State of Information Security - What we don't know is KILLING us

For those interested in Information Security, there is a LOT of information out there. In addition to the shows, conferences and seminars, there are vendor briefings and webinars, analyst White Papers, industry studies like those from Verizon and Mandiant, websites like Ars Technica and Dark Reading, dozens of blogs by leading security professionals and several thousand people and organizations worth following on Twitter.

The fact is, we know a tremendous amount about the state of the threat environment, and the impact of both new threats and old vulnerabilities, literally on an hour-by-hour basis.  And it is critical information, knowledge every security professional must have just to do their jobs. We need current information on the various species of malware in the wild, the exploits that are being leveraged, the patches that are available (and the ones that aren’t) and the social engineering and phishing strategies that make most successful attacks possible. This is the kind of knowledge that allows organizations to target their resources most effectively, to learn from the failures of others, to be prepared for new attacks as they are detected, and to build viable and effective strategies and policies to best protect their data, their customers and their employees.

But if you stop and think about it, what we know isn’t all that valuable.  Every attack we read about, every exploit that is analyzed and patched, every vulnerability announced, every new strain of malware, all of it consists only of attacks that have been discovered. In essence, we know a great deal about the failures, but much less about the successes. In a sense, it’s like real-world crime. All the criminals we know are in prison – that is, they failed at crime.  The successful criminals, the ones that we should be most worried about, are invisible because they have not been detected yet.

That’s very much the position of the modern information security professional. We spend our days hardening our networks against the attacks we know are in play, train our users to be aware of the tactics of hackers that have been discovered, and monitor our networks for the signatures of known malware and hacking tools. But what we really need to do is to think about the attacks that no one has detected yet, the ones that are silently compromising networks, stealing data and money and trade secrets RIGHT NOW.

The modern security infrastructure can no longer be dependent on third-party knowledge, signatures and history. The attackers are smart people, and they move fast.  They have a stockpile of zero-day exploits and powerful hacks of which the security community is unaware.  Predicating your organization’s information security on stopping attacks that have already been stopped cannot provide real security, but rather a false sense that we have “done all we can”.

There is no complete answer, and perhaps there never will be.  But our side isn’t just standing still.  There is much more that can be done.  Security intelligence platforms such as Securonix are powerful tools to detect previously undetectable attacks.  By integrating all the available network, identity and security systems data and applying an advanced set of behavioral analytics, Securonix can detect suspicious and anomalous activities without having to detect the actual network breach.  Securonix doesn’t keep the attackers out – you have plenty of tools for that, and they work as well as can be expected.  Securonix prevents the attackers from doing catastrophic harm once they’ve compromised your other defenses.  And at a fraction of the cost of an enterprise SIEM solution, adding the power of Securonix to your security stack is clearly an important step in protecting your network.

It would be a crime not to!