
Security: From hunted to hunter

Tue 12 Feb 2013

Albert Einstein once said that if he were seeking a needle in a haystack, unlike others, he wouldn’t stop when he found a single needle but he would look for all the possible needles.

That’s a well-advised approach for security analysts; after all, the accepted position today is that miscreants will get in.

The challenge is to identify breaches and deal with them as soon as possible, thereby reducing the window of opportunity for damage to be done.

If the needles are the attackers, then the hay is the mass of connections, data, exploits, networks, malware combinations, devices and people who populate the online world.

The art and science of information security technology has taught us that attackers are ingenious in their exploits.

Identifying and quantifying risks has therefore always presented a thorny problem with the deck stacked against those who seek to defend, and in favour of those who seek to attack.

A further challenge is that increasingly sophisticated cybercriminals tend to know what methods defenders are practising, and therefore employ strategies and tactics which are deviously innovative.

The problem:

While technologies and processes to prevent attacks are necessary (common ones include antivirus, intrusion detection and firewalling), the early detection of anomalies is increasingly important, as an anomaly can be the sole signature of a ‘new’ attempt to break in: attackers are likely to be using methods or exploits which these technologies and processes will not stop.

That raises the necessity for security monitoring across the full spectrum of what is encountered on the network and the internet.

The immediate issue is one of complexity and volume.

Factor in, too, the enormous range of threats faced by companies using information technology, and the possibility of gaps appearing in the armour of organisations even when their individual components are highly secure.

Compliance isn’t enough:

High-profile security breaches are not uncommon. Some of the world’s most recognised companies, which have invested in, and passed all legally binding requirements for data security, still fall victim to cyber attacks.

This is a stark reminder that regulatory compliance, while necessary, is not sufficient. Again, attackers probably know the law just as well as the compliance officer does, and therefore know how to get around the controls it requires.

A better-equipped security team achieves compliance almost as a byproduct of their central focus and keeps the network safer.

Next-generation SOC:

Businesses are recognising the necessity for security monitoring. Gartner indicates that some 22% have implemented, or are in the process of implementing, a monitoring system, and a further 21% plan to do so within the next 12 to 24 months.

While the attention that security monitoring is receiving is appropriate, it once again raises the question: do traditional SIEM solutions do enough to keep smart, well-resourced and determined attackers out?

Since attackers likely know what these solutions are looking for, the answer is ‘no’.

By: Shaun McLagan, GM, RSA ANZ, the Security Division of EMC.
