RSA Europe 2013: Better Enterprise Security Lies Firmly in the Cloud

RAI Center in Amsterdam, site of RSA Europe 2013. All rights reserved by RSA Conference

Each set of defensive technologies, like the organizations that deploy them, operates as a separate fiefdom, often unable or unwilling to share the information that would let novel security threats be identified more quickly. This was the current state of security as outlined by Steven Trilling, CTO for Symantec, during an RSA Europe keynote address given this week in Amsterdam.

Moving forward, however, a more effective approach to enterprise security will be outsourced to experts “who can leverage economies of scale…but also result in large improvements in protection because the security provider has visibility across an entire customer base”; enterprises will no longer operate as separate security silos and “will become part of a community” that leverages multi-organizational intelligence to better defend the entire digital ecosystem. This provider would also integrate the customer’s disparate security products, relieving organizations of a burden many now shoulder on their own.

“As a result”, Trilling predicted, “in our future to be, attacks – including even the very most complex targeted attacks – will be discovered in minutes or hours, rather than in months, years, or never.”

To achieve this, Trilling said all of the transactional network data – from login attempts to emails – should be recorded and stored in one place. This central repository would collect event and transaction data from on-premises, cloud-based, and mobile device systems, and would serve as a massive historical intelligence source that can be leveraged to help prevent future attacks, as well as aid in subsequent forensic investigations.

The vision, as he put forward, was a “massive global sensor network” that would gather intelligence from hundreds or thousands of organizations and would be a large sea change from how security and event information is gathered and interpreted in today’s environment. “What I’m proposing is many orders of magnitude larger and more complex [than SIEM]”, Trilling explained. “I’m talking about a massive, cloud-based, multi-tenant repository of security telemetry – a repository that can be mined using Big Data techniques that don’t span hours, but weeks, months or years. I’m talking about attacks that can only be detected by connecting the dots across multiple enterprises. Show me a SIEM product that can do that.”

By contrast, as the world exists today, “targeted attackers have the persistence and patience to execute their campaigns over months or years”, Trilling noted. “They deploy sophisticated social engineering techniques to target unsuspecting victims”, and each campaign can be tailored to suit their needs.

On the other hand, as Trilling explained, are the defenders, who “are fighting an asymmetric battle”. Information security professionals have access to hundreds of technology-based solutions to prevent attacks, but so do the attackers, “who have the blueprints to our defenses” he commented. “So right out of the gate we are at a disadvantage.”

Point security solutions like email filtering, firewalls, and anti-virus will remain requirements in future enterprise security, Trilling predicted. “The problem is that each of these point security solutions is an island”, each with its own console and view of the security landscape, along with generating massive amounts of log data. “In most cases”, he lamented, “these security products don’t interact with each other. In many cases, companies do not have the time or the expertise to examine all of this data.”

It’s not simply a matter of integrating these products to share information, as the Symantec CTO explained. With an ever-increasing number of security technologies on the market, the complexity involved would be nearly insurmountable.

Add to this a shortage of administrators, said Trilling. Not only are they expensive to employ, he argued, “these administrators don’t always necessarily have the time or the background to keep up with the newest capabilities of the attackers, or learn their latest techniques”. The problem is compounded further by targeted attackers, whose persistence makes network infiltration a foregone conclusion once an organization has been singled out.

Correlating the data produced by these “myopic systems” using security information and event management (SIEM) systems is not a solution to the problem, Trilling asserted. “SIEMs are only as good as the data they collect”, he said. “If the security products that feed events to them don’t see a targeted attack – or don’t detect an indicator – then the SIEM probably won’t see the attack either. Furthermore, SIEMs can only correlate events that fit into their limited time window – typically a few minutes to a few hours.”

SIEMs, as Trilling concluded, might detect the occasional attack, “but they hardly solve the bigger problem”.

The new approach the Symantec CTO laid down was not a simple reinvention of SIEM, he insisted. SIEM, as he explained, aggregates data from a single organization and detects attacks over a short window of time. “They do not mine months of archived telemetry to detect attacks”, Trilling said to draw a contrast.
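To make the contrast Trilling draws concrete, here is a small added illustration written for this article; it is not code from Symantec or anything shown at the keynote. It runs one per-tenant, hours-long correlation rule of the kind the keynote attributes to SIEMs over constructed telemetry, and then mines the same telemetry across all tenants over a span of months. The tenant names, timestamps, sender domains and IP address are invented sample data; the prevalence cut-off that discards indicators every tenant sees (a mailing list is not a campaign) is my own assumption about how such mining would have to be tuned, not something the keynote specified.

```python
"""Short-window, single-tenant correlation versus long-window, multi-tenant
mining of the same security telemetry. Added example; constructed data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry (not real data): (tenant, ISO timestamp, event, indicator).
TENANTS = ["acme", "globex", "initech", "umbrella", "hooli", "wonka", "stark", "tyrell"]
TELEMETRY = [
    # A mailing-list sender every tenant sees: common, therefore background noise.
    *[(t, f"2013-0{1 + i % 6}-15T08:00:00", "email", "mail-from:newsletter.example")
      for i, t in enumerate(TENANTS)],
    # A low-and-slow campaign: one spoofed sender domain, three victims, weeks apart.
    ("acme",    "2013-01-08T09:12:00", "email", "mail-from:invoice-portal.example"),
    ("globex",  "2013-02-19T14:03:00", "email", "mail-from:invoice-portal.example"),
    ("initech", "2013-03-27T08:45:00", "email", "mail-from:invoice-portal.example"),
    # A noisy burst a SIEM does catch: six failed logins from one source in six minutes.
    *[("acme", f"2013-05-01T03:{m:02d}:00", "login-fail", "src:198.51.100.7")
      for m in range(10, 16)],
]


def parse(rows):
    """Normalise raw rows into dicts sorted by timestamp."""
    return sorted(
        ({"tenant": t, "ts": datetime.fromisoformat(ts), "event": e, "ioc": i}
         for t, ts, e, i in rows),
        key=lambda r: r["ts"],
    )


def siem_alerts(events, tenant, window=timedelta(hours=4), threshold=5):
    """Per-tenant sliding-window rule: alert on an indicator that recurs at
    least `threshold` times within `window`. This is the only shape of
    correlation the keynote credits SIEMs with: one organisation, hours at most."""
    mine = [e for e in events if e["tenant"] == tenant]
    alerts = set()
    for i, e in enumerate(mine):
        in_window = sum(1 for f in mine[i:]
                        if f["ioc"] == e["ioc"] and f["ts"] - e["ts"] <= window)
        if in_window >= threshold:
            alerts.add(e["ioc"])
    return alerts


def cross_tenant_campaigns(events, min_tenants=3, max_prevalence=0.5):
    """Long-window, multi-tenant mining: an indicator seen in at least
    `min_tenants` distinct tenants, over any span of time, but in no more than
    `max_prevalence` of all tenants (assumed cut-off: something everyone sees is
    background, not a campaign). Returns {ioc: (tenants, first_seen, last_seen)}."""
    all_tenants = {e["tenant"] for e in events}
    seen = defaultdict(lambda: {"tenants": set(), "first": None, "last": None})
    for e in events:
        s = seen[e["ioc"]]
        s["tenants"].add(e["tenant"])
        s["first"] = e["ts"] if s["first"] is None else min(s["first"], e["ts"])
        s["last"] = e["ts"] if s["last"] is None else max(s["last"], e["ts"])
    found = {}
    for ioc, s in seen.items():
        n = len(s["tenants"])
        if n >= min_tenants and n / len(all_tenants) <= max_prevalence:
            found[ioc] = (frozenset(s["tenants"]), s["first"], s["last"])
    return found


def run():
    """Compare both views over the constructed telemetry."""
    events = parse(TELEMETRY)
    per_tenant = {t: siem_alerts(events, t) for t in TENANTS}
    campaigns = cross_tenant_campaigns(events)
    return per_tenant, campaigns


if __name__ == "__main__":
    per_tenant, campaigns = run()
    for t, alerts in per_tenant.items():
        print(f"SIEM view, tenant {t}: {sorted(alerts) or 'nothing'}")
    for ioc, (tenants, first, last) in campaigns.items():
        print(f"cross-tenant view: {ioc} hit {sorted(tenants)} "
              f"between {first.date()} and {last.date()}")
```

Run as a script, the per-tenant rule fires only on the login burst at one tenant and never on the spoofed sender, because no single tenant sees it more than once; the cross-tenant pass surfaces that sender across three tenants over roughly eleven weeks and ignores the newsletter domain that all eight receive.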
