Cyber security news has been almost universally dispiriting for the last few years as the barrage of new exploits has created a sort of ‘breach fatigue’. As I wrote in this column, cyber security has been a losing game of whac-a-mole for years as the malefactors manage to pop out of new security holes faster than IT and their software suppliers can plug the last batch. With the knee-jerk IT response of reflexively adding another security product to patch the latest hole, the game has also been a costly one for businesses and end users, which have collectively spent billions of dollars on an increasing array of products and annual upgrades to address each new threat category and set of exploits. Of course, this has made the escalation of breaches quite lucrative for the security-industrial complex, both established multi-billion dollar firms like Symantec and McAfee (now Intel Security) and startups like FireEye and Palo Alto Networks, that have racked up multi-billion dollar sales and stock valuations in the past few years.
Yet the spending has arguably been a waste. The unrelenting onslaught of cyber criminals and their successful escapades demonstrate the need for dramatic changes to security product designs and substantial upgrades to enterprise systems and practices. Fortunately, some in the industry see the need, as Intel and its McAfee division illustrated by outlining a new security architecture at the recent FOCUS conference.
As I detail in the column, Intel used keynotes by GM Pat Calhoun and CTO Mike Fey to explain the firm’s integrated security architecture and the power of automated information collection and sharing between myriad security systems, what Gartner Research Director Lawrence Pingree calls “intelligence awareness”. The idea is to build security systems that continuously inform each other of newly detected threats and adapt their behavior in real time. This prevents the spread of detected and remediated threats via alternative distribution channels. For example, once a PC anti-malware system detects a dangerous PDF attachment, why not have a content filter block all files matching the signature at the network edge?
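The PDF scenario above, as an added example that is not Intel's or McAfee's code: an endpoint scanner publishes the hash of a detected file to a shared channel, and an edge filter subscribed to that channel starts blocking the same file. The class names, the in-process bus, the host name and the use of SHA-256 as the "signature" are assumptions; the sample PDFs are constructed.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class IndicatorBus:
    """Hypothetical in-process stand-in for a shared threat-intelligence channel."""
    def __init__(self):
        self._subscribers = []

    def subscribe(self, callback):
        self._subscribers.append(callback)

    def publish(self, indicator: dict):
        for callback in self._subscribers:
            callback(indicator)


class EndpointScanner:
    """PC anti-malware stand-in: on detection it remediates locally AND shares the hash."""
    def __init__(self, bus, is_malicious):
        self.bus, self.is_malicious = bus, is_malicious

    def scan(self, host: str, data: bytes) -> str:
        if not self.is_malicious(data):
            return "clean"
        self.bus.publish({"type": "sha256", "value": sha256_hex(data), "source": host})
        return "quarantined"


class EdgeContentFilter:
    """Network-edge filter that adapts its blocklist from shared indicators."""
    def __init__(self, bus):
        self.blocked = {}                      # hash -> reporting host, kept for audit
        bus.subscribe(self.on_indicator)

    def on_indicator(self, indicator: dict):
        if indicator["type"] == "sha256":
            self.blocked[indicator["value"]] = indicator["source"]

    def inspect(self, data: bytes) -> str:
        # Exact-hash match: only byte-identical copies of the reported file are caught.
        return "block" if sha256_hex(data) in self.blocked else "allow"


def demo():
    bus = IndicatorBus()
    edge = EdgeContentFilter(bus)
    flagged = b"%PDF-1.4 constructed sample, treated as flagged"   # constructed input
    benign = b"%PDF-1.4 constructed sample, treated as benign"     # constructed input
    scanner = EndpointScanner(bus, is_malicious=lambda d: d == flagged)
    before = edge.inspect(flagged)             # edge has no knowledge yet
    verdict = scanner.scan("pc-042", flagged)  # endpoint detects and publishes
    return before, verdict, edge.inspect(flagged), edge.inspect(benign)


if __name__ == "__main__":
    print(demo())
```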
Another critical aspect of a data-driven security design is linking incident detection with response. Says Fey, “Don’t just ring bells and blow whistles, but take action on indicators of attack.” It seems obvious, but so many security systems are just noise machines, logging alert after alert, making it impossible for stressed and overworked security staffers to analyze them all. Indeed, that’s one factor that led to the Target incident: the company’s security team either missed or didn’t appreciate the severity of warnings issued by its newly deployed FireEye system.
Intel’s strategy, and similar approaches using aggregated data from myriad security systems, promise to finally give businesses and IT security teams the upper hand against cyber attackers. I agree with Fey that by basing security systems on an extensible architecture of linked and communicating systems, security researchers and operations teams can accelerate the rate of defense innovation and deployment and finally squelch the wily moles before they have a chance to pop up from another hole.