
Time to get responsive about IT security

By Admire Moyo, ITWeb's news editor.
Johannesburg, 31 Jan 2013
It is important to have a big data approach to security, and that's where security analytics comes in, says RSA's Art Coviello.

There is a need for organisations to rethink their IT security budgets, as most are directing a huge chunk towards prevention rather than detection and response to threats.

So said Art Coviello, executive chairman of RSA, the security division of EMC, in a Webinar yesterday, when unveiling the company's new security analytics solution, RSA Security Analytics.

According to RSA, the new solution is a transformational security monitoring and investigative tool designed to help organisations defend their digital assets against today's most sophisticated internal and external threats.

In the Webinar, Coviello revealed that organisations tend to spend most of their IT security budgets on prevention. "Roughly 70% to 80% of the budget is spent on prevention; only 15% to 20% on the detection; and, inexplicably, only 5% to 10% on response."

Hyper-connected world

This should change, he said, as the threat landscape has radically transformed over the past decade.

"Over these past 10 years, we have opened up our infrastructures, creating a hyper-connected world. The amount of digital content we store has soared, going from one exabyte to one zettabyte. The bandwidth we have has gone from 100 000bps to 100 million bps. This increases the velocity of all that data," he said.

"In terms of applications - mostly client server and mainframe - now, more and more, everything is a Web app. And, in terms of mobility, you had your laptop; today we have a plethora of mobility devices - iPhones, Droids and tablets."

The result of all this, he added, is the creation of hyper-connected infrastructures. "We have opened up ourselves more than ever before. Sure, we have yielded tremendous increases in productivity for all our organisational mission goals, but we have also created these hyper-extended infrastructures. We have created those same openings to those who do us harm."

Complex criminal ecosystem

According to Coviello, roughly 10 years ago, organisations did not face a complex criminal ecosystem. "Ten years ago, we were dealing with script kiddies and people who were just trying to make a name for themselves by creating a nuisance.

"We didn't have these complex advanced persistent threat attacks from nation states trying to steal our intellectual property. We didn't have a host of cyber hacktivists who were interested in embarrassing us on a continuing basis."

However, the threat landscape and the sophistication of attacks have changed dramatically, he said, and the situation is only going to get more difficult as more of these infrastructures move to the cloud, and as organisations allow more mobile devices into their environments and push more applications and data creation out to mobile platforms.

"But how has our approach changed? Unfortunately, nowhere near enough. We still have a very reactive security model."

He also pointed out that most organisations are using perimeter-based security models, which tend to be static and rules-based.

"We get no leverage from the controls because they exist in a siloed pattern. This reactive means of creating security infrastructure kind of made sense as IT evolved, but now we find ourselves in a position where we are not getting enough leverage from our control environments."

Rebalancing budgets

"Think about it for a second; if it is probable that we can be breached because of the openings we have created, doesn't it stand to reason that we have to rebalance our budgets so that we spend more on detection and response? If there is this air of inevitability of being breached, don't we have to have the ability to respond more quickly than ever before? Shouldn't that be where our main emphasis is?

"And, in terms of your security model, don't you have to have a more intelligent approach? You need to have a risk-based approach; understand what is important to you, but not just protect your environment from the inside-out, also protect your environment from the outside-in - understanding where the threats are likely to come from so that you can detect them quickly enough."

In this new threat landscape, Coviello believes controls have to change. "They can't be static; they can't be signature-based; they must be far more dynamic and agile; they have to react to certain circumstances; and they can no longer be siloed. We have to get leverage from multiple controls if we have any chance of creating defence in depth. That means each individual control must give us context."

Big data approach

Today, he added, the only way we get leverage is through traditional information management and, quite frankly, analysing and correlating logs is just not getting it done. That is why it is important to take a big data approach to security, and that is where security analytics comes in, he explained.

"We are not talking about just collecting log data...but all kinds of contextual information from across your entire control environment.

"This is what our Security Analytics solution is all about. Giving you the ability to detect the problems more quickly. To be able to respond and isolate compromised elements of your infrastructure. We are never going to be in a position where we can stop every single attack, but we can be in a position where we can shrink the window of vulnerability of all attacks; stop the attacks quick enough so that we can isolate the problems in our infrastructures; and render the attacks harmless before real damage is done."

Also speaking during the Webinar, Amit Yoran, senior VP, RSA, said the security monitoring market, in general, is in a phase of transformation.

"The days of signature-based and compliance-centric security systems, as a primary approach to the security of an organisation, are over. Anti-virus, intrusion detection systems and firewalls are not enough to give the invincibility and response to today's threats," said Yoran.
