or gradients of threat and trust levels." Translated: security systems must continuously inform each other of newly detected threats and adapt their behavior in real time. Pingree offers a familiar analogy, the police APB, where the first officer on a crime scene immediately radios details about the suspects, alerting the entire department to be on the lookout.

For Intel, "intelligence awareness" translates to a new security product architecture that weaves the existing portfolio of McAfee products, including everything from PC software to data center firewalls, into a data collection backbone feeding a centralized repository used to correlate security anomalies across multiple systems. In practice this means that once a PC running an anti-malware suite detects an attack, say an infected PDF or image file or a trojan drive-by browser download, or the firewall sees malware coming from a specific Web site, it shares that information with a central big data repository that then informs the other devices. In turn, each security system, whether other PC clients, data center firewalls or cloud-based security appliances, adapts its policies and controls to block the newly detected threat.

Intel calls its data exchange layer the threat intelligence exchange (TIE), but the idea of pairing big data analytics with fine-grained security event collection isn't new. The Cloud Security Alliance (CSA) issued a white paper last year outlining the ways big data could be used to improve security. Indeed, companies large and small have been aggregating security events from across thousands, or perhaps millions, of endpoints and security appliances to build early warning systems that detect threats designed to fly under the radar of traditional security systems. For example, IBM pairs its QRadar Security Intelligence and big data platforms into a system that can analyze a multitude of data sources (DNS transactions, emails, documents, social media data, network packet capture and business process transactions) over years of activity to expose threats and suspicious activity hidden amidst the noise of millions of routine events. Likewise, CounterTack collects and correlates data from thousands of endpoints to detect malicious behavior that might not be apparent when looking at a single system.

Intel's Fey contends that building next-generation security products on an extensible, connected platform that weaves together distributed data collection, big data analysis and real-time incident response and remediation not only greatly enhances security, but also increases the rate of innovation, since new technologies and modules can build upon the existing security backbone. Perhaps key to Intel's approach, and indeed that of all next-generation security products, is linking incident detection with response. Says Fey, "Don't just ring bells and blow whistles, but take action on indicators of attack." Only when enterprises close the loop between detection, response and prevention in an automated and self-modifying system will they gain the upper hand on cyber criminals. Once whacking the moles becomes predictable and robotic, the moles won't stand a chance.
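The hub-and-spoke exchange described above (one sensor reports, the central repository correlates, every subscribed control adapts its policy) and Fey's "take action on indicators" loop, as an added toy model written for this page; it is not Intel's TIE code, and the class names, evidence weights, per-control thresholds and the rule that a second sighting from the same sensor does not raise the score are all assumptions chosen to illustrate "gradients of threat and trust levels".

```python
"""Toy threat-intelligence exchange: sensors report sightings of an
indicator, the hub scores it, and each subscribed control blocks once the
score crosses that control's own threshold.  Illustrative code, not a
vendor product; weights and thresholds are assumed values."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Control:
    """A security system (endpoint AV, firewall, ...) fed by the hub.
    A low threshold blocks early; a high one waits for corroboration."""
    name: str
    threshold: int
    blocked: set = field(default_factory=set)

    def on_update(self, indicator, score):
        if score >= self.threshold:
            self.blocked.add(indicator)


class ThreatExchange:
    """Central repository: aggregates sightings and pushes new scores."""
    # Assumed evidence weights: stronger evidence contributes more.
    WEIGHTS = {"sandbox_detonation": 60, "av_signature": 50, "firewall_heuristic": 25}

    def __init__(self):
        self.scores = defaultdict(int)      # indicator -> 0..100
        self.reporters = defaultdict(set)   # indicator -> sensors that saw it
        self.controls = []

    def subscribe(self, control):
        self.controls.append(control)

    def report(self, reporter, indicator, evidence):
        # The same sensor re-reporting must not inflate the score;
        # corroboration from a different system does.
        if reporter in self.reporters[indicator]:
            return self.scores[indicator]
        self.reporters[indicator].add(reporter)
        self.scores[indicator] = min(100, self.scores[indicator] + self.WEIGHTS[evidence])
        for control in self.controls:           # close the loop: detection -> response
            control.on_update(indicator, self.scores[indicator])
        return self.scores[indicator]


def demo():
    hub = ThreatExchange()
    firewall = Control("dc-firewall", threshold=50)
    endpoint = Control("pc-endpoint", threshold=75)   # blocks only corroborated threats
    hub.subscribe(firewall)
    hub.subscribe(endpoint)
    ioc = "sha256:constructed-example-hash"          # constructed, not a real IoC
    hub.report("pc-017", ioc, "av_signature")        # 50: firewall blocks, endpoint waits
    hub.report("pc-017", ioc, "av_signature")        # duplicate sighting, still 50
    hub.report("sandbox-01", ioc, "sandbox_detonation")  # 100: every control blocks
    return hub, firewall, endpoint
```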