Today's threats are rendering signature-based defence useless. APTs make prevention-centric strategies futile, as we cannot protect against threats we have never seen before.
This requires a shift in mindset - from prevention, to information and people-centric strategies, mixed with internal monitoring and intelligence sharing.
So said Neil Macdonald, VP and Gartner fellow, speaking at an HP media event, in London, yesterday.
Macdonald said there are several trends - cloud computing, mobile computing and consumerisation - that are causing a loss of control by IT. This is also making security too cumbersome.
With APTs, companies need to change their approaches - malware has evolved past signature-based controls, he said.
"Organisations are largely unaware that data is being actively exfiltrated. They need to look at the anatomy and life cycle of an attack for advanced threat protection."
At the moment, he says, they are far too focused on prevention and on vendor solutions. "The notion is misguided; we cannot stop attacks - we must assume we have been, or will be, attacked."
Businesses need to focus on better monitoring and analytics, as well as on tactics such as deception, diversion and disinformation, to disrupt cyber attackers and make their job harder. "This would involve introducing fake vulnerabilities, networks and systems."
We don't make it nearly difficult enough; we need to raise the bar, explains Macdonald.
The good, the bad, the ugly
"Understanding what 'bad' looks like is important, so we can look for similarities - we can use AV and intrusion prevention for this. But this is woefully inadequate for previously unseen threats," he says.
What the industry needs to do is turn this on its head and invert the threat model: understand what 'good' looks like and look for meaningful deviations from it. To do this, companies can use baselining, anomaly detection and predictive failure analysis.
"Actionable, risk-prioritised insight is the goal; context-aware intelligence, distilled down to what to focus on." He says this will provide a risk-based view of the business, and compensate for the lack of control by IT.
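The inverted model described above, as an added example that is not code from the article, from Gartner or from HP: a per-host baseline is learned from a window of known-good outbound traffic, and each new record is scored against it. Volume is scored with a median/MAD modified z-score rather than mean/standard deviation, so a few large transfers in the learning window cannot stretch the baseline; a host with no baseline at all, and a destination the host has never contacted, are reported as deviations in their own right. The log format, host names, destinations and byte counts are constructed for the example.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"strconv"
	"strings"
)

// Constructed sample records (hypothetical, not from the article): "period host dest kbytes_out".
// "base" rows are the learning window of known-good activity; "obs" rows are the period under review.
const sampleLog = `base ws-17 cdn.example.net 2100
base ws-17 mail.example.net 2400
base ws-17 cdn.example.net 1900
base ws-17 mail.example.net 2600
base ws-17 cdn.example.net 2200
base ws-17 mail.example.net 2000
base ws-17 cdn.example.net 2500
base db-02 backup.example.net 48000
base db-02 backup.example.net 51000
base db-02 backup.example.net 50000
base db-02 backup.example.net 49000
base db-02 backup.example.net 52000
base db-02 backup.example.net 50500
base db-02 backup.example.net 49500
obs ws-17 cdn.example.net 2300
obs ws-17 203.0.113.7 900000
obs db-02 backup.example.net 52000
obs laptop-99 backup.example.net 400`

type Flow struct {
	Period, Host, Dest string
	KB                 float64
}

type Alert struct {
	Host, Dest, Reason string
	Score              float64
}

// Baseline for one host: median and median absolute deviation (MAD) of
// kbytes_out, plus the set of destinations seen during the learning window.
type Baseline struct {
	Median, MAD float64
	Dests       map[string]bool
}

func parseFlows(log string) []Flow {
	var flows []Flow
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		f := strings.Fields(line)
		if len(f) != 4 {
			continue // skip malformed rows rather than abort the run
		}
		kb, err := strconv.ParseFloat(f[3], 64)
		if err != nil {
			continue
		}
		flows = append(flows, Flow{f[0], f[1], f[2], kb})
	}
	return flows
}

func median(v []float64) float64 {
	s := append([]float64(nil), v...)
	sort.Float64s(s)
	n := len(s)
	if n%2 == 1 {
		return s[n/2]
	}
	return (s[n/2-1] + s[n/2]) / 2
}

func buildBaseline(flows []Flow) map[string]*Baseline {
	byHost := map[string][]float64{}
	dests := map[string]map[string]bool{}
	for _, f := range flows {
		if f.Period != "base" {
			continue
		}
		byHost[f.Host] = append(byHost[f.Host], f.KB)
		if dests[f.Host] == nil {
			dests[f.Host] = map[string]bool{}
		}
		dests[f.Host][f.Dest] = true
	}
	base := map[string]*Baseline{}
	for host, v := range byHost {
		m := median(v)
		dev := make([]float64, len(v))
		for i, x := range v {
			dev[i] = math.Abs(x - m)
		}
		base[host] = &Baseline{Median: m, MAD: median(dev), Dests: dests[host]}
	}
	return base
}

// modifiedZ is the Iglewicz-Hoaglin modified z-score; |score| > 3.5 is the usual cut-off.
func modifiedZ(b *Baseline, x float64) float64 {
	if b.MAD == 0 { // perfectly constant baseline: any change at all is a deviation
		if x == b.Median {
			return 0
		}
		return math.Inf(1)
	}
	return 0.6745 * (x - b.Median) / b.MAD
}

func detect(flows []Flow, threshold float64) []Alert {
	base := buildBaseline(flows)
	var alerts []Alert
	for _, f := range flows {
		if f.Period != "obs" {
			continue
		}
		b, ok := base[f.Host]
		if !ok {
			alerts = append(alerts, Alert{f.Host, f.Dest, "no baseline for host", 0})
			continue
		}
		if !b.Dests[f.Dest] {
			alerts = append(alerts, Alert{f.Host, f.Dest, "destination never seen in baseline", 0})
		}
		if z := modifiedZ(b, f.KB); math.Abs(z) > threshold {
			alerts = append(alerts, Alert{f.Host, f.Dest, "outbound volume deviates from baseline", z})
		}
	}
	return alerts
}

func main() {
	for _, a := range detect(parseFlows(sampleLog), 3.5) {
		fmt.Printf("%-10s %-18s %-40s score=%.1f\n", a.Host, a.Dest, a.Reason, a.Score)
	}
}
```

On the constructed input, db-02's 52,000 KB transfer is large in absolute terms but within its own baseline and is not reported, while ws-17's 900,000 KB transfer to an address it has never contacted produces two alerts, and laptop-99 is reported simply because nothing 'good' is known about it. In practice the learning window would be far longer and keyed by more than host (hour of day, destination ASN, protocol), but the structure is the same: score against what is normal for that entity, not against a global signature.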
Ownership and security
A big mistake businesses make is equating ownership with security, says Macdonald. "We need models for trust that don't rely on direct ownership. Control what we can, not what we should. The end goal is to protect the information, not lock down the networks and suchlike."
Ultimately, it's about protecting the confidentiality, integrity, availability, authenticity and possession of our data. "Change our mindset and move to an information-centric security, including application security, as applications are the primary vehicle through which information is accessed."
In addition, add context to decisions, and use context to improve information security.
Private and public clouds make security controls obsolete. One way of securing information stored in the cloud is to encrypt it at source, before it enters the cloud; anyone without the key then has no access to the information.
Also, virtualise security controls and move to software-based security, so that security travels with the workload, says Macdonald.
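Encrypting at source, as an added example that is not code from the article, from Gartner or from HP: the client holds the AES-256 key and uploads only nonce, ciphertext and authentication tag, so the provider (here a hypothetical in-memory `cloudStore` map) never sees plaintext. The object name is bound in as associated data, so a blob copied to a different name, or modified in storage, fails to decrypt rather than returning wrong data silently. The demo key and the payroll content are constructed for the example; a real deployment would draw the key from a KMS or HSM outside the provider's control and rotate it.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// cloudStore stands in for a provider's object store. It sees only what the
// client uploads and is never given the key. (Hypothetical, for the example.)
type cloudStore map[string][]byte

type client struct {
	aead  cipher.AEAD
	store cloudStore
}

// newClient takes a 32-byte key (AES-256) that stays on the client side.
func newClient(key []byte, store cloudStore) (*client, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &client{aead: aead, store: store}, nil
}

// put encrypts locally and uploads nonce||ciphertext||tag. The object name is
// the associated data, so the ciphertext is only valid under that name.
func (c *client) put(name string, plaintext []byte) error {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return err
	}
	c.store[name] = c.aead.Seal(nonce, nonce, plaintext, []byte(name))
	return nil
}

// get downloads the blob and decrypts it; any change to the blob or its name
// makes the GCM tag check fail and returns an error instead of plaintext.
func (c *client) get(name string) ([]byte, error) {
	blob, ok := c.store[name]
	if !ok {
		return nil, errors.New("no such object")
	}
	ns := c.aead.NonceSize()
	if len(blob) < ns+c.aead.Overhead() {
		return nil, errors.New("blob too short to be valid")
	}
	return c.aead.Open(nil, blob[:ns], blob[ns:], []byte(name))
}

func main() {
	key := make([]byte, 32) // demo only: in practice from a KMS/HSM the provider cannot reach
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	store := cloudStore{}
	c, _ := newClient(key, store)
	secret := []byte("employee,salary\nalice,90000\n") // constructed sample content
	_ = c.put("hr/payroll.csv", secret)
	fmt.Printf("provider sees plaintext: %v\n", bytes.Contains(store["hr/payroll.csv"], []byte("alice")))
	got, err := c.get("hr/payroll.csv")
	fmt.Printf("owner decrypts: %q err=%v\n", got, err)
	store["hr/public.csv"] = store["hr/payroll.csv"] // blob moved to another name
	_, err = c.get("hr/public.csv")
	fmt.Printf("relocated blob rejected: %v\n", err != nil)
}
```

The check worth keeping in mind is the third one in `main`: with a plain per-object key and no associated data, an attacker with write access to the bucket could swap ciphertexts between objects and the owner would decrypt the wrong file without noticing. Binding the name (or a version and tenant identifier) as AAD closes that gap at no cost.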
He says software-defined security must involve abstraction, or the decoupling of a resource from the consumer of the resource - a sort of virtualisation. The virtualisation of these resources will allow businesses to define 'models' of infrastructure elements that can be managed without requiring management of every element individually.