In the dream world, a phalanx of capable security professionals meets the CISO as the limo pulls away. The team delivers a swift status update, deducing definitively that there is no risk to the organization. All patches are up-to-date, the sophisticated array of expensive next-generation technology has, of course, detected the malware lobbed at a few renegade employees overnight and the meticulously planned security training is proceeding well. Everything is ship-shape. There is even time for a latte before a meeting on the status of the on-time and on-budget mobile device deployment.
Back in the real world, the CISO (also network admin, head of digital transformation and go-to guy for broken technology) arrives late after abandoning his car in a residential estate two miles away. A chance meeting with Graham in Customer Support adds a ransomware-infected laptop to his workload. Once at his desk, he opens a plethora of vendor dashboards. As many as ten endpoints ambiguously flash orange, two ‘unknown’ devices have snuck into places they probably shouldn’t, a basket of malware has been quarantined and forensically analyzed in intricate detail and, hidden beneath the open tabs, a potentially suspicious network event is quietly sidling up to the customer database. Unfortunately, it’s also now the staff meeting and this, combined with Graham’s encrypted business-critical data (including family photos), means he doesn’t get time for the threat data until lunchtime. By which time, the customer database has eloped with the network event.
This is the reality for many, particularly those at SMEs where budgets are thinner. The industry says security teams cannot plan strategically because they are busy dealing with the incidents directly in front of them. I would go further. Many cannot now even respond to what is in front of them, because there is simply too much.
Data was the great white hope. After all, by having access to more enemy intelligence, we can make better-informed decisions, right? Wrong. More data is just more data. Humans have limits to how much they can process and, ultimately, someone still has to press the buttons.
The sector is responding to this in a number of ways. Firstly, there are signs of a trend towards stripping back the number of solutions deployed. Layers are good practice, but with them come numerous management consoles, which produce a never-ending stream of separate threat feeds, pie charts, line graphs and reams of other intel. Nowadays, speed is vital to prevent contamination or to stop malware from ‘side-stepping’ from its primary point of entry. An abundance of data from a plethora of different vendors who don’t talk to one another doesn’t help.
The second attempt to address the problem of ‘too much data, not enough action’ has been the gradual development of technology designed to automate decisions. Advancements in machine learning and artificial intelligence are perfectly timed to help not only cut through the vast swathe of information, but also take on the burden of some of the decisions that might otherwise have been pushed onto the IT team. It will be interesting to watch this trend develop and see how it impacts the human job, day to day.
Finally, there is consolidation and innovation with the aim of unifying data at the product level. Big and medium-sized vendors are either looking to scoop up smaller companies with specialisms or partnering with them. It is at the smaller end of the market where the real innovation on this issue is taking place, as these companies seek to create platforms capable of offering easily updatable cloud services. In effect, a unified central source of all threat intel and prevention, an app store for enterprise security, for want of a better descriptor. This requires a shift in mindset, but one which has now gained unstoppable momentum as the cloud continues its march into areas once dominated by tin boxes and racks of twinkling lights.
Gradually, over time, I think we will see less talk of data and more of outcomes. Data is obviously still crucial, after all humans and machines cannot make decisions without it, but in isolation it is not enough. Instead, the market will evolve away from distinct layers and towards an approach with lots of additional products plugged into, and reporting back to, a central unified platform. Not only will this help address the rising tide of threats, but it will also mean security professionals might have time for coffee in the morning.