Traditional security approaches and technologies are failing to keep attackers out, indicating a need to rethink security, according to Ashok Sankar, director of cyber security at Raytheon-Websense.
“While we cannot guarantee 100% security, we can try to ensure that there is no undue harm, that attacks are contained and the impact is limited,” he told the RSA Conference 2015 in Abu Dhabi.
Echoing the keynote address by RSA president Amit Yoran, Sankar said traditional security strategies are failing to keep up with the continually evolving cyber threat landscape.
“We need to accept that determined attackers will get in and that we have to operate under the assumption of compromise,” he said.
However, Sankar said businesses are looking to reap the benefits of new technologies such as cloud, social networks and mobile to grow, reach new markets and gain additional competitive advantage.
“As technology innovations promise greater productivity and other business benefits, security cannot be a burden; it needs to enable business to navigate the risks these technologies pose,” he said.
Sankar said traditional approaches to security are making organisations more porous and vulnerable to attack, so they need to rethink security to become more resilient.
“I am not saying that we have to throw out the decades of hard work we have done because a lot of what we have and do is quite relevant, but we need to reframe our thinking and adjust our strategies to function in this new environment of conflict,” he said.
Educate staff about cyber threats
Because employees will use whatever devices and technologies they can to get their jobs done more easily, the role of information security professionals, he said, is to enable employees to do that securely.
“This means understanding their needs, explaining to them the security implications and coming to a consensus on what can and what cannot be done. If employees want flexibility, they must understand the responsibilities that go with that,” said Sankar.
It makes no sense to count breaches and threats any more. A more useful metric is dwell time – the time from breach to detection and containment Ashok Sankar, Raytheon-Websense
However, he warned that this is a process of transformation that takes time. “But we have to start somewhere. Security used to be a one-way dictation, but now needs to be a two-way conversation.”
In addition to understanding employees’ needs, Sankar said information security professionals need to understand the businesses they support.
“It is important to understand what are the sources of revenue, who the stakeholders are, what fuels our business, who buys from us, who is in our supply chain, what information is important to our business and so on,” he said.
Security as a business enabler
Allied to this, Sankar said that as the business increasingly looks to security as an enabler, it is more important than ever for information security professionals to bridge the traditional communication gap between themselves and business executives.
“By understanding the business, information security professionals will be able to engage business executives in terms they understand, and knowing what data the business collects, why and what is critical data helps devise sensible protection strategies,” he said.
Sankar said that by classifying data, information security professionals can segment different data types on the network and apply the greatest controls only to the most critical and valuable data.
“Our goal is to make it extremely difficult, if not impossible, to get to an organisation’s critical information, while ensuring authorised users have secure access and are not impeded,” he said.
Accepting the adversaries are likely to breach perimeter defences also requires a new kind of metric, said Sankar. “It makes no sense to count breaches and threats any more. A more useful metric is dwell time – the time from breach to detection and containment,” he said.
Identify security breaches through data analytics
To enable this, however, he said information security professionals need an enterprise view of exactly what is going on across the corporate network in a single place in real time.
“This will enable information security professionals to zero-in on any malicious activity and take fast, decisive action,” he said, which also requires monitoring user activities and understanding their behaviour so that anomalies can be detected.
“Attackers are increasingly roping in people with legitimate access to systems to get past security controls, but most organisations typically lack a view of insider activity and behaviour,” said Sankar.
“To truly understand what is happening in the enterprise and prioritise what needs attention, raw data is not enough – we need it in context to reduce the noise and generate only relevant alerts through the use of data analytics,” he said.
Sankar said that by understanding what is happening across the enterprise and learning what the attack profile looks like, information security professionals can set up appropriate policies and controls.
“Such adaptation is about taking learned behaviours and using that to our advantage to reliably contain and neutralise emerging threats so that critical data stays protected from threat or compromise wherever it resides,” he said.
By using this approach to achieve greater resiliency, Sankar said information security professionals can defeat adversaries and become business enablers.