Eliminating security solution islands
With hundreds of different security products and new start-ups entering the market every week, one would think enterprises are well-equipped to keep attackers out.
But this is not the case.
During his keynote address at RSA Europe in Amsterdam yesterday, Stephen Trilling, senior VP and CTO at Symantec, noted that the best solutions on the market do identify and block many attacks, but fail to coordinate their defences.
Existing solutions are expensive to manage, they miss many attacks because they are short-sighted, and they leave the organisation to do the integration and monitoring itself.
"Each of these products is an island, attempting to detect attacks in isolation from every other product," he said. End-point solutions know nothing about what is going on in the broader network, while the firewall is oblivious to end-point risks, said Trilling. Likewise, e-mail and Web software scans inbound mails and Web pages but has no idea what these objects do once they are inside the enterprise, and while server security software will detect a failed login, it won't know that the same computer visited a suspicious Web site a few minutes ago, Trilling continued.
One would think that a security information and event management (SIEM) system would compensate for this myopia, but Trilling noted that SIEMs are only as good as the data they collect. SIEM systems are designed to aggregate data from a single company and detect attacks over a limited period of time, he said, adding that they do not mine the large volumes of data that span weeks, months or years.
For Trilling, setting up a cloud-based repository of security telemetry is the ideal solution to this security software dilemma. This kind of repository can mine big data to detect threats that do not stand out immediately but are only noticeable after some time. This will allow for the detection of attacks that span multiple industries, he said. This approach also allows different organisations within the same industry to collaborate and share their experiences, and through this sharing, they can stay up to date with what is happening in the market, he said.
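The failure modes Trilling describes (a server log that sees a failed login but not the suspicious web visit by the same machine minutes earlier; a SIEM whose detection window is too short to notice one failed login a day) can be made concrete with a few lines of correlation code. The example below is added here and is not Symantec's code or anything shown at the keynote. All log lines are constructed, with placeholder host names, users and URLs, and the key=value log format, the ten-minute lookback and the failure thresholds are assumptions chosen for illustration.

```python
"""Constructed example: fusing telemetry from three security 'islands'.

All log lines below are made up for illustration; host names, users and
URLs are placeholders, not real observations. The key=value format is an
assumption, not the format of any particular product.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Island 1: web proxy. Island 2: endpoint agent. Island 3: server auth log.
WEB_LOG = """
2013-10-30T09:01:12Z src=ws-17 url=http://files.example.invalid/update.exe category=suspicious
2013-10-30T09:02:30Z src=ws-22 url=http://intranet.example.invalid/ category=business
""".strip().splitlines()

ENDPOINT_LOG = """
2013-10-30T09:03:02Z src=ws-17 event=process_start image=update.exe parent=chrome.exe
2013-10-30T09:04:10Z src=ws-22 event=process_start image=outlook.exe parent=explorer.exe
""".strip().splitlines()

# One failed admin login per day from ws-17: too slow for an hourly threshold.
AUTH_LOG = """
2013-10-30T09:05:40Z src=ws-17 host=srv-db1 user=admin result=failed
2013-10-30T09:06:01Z src=ws-22 host=srv-db1 user=jdoe result=success
2013-10-31T08:55:10Z src=ws-17 host=srv-db1 user=admin result=failed
2013-11-01T09:10:22Z src=ws-17 host=srv-db1 user=admin result=failed
2013-11-02T09:20:05Z src=ws-17 host=srv-db1 user=admin result=failed
2013-11-03T09:30:49Z src=ws-17 host=srv-db1 user=admin result=failed
""".strip().splitlines()


def parse_kv(line, source):
    """Parse 'TIMESTAMP key=value ...' into a dict and tag it with its island."""
    ts, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    event["source"] = source
    return event


def load_all():
    """Normalise all three islands into one time-ordered event list."""
    events = [parse_kv(line, "web") for line in WEB_LOG]
    events += [parse_kv(line, "endpoint") for line in ENDPOINT_LOG]
    events += [parse_kv(line, "auth") for line in AUTH_LOG]
    return sorted(events, key=lambda e: e["ts"])


def correlate_failed_logins(events, lookback_minutes=10):
    """For each failed server login, look back across the other islands for
    what the same source machine did shortly before: a suspicious download,
    then a process started from it. Each island alone sees one unremarkable
    event; fused, they form a chain worth an alert."""
    lookback = timedelta(minutes=lookback_minutes)
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    chains = []
    for e in events:
        if e["source"] != "auth" or e["result"] != "failed":
            continue
        window = [p for p in by_src[e["src"]]
                  if e["ts"] - lookback <= p["ts"] < e["ts"]]
        web = [p for p in window if p["source"] == "web" and p.get("category") == "suspicious"]
        procs = [p for p in window if p["source"] == "endpoint" and p.get("event") == "process_start"]
        if web and procs:
            chains.append({"src": e["src"], "target": e["host"], "user": e["user"],
                           "url": web[0]["url"], "image": procs[0]["image"], "when": e["ts"]})
    return chains


def slow_failed_logins(events, window_hours, threshold):
    """Count failed logins per (src, user) inside a sliding window. A rule of
    'N failures in an hour' misses one failure a day; the same rule over a
    multi-week window catches it, which is why retention length matters."""
    window = timedelta(hours=window_hours)
    failures = defaultdict(list)
    for e in events:
        if e["source"] == "auth" and e["result"] == "failed":
            failures[(e["src"], e["user"])].append(e["ts"])
    flagged = set()
    for key, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(key)
                break
    return flagged


if __name__ == "__main__":
    evs = load_all()
    for chain in correlate_failed_logins(evs):
        print("chain:", chain)
    print("1-hour rule:", slow_failed_logins(evs, 1, 5))
    print("30-day rule:", slow_failed_logins(evs, 24 * 30, 5))
```

Run stand-alone, the script reports one fused chain (ws-17 fetched a suspicious executable, started it, then failed a login to srv-db1 as admin), flags nothing under the one-hour rule and flags (ws-17, admin) under the thirty-day rule. The point is not the specific thresholds, which are arbitrary here, but that the first detection needs events from three products keyed on a shared field, and the second needs history a short-window SIEM would have aged out.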
As a result, companies will spend less time connecting the dots and integrating security offerings, Trilling said. In conclusion, he stressed that, as highly targeted attacks become the norm, we need a system with a world view: one that fuses data from within the organisation with intelligence from other enterprises, industries and geographies to detect threats that would otherwise be invisible.