Peter Allor, security strategist at IBM, describes how mobility, cloud and social media have altered the security atmosphere and what Asian companies are doing to counter new threats.
How has the security landscape changed in the last two years? Have mobility, cloud and social media worsened the security atmosphere?
The threat is being portrayed as invincible and so advanced that we are defenceless. This is not an accurate portrayal. The threat has moved in two directions: one attacking enterprises on enterprise-written websites and mobile applications, and the second, in attacking with sophisticated attacks through spear-phishing and social media.
This evolution of the attackers to these types of attacks and then downloading additional vectors once they breach an enterprise has changed the landscape.
Correlation of security information has allowed enterprises to better address this landscape change and to allow you to identify attack indicators and potential for compromise.
Information (both structured and unstructured, social data) is seeing endless growth in volume, variety, velocity and veracity as organisations seek to leverage big data solutions to gain deep insights and make their businesses more agile. This has opened the door to new vectors allowing the enterprise user to trigger downloads of malware into the network.
How are enterprise-class organisations protecting themselves today? What has changed in their security strategy?
Organisations today deploy a variety of security controls to mitigate risks, so they avoid situations where shutting down the whole network becomes the only solution. These include firewalls, intrusion detection systems, intrusion prevention systems and vulnerability scanners.
All of the individual security controls are good at what they are supposed to do, and they are properly deployed at almost every organisation today. But these controls alone are not sufficient protection from the "bad guys". The fact of the matter is security technology and experts are getting smarter, and so are the attackers.
Also, another thing you notice these days from the cyber attack patterns is there is a shift from a target of opportunity towards a target of choice, where attackers are continuously or even patiently planning and executing advanced persistent threats (APTs).
While use of the new technologies of mobile, cloud and social media collaboration does expose the risk factor for companies and their data, the trick is in how to use these new technologies with a more thorough and mature security mindset (or mental posture). For instance, analytics. Analytics does not just have to be limited to analysing data for business objectives; the concept of data crunching can also be applied for security purposes, which improves the scope and scale of investigation. In other words, with security intelligence, companies find clues, loopholes, malicious or incompliant activity that would have gone unnoticed and undetected, hidden deep in the throes of an organisation's data.
Increasingly, government-related agencies are also getting involved in the security scenario: either as perpetrators or victims of cyber attacks. Are there lessons in the government's defence approach that enterprises can learn from?
Organised crime, sabotage, espionage, terrorism, civil disobedience and the theft of intellectual property are issues that have moved from the physical world to the digital one because the reliance on and ubiquity of the Internet have made cyber attacks on people, networks and systems both possible and effective.
Today, all the data and systems we have exposed to the Internet have produced new opportunities for malicious attacks. These opportunities have likewise produced an associated class of attackers who are often well-funded, motivated and innovative. They conduct reconnaissance, are more operationally proficient, frequently use custom, never-before-seen malware and will often do whatever they can to mask and hide their activity.
Whether or not cyber attacks are politically and socially motivated, they cause damage far beyond the single intended victim. Even though information security continues to evolve in sophistication, attacking networks and stealing confidential or classified information has arguably become easier thanks to popular new technologies that have introduced loopholes in enterprise security.
Current conditions have spurred organisations to become smarter by adding advanced technological intelligence into their online defences, which in turn requires new infrastructures capable of using sophisticated analytics to scale visibility across broad data sets, both diverse and complementary, in real time.
How do you see Asian companies approaching security vis-à-vis their Western counterparts?
Considering the global onset of cloud, mobile and social media, the key difference in security approaches is the attitude and commitment a company has in maintaining its security posture, regardless of wherever it operates in the world.
While many organisations remain in crisis response mode, some have moved beyond a reactive stance and are taking steps to reduce future risk. These forward-thinking companies see themselves as more mature in their security-related capabilities and better prepared to meet new threats.
Companies with advanced and competent security profiles share a few distinguishing traits. These include: clear recognition of the strategic importance of information security in the organisation and anticipation of increased spending on security over the next few years. Their business leaders are increasingly concerned about security issues, with mobile security a major focus due to the high rate of mobile workforces and wireless device adoption. Their attention has also shifted towards risk management and reducing future risk, and less on managing only current threats and regulatory issues.
As such, these traits illustrate the security maturity of an organisation as well as its ability to handle or avoid a breach. For instance, because the senior management recognises the need for a coordinated approach to security, advanced companies are more likely to have a dedicated security head with a strategic and enterprise-wide purview. Security issues are not ad-hoc topics but a regular part of business discussions. This, in turn, builds a more pervasive risk awareness across the business, where all employees take a proactive role in protecting their organisation. On the other hand, companies lacking a dedicated security leader suggest a more fragmented and tactical approach to security.