Building a 'cyber photofit' of attackers
One of the most common concerns at the moment is the shortage of cyber security skills.
Most companies simply don't have enough skilled staff to manage their cyber security challenges, which are only set to increase as technology usage grows and attacks continue to multiply.
So says Greg Day, VP & CSO, EMEA at Palo Alto Networks, who will be presenting on 'Crowdsourcing to beat the bad guys' during the ITWeb Security Summit 2016, to be held at Vodacom World in Midrand from 17 to 20 May.
Because of this, Day says businesses need to transform their approach and to become as automated as the attacker. "Businesses today typically have an analogue approach to cyber security, in that they rely on people. Conversely, attacks are mostly automated - looking through this lens it's not hard to see why businesses are on the back foot when it comes to preventing breaches."
Building a 'cyber photofit'
In order to become more automated, businesses need better fidelity of information on the attacker. "For example, the more we see the whole attack picture the more accurately and confidently we can identify and prevent it. Imagine looking for a criminal just by hair colour and type."
To fight traditional crime, says Day, law enforcement uses photofits, or reconstructed pictures of an individual, made from composite photos of the criminal's facial features, made up of as much detail as possible to make them uniquely identifiable. "If we can crowdsource information to build an accurate picture of the attacker, we can better tell who, out of the seven billion people on the planet, is that criminal."
He says more accurate intelligence is needed, that allows more precise detection and reduces the massive false positive load businesses deal with today, as the result of looking in isolation for the criminal's distinguishing features and relying on humans to match the pieces of the puzzle together.
"How many false positives would you have if you were only looking for one specific attribute that may be common across a significant percentage of the population? Businesses have the insight on what is really happening to them but we need to gather that insight and look at the big picture, or build a cyber photofit as it were."
According to Day, organisations should accept that being attacked is a reality. "As with many things, there is no guarantee that we can stop 100% of attacks, but at the same time we shouldn't simply give up. I see too many businesses starting to over-focus on responsive capabilities, when in reality each company needs to decide on their own balance point."
Day says a tough decision for businesses is whether or not to change what has worked in the past. "Cyber security and IT itself are very dynamic, yet there is often a desire to hold onto legacy methods as they are known to have worked in the past and this gives false confidence when the challenge is evolving. We need to continue to look for and apply state of the art cybersecurity, whether that's concepts, processes or technology."
At the core of this is changing our thinking, he explains. "Just a few years ago security was seen as sacred to each business, today many still don't share what happens to them for fear that it is a sign of weakness. However, we are seeing more companies go public when they have breaches and this shows a change in thinking - whether that's to better stop or respond to an incident."
"Ultimately the more we work together, the more efficient we can be. Those of us working in cyber security outnumber the cyber criminals, so we need to collaborate as effectively as they do in order to out-resource them. If we can do this we can drive the costs of security down, and drive up the costs for the attacker."
He says by 2019 the number of addressable IPs is set to nearly double, and the volume of attacks looks unlikely to slow down. "Unless we collaborate and automate real attack events, security practitioners will only further drown in poorly qualified security alerts, taking longer and longer to find the critical few."
Key to success is identifying an attack as it happens or as shortly as possible after, lessening the impact on business. "If, as often happens today, it takes the business months to spot the attack in all the noise it has to deal with, then commonly the business impact is high as the attacker has had the time they need to find and exfiltrate whatever data they were targeting."