APTs and other types of sophisticated attacks are undoubtedly changing information security processes, technologies, and skills, but ESG found another interesting transition in progress: Given the volume, sophistication, and surreptitious nature of APTs, large organizations are apparently willing to adopt more automated security technologies as a means for attack remediation. ESG’s recently published research report on APTs indicates that 20% of enterprises believe this development will happen “to a great extent” while another 54% say this will happen “to some extent.” (See this link for more information about the ESG Research Report, U.S. Advanced Persistent Threat Analysis).
Why is this surprising? Since the introduction of intrusion prevention systems (IPS), security professionals have had access to technical tools that block certain behavior or remediate problems automatically. For the most part, however, many firms eschewed these capabilities for fear that a false positive would cause a security tool to take a critical business application or network segment offline. As a result, IPS devices were usually deployed in passive mode – generating alarms but not taking any type of automated action.
The ESG data indicates that many enterprise organizations believe that sophisticated attacks and IT complexity make this “wait-and-see” security strategy obsolete. Security tools need to be smart enough to detect and react to suspicious behavior, anomalous activities, and attacks in progress. To me, this means:
1. Security intelligence is critical. Automated remediation depends upon extremely accurate analysis of mountains of data. In other words, security intelligence has turned into a big data problem that CISOs must recognize. This trend validates the vision of vendors like EMC/RSA (enVision, NetWitness, Greenplum), HP (ArcSight, Vertica, HP Labs), IBM (Q1, Netezza, SPSS, i2), McAfee (Nitro Security) and startups like RedLambda.
2. Reputation data must play a role. Aside from internal network analysis, security intelligence must understand if a source/destination IP address, URL, application, DNS record, or file is known to be suspicious or malicious. Reputation data from Blue Coat, Check Point, Cisco, and Trend Micro must be part of the mix.
3. Look for lots of R&D with security rules engines. It’s hard enough collecting and analyzing terabytes of security data – making accurate remediation decisions based upon this data analysis adds another quantum degree of difficulty. This is rocket science-type stuff that demands strong public/private cooperation. For starters here, the Federal government should be more forthcoming on its Einstein project and any other research it has done in this area.
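As an added illustration of points 1 through 3 (example code, not ESG's or any vendor's), here is a small Python rules engine that combines a constructed reputation feed with an assumed anomaly score from an analytics engine. It blocks automatically only when both signals corroborate and the asset involved is not on a critical list; otherwise it falls back to the alarm-only behavior of a passive-mode IPS, so a false positive degrades to an alert rather than an outage.

```python
from dataclasses import dataclass

# Constructed sample reputation feed (hypothetical values, not a real feed).
REPUTATION = {
    "203.0.113.7": "malicious",
    "198.51.100.22": "suspicious",
}
# Constructed list of assets where a false positive would take a critical
# application offline; automated blocking is never applied to these.
CRITICAL_ASSETS = {"10.0.0.5"}


@dataclass
class Event:
    src: str
    dst: str
    anomaly_score: float  # 0.0..1.0, assumed to come from an analytics engine


def score(event: Event) -> float:
    """Combine reputation and anomaly evidence into a 0..1 confidence.
    Reputation alone caps at 0.6 and anomaly alone at 0.4, so neither
    source by itself can reach the blocking threshold below."""
    rep = REPUTATION.get(event.src) or REPUTATION.get(event.dst)
    rep_weight = {"malicious": 0.6, "suspicious": 0.3}.get(rep, 0.0)
    return min(1.0, rep_weight + 0.4 * event.anomaly_score)


def decide(event: Event, block_threshold=0.8, alert_threshold=0.4) -> str:
    """Return 'block', 'alert', or 'ignore'.
    Blocking requires corroborated high confidence and never touches a
    critical asset; those cases fall back to alert-only (passive) handling."""
    confidence = score(event)
    touches_critical = {event.src, event.dst} & CRITICAL_ASSETS
    if confidence >= block_threshold and not touches_critical:
        return "block"
    if confidence >= alert_threshold:
        return "alert"
    return "ignore"


if __name__ == "__main__":
    # Constructed events: known-bad source, same source hitting a critical
    # asset, and a high anomaly score with no reputation corroboration.
    for ev in (Event("203.0.113.7", "10.0.0.9", 0.9),
               Event("203.0.113.7", "10.0.0.5", 0.9),
               Event("192.0.2.1", "10.0.0.9", 1.0)):
        print(ev.src, "->", ev.dst, decide(ev))
```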