I’ve happily managed largely to avoid getting entangled in the New Year’s ritual of security predictions, since these can, frankly, be fairly boring. But for those who expect such, here you go: Attackers will continue to succeed. Determined adversaries will become even more so. Moving one set of playing pieces does not alter the objectives nearly as much as it refocuses tactics.
Two overall trends exemplify some of the more visible aspects of threat evolution. As common exposures go unresolved, the packaging of commoditized attacks becomes what may be fairly qualified as “industrialized.” At the other end of the spectrum, the more dedicated adversary learns how to adapt a sequence of activities – many covert, but some neither particularly stealthy nor “advanced” – to targeting high-value objectives.
Note these recurring themes that have played a role at either end of this spectrum:
- Intelligence matters. Adversaries collect it to better understand the target and identify opportunity. Defenders need it to shape effective response.
- Coordination is also important. A logical sequence of activity is a hallmark of the more dedicated adversary, while the packaging of multiple and often complementary attack techniques has become a signature of industrialization. On the defense side, however, the coordination of defenses and response has too often been lacking, which presents an all too reliable opportunity to the adversary.
- Intelligence and coordination are often flip sides of the same coin. Understanding the nature and context of attacks and how threat activity plays out are key to getting a better handle on intelligence. The coordination of response, meanwhile, depends on accurate insight into where and how response can best be applied.
Closing these two gaps – in intelligence and in the integration of defense – is becoming a primary factor in shaping the security market. We have certainly seen these objectives emphasized in 2012. I expect these emphases to intensify in 2013.
“Hold on there a sec,” you say. “I thought you said intelligence and coordination. ‘Integration’ isn’t the same thing.”
True enough. In one sense, coordination means getting better at being nimble – and security has not exactly done well at being nimble. The fact that, for example, 92% of breaches in the caseload reported in Verizon’s 2012 Data Breach Investigations Report were discovered by a third party (up 6% from the prior year) is testimony to that.
Regardless, one definition of coordination (according to Wiktionary) is “making different people or things work together for a goal or effect” – and this has been a classic failure of security technologies. Prevention means a stronger defense capable of withstanding compromise – but far too often, we have failed to even so much as recognize the nature of compromise, to the point where prevention is no longer considered nearly as important as awareness and response. In fact, many of us are already so compromised in the strength of the posture we present to the adversary that we enable the industrialization of commoditized attacks. Meanwhile, our blindness is exacerbated not only by not taking advantage of a wider breadth of relevant information, but also by not making good enough use of the information we already collect. Adversaries of all kinds have exploited these weaknesses successfully.
Part of the problem is the nature of the security technology market, which has long been characterized by new widgets that arise in almost a knee-jerk reaction to the Latest Hot Thing. If the Thing is Hot enough, a bunch of widgets compete with each other for the same buzz (and beg us analysts to declare them a Market Segment). And as with many venture plays, a key objective of many of these startups is exit through acquisition. But acquisition of the Latest Hot Thing without a vision for how it integrates into a greater whole has caused problems for some acquirers, who seem at times only to have seen the opportunity to grab markets and revenue at the expense of long-term effectiveness.
When it comes to informed and effective response, this sort of approach is doomed to failure. Keeping intelligence and response tactics isolated and dysfunctional is one of the biggest overall exposures the adversary can exploit. (It’s also an aspect of the immaturity of many approaches to security product development, which is itself a problem that may lead to bigger issues in the future, as Jeremiah Grossman suggests.)
This, then, is why I believe defense must embrace a more mature and integrated approach – and it’s not that I’m particularly Pollyanna (or even optimistic) about this, given how poorly we’ve done with such efforts in the past. But I also believe this past failure is a good deal of the reason why integrated defenses are already making their appearance. It is an aspect of technologies that target “advanced” threats that are making a significant impact on the security product market – and which will continue to do so as intelligence becomes an ever-greater aspect of integration – while “next generation” defenses should, by definition, attack these weaknesses (as certain aspects of securing more capable mobile devices already do).
These are big goals that we’ve had as an industry for a long time – but the fact that “too difficult to distinguish which security actions or policies are working, and which are not” and “poor integration among security tools” were the top two frustrations with security technologies reported by working professionals in our 2012 research suggests (to put it, um, gently) that we have a long way to go.
With these factors in mind, I’ll take a look in upcoming posts at how the integration and coordination of techniques are shaping new and emerging approaches to defense, and where “data-driven security” is headed today – beginning with my next post, in which I’ll take a look at the major players bringing “Big Data” and modern analytics to bear on security intelligence.