Why we are losing the cyber security war and what we can do about it

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

If this year's attacks on Adobe, LexisNexis, NASDAQ, US Airways, and dozens of other large and technologically sophisticated US enterprises didn't provide sufficient evidence that we are losing the cyber security war, the ongoing breaches by Anonymous make it undeniable. Why are the world's most IT savvy companies unable to keep attackers out of their networks?

Several factors are tipping the scales in favor of cyber criminals: the lack of (threat) information sharing; insufficient automation of threat and vulnerability remediation; the absence of correlation between compliance, security and risk posture; the unmet need for continuous security monitoring; and the inability to process huge volumes of data quickly enough to detect and mitigate cyber-attacks in a timely manner.

Fortunately, a new breed of security technology called Integrated Risk Management (IRM) platforms has emerged that can make threats and vulnerabilities visible and actionable, while enabling organizations to prioritize and address high-risk security exposures before breaches occur.

Let's take a look at how IRM systems can level the playing field in the cyber security war.

Contextualization of Threat Intelligence

The sharing of sensitive threat information is essential to preventing a widespread attack across different verticals and industries. Cyber criminals coordinate their efforts and are well versed in sharing vulnerabilities and attack methodologies, so to counter them, governments and private industry must work hand-in-hand to quickly distribute information about threats.

While initiatives to introduce a Cyber Information Sharing law have failed, information sharing communities such as the Financial Services Information Sharing and Analysis Center (FS-ISAC) and Red Sky Alliance are offering threat feeds that organizations can leverage to contextualize the threat information within their own enterprise architecture.

IRM systems are capable of consuming threat intelligence data feeds and cross-correlating them with organizational attributes such as control and configuration settings, asset criticality, vulnerabilities, patch status, etc. This avoids otherwise labor-intensive work and lets common attack patterns be detected and analyzed automatically, which dramatically reduces the risk of exposure.

Automating Threat and Vulnerability Remediation

Most organizations rely on multiple, best-of-breed, silo-based tools (e.g., fraud and data loss prevention, vulnerability management or SIEM) to produce the security data necessary to detect or prevent cyber-attacks. This model generates a high volume, high velocity stream of complex data that must be analyzed, normalized, and prioritized.

Unlike adaptive authentication, which is being used to automate behavioral pattern analysis for fraud prevention in the payments industry, many commonly used security tools lack any capability to analyze their own output. IRM platforms can piece together data from different sources, connect the dots, and detect suspicious patterns that would indicate a cyber-attack or data breach, instead of requiring security operations staff to do so manually.

Relying on manual processes to comb through mountains of logs is one of the main reasons that critical issues are not being addressed in a timely fashion. According to the Verizon 2013 Data Breach Investigations Report, 69% of breaches were discovered by a third party and not through internal resources. To make matters worse, 66% of the breaches took months or even years to discover. IRM can shorten the window attackers have to exploit a software or network configuration flaw.

Adding the Notion of Risk in Security

The majority of existing security products lack the ability to assign risk-based prioritization. They produce a wealth of logs, but do not indicate which vulnerabilities need to be mitigated first. Without knowing what risk a specific vulnerability poses for the business, it is difficult, if not impossible, to prioritize mitigation efforts.

Risk is influenced by three key factors: compliance posture, threats and vulnerabilities, and business criticality of the impacted asset. What organizations need is a context-aware, risk-based view across the enterprise, combining threat intelligence, vulnerability knowledge, compliance and business impact.

IRM systems enable big data automation, which encompasses data gathering from networked machines, third-party feeds and the platform's assessment engine. They provide insight into an organization's state of compliance, security and ultimately risk posture to achieve continuous compliance and continuous monitoring.

IRM systems also allow organizations to assign policies, classifications and business criticality to assets, propagating the attributes (e.g., risk) to all related assets, and then enforcing the attributes in a dynamic data-driven environment. By correlating these three key factors in a single data model, organizations can determine the risk associated with particular assets and prioritize remediation actions based on the actual risk.
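As an added illustration (not code from the article or from Agiliance) of the correlation described above and under "Contextualization of Threat Intelligence", the Python below puts vulnerability findings, a threat feed, asset criticality and compliance posture into one data model and ranks remediation by the resulting risk rather than by raw CVSS. All inventory, findings, weights and CVE identifiers are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed asset inventory: criticality 1 (low) .. 5 (crown jewel),
# compliance_gaps = number of failed control checks on that host.
ASSETS = {
    "web-01": {"criticality": 5, "compliance_gaps": 2},
    "dev-07": {"criticality": 1, "compliance_gaps": 0},
    "db-03":  {"criticality": 5, "compliance_gaps": 0},
}

# Constructed scanner output: (asset, cve, cvss_base, already_patched).
# CVE ids are placeholders, not real identifiers.
FINDINGS = [
    ("web-01", "CVE-EXAMPLE-0001", 9.8, False),
    ("dev-07", "CVE-EXAMPLE-0001", 9.8, False),
    ("db-03",  "CVE-EXAMPLE-0002", 6.5, False),
    ("web-01", "CVE-EXAMPLE-0003", 7.5, True),
]

# Constructed threat feed: CVEs currently reported as exploited in the wild.
THREAT_FEED = {"CVE-EXAMPLE-0002"}


@dataclass
class RiskItem:
    asset: str
    cve: str
    score: float
    reasons: list


def score_finding(asset, cve, cvss, patched, assets, feed):
    """Combine technical severity, threat context, business impact and
    compliance posture into one risk score (weights are assumptions)."""
    if patched:                      # nothing left to remediate
        return None
    attrs = assets[asset]
    reasons = []
    score = cvss / 10.0              # technical severity, scaled to 0..1
    if cve in feed:                  # threat context: exploited vulns jump ahead
        score *= 2.0
        reasons.append("exploited-in-wild")
    score *= attrs["criticality"]    # business impact of the affected asset
    score *= 1 + 0.25 * attrs["compliance_gaps"]   # weaker controls widen exposure
    return RiskItem(asset, cve, round(score, 2), reasons)


def prioritize(findings, assets, feed):
    """Return open findings ordered by risk, highest first."""
    items = [score_finding(*f, assets, feed) for f in findings]
    return sorted((i for i in items if i), key=lambda i: i.score, reverse=True)


if __name__ == "__main__":
    for item in prioritize(FINDINGS, ASSETS, THREAT_FEED):
        print(f"{item.score:6.2f}  {item.asset:7s} {item.cve} {','.join(item.reasons)}")
```

Sorting by CVSS alone would put the dev box's 9.8 ahead of the database's actively exploited 6.5; the correlated view reverses that, which is the prioritization the section argues for.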

Providing Continuous Monitoring

Cyber threats are unpredictable and cannot be scheduled like a compliance audit. Instead of a point-in-time view of risk, continuous monitoring of both compliance and security posture is required to increase situational awareness. Unfortunately, the majority of organizations are still using a check-box mentality as part of a compliance-driven approach to security. This method achieves point-in-time compliance certification rather than improving security.

Applying continuous (security) monitoring implies an increased frequency of data assessments (e.g., on a weekly basis) and requires security data automation: aggregating and normalizing data from a variety of sources such as security information and event management (SIEM), asset management, threat feeds, and vulnerability scanners. IRM systems use big data automation and correlation to reduce costs by unifying security management, streamlining processes, creating situational awareness that exposes exploits and threats in a timely manner, and gathering historic data that can assist in predictive security.

Making Big Data Actionable

While security monitoring generates big data, in its raw form it remains only a means to an end. Ultimately, information security decision making should be based on prioritized, actionable insight derived from this data. To achieve this, big security data needs to be correlated with its business criticality or risk to the organization. Once assets that require the highest priority for remediating threats are identified, organizations must ensure a smooth handoff from security operations to the IT department, which is responsible for mitigating issues. Any latency in this process can lead to critical delays in time-to-remediation, offering hackers an opportunity to exploit existing vulnerabilities.

IRM systems offer closed-loop remediation via their own ticketing and exception processes as well as through bi-directional integrations with ticketing and patch management solutions. In addition, an IRM system's workflow engine enables organizations to collaborate across departments and business units, increasing operational efficiency and shortening the time-to-remediation.

IRM systems can deliver tremendous time and cost savings through increased accuracy, shorter remediation cycles and better overall operational efficiency. Ultimately, they can protect against and minimize the consequences of cyber-attacks and improve the odds for the good guys in the cyber war.

Torsten George is VP of Worldwide Marketing and Products at integrated risk management software vendor Agiliance.
