More information in more places. Higher-value information targets. And an increasingly sophisticated and well-funded set of opponents using APT techniques to secure their prize.
Most people chartered with responding are very much aware of the new challenges -- but what to do?
While there are no simplistic answers, there is a clear consensus emerging that this is no mere matter of better technology; it requires a deep and thoughtful organizational response -- a new way of doing things in the new world.
The latest evidence comes from the SBIC -- the Security for Business Innovation Council -- in their new report "Getting Ahead Of Advanced Threats: Achieving Intelligence-Driven Information Security". The SBIC is a group of very bright and passionate security leaders in Fortune 1000 settings who regularly gather to make strategic recommendations for the community at large.
Sponsored by RSA, the council has produced a number of useful reports on relevant and topical corporate information security subjects. This one is worth reading -- simply because it sketches out a roadmap of how security leaders will need to go about building their new organizational response in this new world.
Like anything else, the challenge essentially boils down to organizing for success around a few new principles.
That being said, I do spend a fair amount of time at the interface between the security world and the rest of the world: business, strategy, other technology disciplines and so on.
My sense is that most security professionals realize their world is changing fast, and they could use a bit of help in articulating to others why this matters, why a new approach is required, what it means, what should be done, and so on. It's in that spirit that I offer up my thoughts.
Given my predilection for over-simplifying things, I tend to write two equations on the whiteboard to get the conversation started.
Old school: new threat = new response
New school: new organizational threat = new organizational response
Conventional wisdom is that what's new about APTs isn't a specific threat (such as malware); it's how the attacker goes about their business: low and slow, social engineering, etc. In a nutshell, the attackers are now organizing differently.
Hence the need for a new organizational response.
National Security Analogies Abound
Frankly, it didn't sound very approachable.
Since then, I've come to appreciate the power of defense analogies for one simple reason: we are now essentially fighting a war against organized attackers. The domain, techniques and goals might be different, but -- at a high level -- it's now armed conflict in cyberspace.
As in any large-scale conflict, the tactics will quickly evolve, as must the responses. Needless to say, it's not going to go away anytime soon. And the sooner we can put our countries (companies!) on a "wartime footing", the better.
The sine qua non in this world is actionable intelligence: knowing what's probably going to happen ahead of time, and far enough in advance to take corrective action. That's how wars are generally won. And many believe that's how this particular war is going to be won.
Deconstructing Actionable Intelligence
Double-click on the concept, and you'll get two related themes. One is the "input side": the ability to figure out you've got a potential problem faster than before. The other is the "output side": now that you suspect there's a problem, how quickly can you effectively react?
The fundamental challenge -- at least in my mind -- is that we haven't constructed most information security functions to be really good at those two behaviors as their first and foremost goal. We've historically thought in terms of static and slow-moving threats, and correspondingly static and slow-moving responses.
In this new world, speed is everything.
If you're a student of WWII history, you're familiar with the Maginot Line.
The French constructed an "impenetrable barrier" of defenses along the border between Germany and France. The Germans then used their motorized capabilities to simply go around those defenses.
And On To The SBIC Report
The full report is worth downloading, reading and passing on to others, but -- at a high-level -- there's a lot of just plain and pragmatic common sense here.
For example, the suggested high-level approach has six components: start with the basics, make the case, find the right people, build new information sources, define processes and finally automate key components.
Personal note: it's funny when you see people go directly to automation and sort of attempt to bypass all the steps needed beforehand -- almost as if there were some sort of magic technology bullet that could make the world's problems go away.
In this schema (as with most schemas) automation and the associated process controls are a final step, and not an initial one :)
Dive deeper into the first step (starting with the basics) and you find such familiar tasks as inventorying your assets, examining your existing response processes, and having a current risk assessment in hand.
For the second step (making the case), the report suggests different approaches for constructing the value proposition, identifying and engaging with key stakeholders, and looking for "quick wins" at the outset.
The third step is finding the right people: keeping in mind that the profile going forward is very different than in the past.
The report describes the key role as a "cyber-risk intelligence analyst": someone who can blend an understanding of threats with business context, and can make specific recommendations on how to remediate threats.
Given that this critical skill set will undoubtedly be in very short supply for the time being, the report suggests approaches for building this capability from existing skill sets.
With the mandate and the team in place, you're on to the next step: building wider, deeper and more current sources of information.
It's at this point in the journey that new-school security starts to look awfully similar to the world of big data analytics and data science: working to create predictive models of what's likely to happen next by aggregating as many useful data sets as possible.
Data creates insight, which necessitates action; and you're on to the next phase: defining the processes you'll use to evaluate and act on the information you've gathered.
The processes themselves will likely not be static; they too will need to be continually evaluated and evolved for effectiveness -- with a strong bias towards speed and agility vs. rigidity and formality.
Finally, we can consider automating portions of the new environment, and the report does a good job calling out some suggested areas to consider. Personally, I don't think "automation" fully captures the gist of the concept here; it's more about introducing technologies that greatly magnify the capabilities and effectiveness of the core security team -- and not minimize their importance.
I Think I've Seen The Future
To paraphrase William Gibson: "the future is already here, it's just not evenly distributed". As part of EMC and RSA, I've gotten a glimpse into what the advanced practitioners are doing, sort of as a preview of what more people will likely be doing before long.
Both are using big data; sometimes *really* big data -- like multiple petabytes of security information. In the world of big data analytics, we talk about modifying workflows and applications to capture and leverage the insights of data scientists. In the new world of security, we talk about improving response processes to capture and leverage the insight of the new security analysts.
When you meet a company that's really proficient at data science and big data analytics, you're struck by the fact that it's not that unusual for them -- it's just the way that they do business in their world.
I think that -- before too long -- we'll look at the new world of information security and say the same thing: it's just the way we do business in this new world.