IT security “fire drills”, supported by executive management and the risk committee should be conducted regularly in organisations, in order to understand the appropriate course of action in advance of a security breach.
So says Neil Campbell, group GM for Dimension Data’s Security Business Unit, who points out that technologies and services focused on incident response – rather than just incident prevention – should be one of the trends high on the agendas of security professionals in 2015.
This is the top trend on the list of Dimension Data’s team of security experts, following daily interactions with clients. Data breaches such as the March 2014 Target hack, the biggest retail hack in US history, as well as allegations of state-sponsored hacking, are a strong warning that organisations need to move beyond focusing purely on the prevention of security incidents, and start to concentrate on what they will do when an incident occurs.
“It’s inevitable that security incidents will occur. It’s therefore critical that organisations begin to focus on identifying what we call ‘indicators of compromise’, putting a comprehensive incident response plan in place, and performing regular IT security ‘fire drills’”, explains Campbell.
He points out the regular fire drills – or rehearsals – will ensure that, in the event of an incident, IT and management teams are clear about what needs to be done, and the business is less at risk. This includes recovering evidence, identifying and resolving the root cause of the incident (not just the symptoms), and undertaking a forensic investigation.
So what other issues are on the watch-list in 2015 for IT security professionals?
Matt Gyde, Dimension Data group executive – Security Business Unit, says, “We’ve identified what we believe to be five of the most significant trends in our industry for 2015. These are not the only areas where change is occurring. However, they certainly warrant discussion.”
He points out that a trend that did not make the top five list, but which is closely linked to each is the use of data and machine learning, which, when coupled with human interaction can create actionable and contextualised intelligence. “This enables organisations to make rapid decisions on how to protect themselves against a pending attack, how to respond during the attack, and what action to take post-attack.”
In the Target incident, signs of the intrusion showed up in the company’s event monitoring systems, but the overall volume of alerts was so high that the significance of these signs was missed. It is worth noting that Target’s CIO, and subsequently its CEO, were dismissed over this incident.
Managed security services move front and centre
For most businesses, identifying IT security incidents swiftly requires 24/7 coverage of the network environment. This can be costly; IT security professionals are scarce, and require regular training to keep abreast of ever-evolving technologies. However, there’s a drawback to the insourcing model, explains Campbell.
To become truly proactive about incident response, organisations need visibility of other networks and to be kept abreast of attacks occurring elsewhere.
Gyde agrees and says that in recent years security management and monitoring have become more complex and time-consuming. Today, you need to prevent what you can and manage the inevitable compromises. This means optimising your detection and response capabilities. Many businesses lack the skills required to detect and effectively respond to threats in this manner.
“Managed security services providers have teams of security professionals focused exclusively on identifying potential malware and monitoring thousands of clients’ networks for precursors to denial-of-service attacks. Incidents don’t happen out of the blue: usually there’s ‘chatter’ on the popular ‘dark Web’ channels beforehand. Dimension Data, for example, monitors these channels very closely which significantly increases the likelihood that we can forewarn our clients ahead of impending attacks.”
IT security gets cloudy
Both Campbell and Gyde predict a continued increase in the adoption of cloud services for security in 2015. “This holds true for software-as-a-service solutions, such as secure Web proxy, and secure email in the cloud. These solutions are particularly attractive as the implementation effort is negligible – you’re simply redirecting traffic to take advantage of the service through a consumption-based model.
“And the services are highly scalable. If you need to support 20 000 users today and you acquire a company and your headcount suddenly increases to 30 000 in six months, you simply amend your licence agreement, and your new employees will be up and running immediately.”
Application security in the cloud and cloud-based, distributed denial-of-service controls such as those offered by Akamai are other areas of growing interest.
According to Campbell, security of the cloud will become increasingly important as more organisations move their workloads to the cloud. “It’s no good adopting this model only to be told by your auditors a year later that your cloud provider’s security protocols aren’t up to scratch. I believe we’ll see cloud providers investing heavily in building rich network architectures that support the gamut of security controls, so that they can assure their clients that enterprise-grade security technologies are being applied to their workloads.”
Gyde agrees and says that there’s still some work to be done within the cloud industry and security. “The most secure platforms in the world can still be compromised by human error or poor management,” he adds and points out that another area that needs attention is integration with existing organisational policies and processes.
“It’s very easy for start-up companies to transition to the cloud as they have no legacy physical infrastructure, and can implement “greenfield” security controls. Larger, more established businesses find the prospect of cloud more daunting, as they’re unsure of how to adapt their security controls, policies, and processes to this model.”
From security technologies to secure platforms
2015 will also see the notion of security as a secure platform – rather than a series of point products or devices on the network – gaining traction. The expectation of security professionals will be to deliver a secure platform that allows the business to confidently run multiple applications in a secure environment.
Gyde says for many years, organisations typically bought multiple security products from different vendors. While this helped create ‘defence in depth’, it also introduced complexity and potential risk. After all, 95% of successful attacks may be attributed to human error, rather than technology.
“Increasingly, organisations are weighing up their risks and making buying decisions that aren’t necessarily based on best-of-breed technology and are instead adopting a pragmatic, risk-based approach where they work with their existing infrastructure and partners to manage their risks to an acceptable level, rather than aiming for, but never achieving, ‘perfect’ security.”
The concept of cloud and its pay-per-use model is also relevant to this discussion. Organisations want to replicate the consumption-based approach of cloud in an on-premise model, either independently owned, or owned by a trusted service provider or vendor. Increasingly, organisations prefer security partners that are prepared to take on some of the financial risk, while also offering a flexible service construct, for example, one that allows them to turn on a firewall at short notice to deal with a specific event, and then spin it down when the requirement has passed.
The notion of a secure platform directly relates to organisations’ desire for a ‘single pane of glass’ through which to manage their security assets, delivered on-premise, hosted, or as cloud infrastructure. Essentially, this enables robust security to ‘follow’ an organisation’s applications, data, and workloads without any compromises or changes in technology or management being required.
This approach also supports and aligns with enterprise mobility requirements for corporate data to be accessible to users anytime, anywhere, and from anyplace.
Endpoint security back in vogue
Campbell predicts a resurgence in interest in endpoint security in the industry. “This is closely tied to the first trend we discussed – incident response – and the fact that some traditional network-based security controls aren’t as effective as they used to be.
“Security professionals will be looking at devices – whether they’re PCs, Macs, or smartphones – for indicators of compromise, and then enabling some form of incident response process. They’ll deploy technologies to endpoints to make incident response easier,” he says.
Application control is also expected to re-emerge as a key focus area for 2015. However, emphasis will be on identifying malicious activity on the endpoint, rather than malicious code. “While user awareness of information security best practices is a key priority, at some point someone is going to click on something they shouldn’t, so organisations must be proactive about managing the impact of such events,” Campbell concludes.