9 years ago

The Protection Revolution – A Needed Counter to Attacks

Scott Manson, Cybersecurity Lead - Middle East and Africa, Cisco
Scott Manson, Managing Director, Middle East & Turkey, McAfee

Just as technologies and capabilities for attackers have improved, so have technologies and capabilities for defenders. This gives us a unique opportunity to move toward security systems built on a foundation of broad-based visibility, depth of data collection, the ability to learn through correlation and context, and then dynamically apply controls.

The Industrial Revolution changed the world forever, creating faster, better, and more efficient sectors of the economy. Drawing on parallels to this period of history, much has been written about the “Industrialization of Hacking,” which has created a faster, more effective, and more efficient sector aimed at profiting from attacks on our IT infrastructure. Fueled by the convergence of mechanized and process-driven methods, economic and political incentives, weak links in the security chain, and new vulnerabilities in evolving business models, hackers are executing more sophisticated and damaging attacks. This era is profoundly changing how we must protect our systems, driving us to think about how to evolve our approach to cybersecurity.

As security professionals, we need to follow a similar trajectory to hackers and apply lessons learned from the Industrial Revolution to become faster, more efficient, and more effective in our sector: a “Protection Revolution,” if you will.

Hacking has evolved over time and protection will evolve over time as well. It requires moving along a scale of controls, from static through human intervention and semi-automatic to dynamic and predictive, as outlined below:

  • Static – Many traditional, point-in-time security technologies work this way: defenders wait for vendors to update protections. This approach worked fairly well when basic PC viruses were the primary method of attack, but today, in and of themselves, these controls don’t give defenders what they need to assess their security posture and make adjustments in real time. In some deployments these process-laden controls are intentionally static to meet regulatory compliance mandates. They do provide a baseline of protection, but they lack the agility to protect and scale in a constantly changing environment.
  • Human intervention – Visibility and intelligence are available, but defenders still have to change controls by hand. Labor-intensive intervention isn’t sustainable given the pace and complexity of attacks and the cybersecurity skills shortage. Although static controls are the reality for most organizations today, more Security Operations Centers (SOCs) are being built to compensate for the inflexibility of those controls and the dearth of trained internal staff. Relying on people to make every security adjustment is no match for modern threats, which use methods that make it easier, faster, and cheaper to launch attacks, penetrate the network, and change rapidly as they progress through the enterprise.
  • Semi-automatic – Some controls now act on their own, but practitioners lack confidence that they have the right intelligence behind those decisions, so they tend to revert to human intervention, leaving a window of opportunity open for attackers. That window matters most around highly sensitive data, precisely the data that well-funded and fast-moving attackers target. In semi-automatic environments protection begins to evolve, but it is not yet sufficiently standardized, mechanized, and process-driven to be as effective as required.
  • Dynamic – Dynamic controls rely on a high degree of automation: security systems respond to threats on their own. Automation was at the heart of the Industrial Revolution and it is at the heart of the Protection Revolution. It is the only way to combat modern attacks that circumvent protection using methods such as port/protocol hopping, encrypted tunneling, droppers, and blended threats that combine social engineering with zero-day exploits. With dynamic controls, security practitioners raise the degree of automation on the basis of ‘adaptive trust’: confidence in devices, users, and applications that is earned (or lost) over time.
  • Predictive – Predictive doesn’t necessarily mean seeing an attack before it happens; it means leveraging machine learning and advanced analytics to learn and improve intelligence continuously, so that controls, protection, and remediation can be prioritized. The foundations of predictive technologies exist but are in their early days. Over time they will continue to evolve and improve, unleashing the full power of a new era in protection.
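The scale above is easiest to reason about as a policy decision: a detection arrives with some confidence, the source carries some accumulated trust, and the product of the two selects how much automation is allowed. The following is an added, hypothetical example of such an adaptive-trust response policy; it is not code from the article, Cisco or McAfee, and every name, weight and threshold in it is an illustrative assumption. It shows the dynamic stage (automatic BLOCK for a high-risk source), the semi-automatic stage (CONTAIN while an analyst confirms), and the human-intervention stage (the same engine with automation switched off, where even a high-confidence detection only raises an alert and trust does not change until a person rules on it).

```python
"""Adaptive-trust response policy for the static -> human -> semi-automatic ->
dynamic scale. Added example, not Cisco or McAfee product logic; all names,
weights and thresholds are illustrative assumptions."""
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum


class Tier(Enum):
    ALLOW = "allow"      # observation recorded, no action
    ALERT = "alert"      # human intervention: an analyst must act
    CONTAIN = "contain"  # semi-automatic: isolate now, analyst confirms later
    BLOCK = "block"      # dynamic: enforced with no human in the loop


@dataclass
class Detection:
    source: str        # device, user or application the telemetry came from
    indicator: str     # what fired, e.g. "c2-beacon" or "port-hop"
    confidence: float  # 0.0-1.0, as reported by the detection engine


@dataclass
class TrustRecord:
    score: float = 0.5  # adaptive trust: neutral at first, earned or lost over time
    confirmed_malicious: int = 0


class ResponsePolicy:
    # Illustrative thresholds on the blended risk score (assumption; tune per estate)
    ALERT_AT, CONTAIN_AT, BLOCK_AT = 0.4, 0.6, 0.8
    CONF_WEIGHT, DISTRUST_WEIGHT = 0.8, 0.2

    def __init__(self, automated: bool = True):
        # automated=False models the "human intervention" stage: nothing is
        # enforced until an analyst looks, however confident the detection.
        self.automated = automated
        self.trust: dict[str, TrustRecord] = {}

    def record(self, source: str) -> TrustRecord:
        return self.trust.setdefault(source, TrustRecord())

    def risk(self, d: Detection) -> float:
        """Blend detection confidence with how little the source is trusted."""
        distrust = 1.0 - self.record(d.source).score
        return round(self.CONF_WEIGHT * d.confidence + self.DISTRUST_WEIGHT * distrust, 3)

    def decide(self, d: Detection) -> Tier:
        r, rec = self.risk(d), self.record(d.source)
        if r >= self.BLOCK_AT:
            tier = Tier.BLOCK
        elif r >= self.CONTAIN_AT:
            tier = Tier.CONTAIN
        elif r >= self.ALERT_AT:
            tier = Tier.ALERT
        else:
            tier = Tier.ALLOW
        if not self.automated and tier is not Tier.ALLOW:
            tier = Tier.ALERT  # everything waits for a person
        # Adapt trust: benign traffic slowly earns trust; an automatic block
        # removes a chunk of it at once. CONTAIN/ALERT wait for confirm().
        if tier is Tier.ALLOW:
            rec.score = round(min(1.0, rec.score + 0.05), 3)
        elif tier is Tier.BLOCK:
            rec.score = round(max(0.0, rec.score - 0.3), 3)
        return tier

    def confirm(self, source: str, malicious: bool) -> float:
        """Analyst verdict on an ALERT/CONTAIN; feeds back into the trust model."""
        rec = self.record(source)
        if malicious:
            rec.confirmed_malicious += 1
            rec.score = round(max(0.0, rec.score - 0.3), 3)
        else:
            rec.score = round(min(1.0, rec.score + 0.05), 3)
        return rec.score


def run(policy: ResponsePolicy, events: list[Detection]) -> list[tuple[str, str, str]]:
    """Feed a stream of detections through the policy; returns (source, indicator, tier)."""
    return [(d.source, d.indicator, policy.decide(d).value) for d in events]


# Constructed sample telemetry (not real data): host-b is quietly benign for a
# while, host-a beacons once at high confidence and then does something weaker.
SAMPLE = [Detection("host-b", "dns-lookup", 0.1)] * 10 + [
    Detection("host-a", "c2-beacon", 0.9),
    Detection("host-a", "port-hop", 0.6),
    Detection("host-b", "port-hop", 0.6),
]

if __name__ == "__main__":
    for row in run(ResponsePolicy(automated=True), SAMPLE):
        print(*row)
```

The point to notice is the last two sample events: the same 0.6-confidence signal lands on CONTAIN for host-a, whose trust was cut by the earlier automatic block, but only on ALERT for host-b, which earned trust through a run of benign observations. That is what "increasing degrees of automation based on adaptive trust" means in practice: the automation budget follows the source's history, and the analyst's confirm() verdict is the feedback path that keeps the trust scores honest.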
