
Criminal Education 3: Disrupting the Adversarial Market

This part of Art Gilliland's keynote covers his view of the measures for preventing breaches and highlights the role of intelligence in that effort.

Building anti-adversary capability

I think we need to define a new defense in depth for us. And part of that is building our capabilities at each stage of their value chain (see right-hand image). And so, obviously, we do some of these things. We help to try to teach our users how to be less vulnerable. How can you interact with the Internet without hitting on the links that are going to download the virus to your laptop? We spend money building capabilities to block the adversary, keep them out, whether it’s identity, whether it’s anti-virus, figure out your control.

Blocking outer access

But we spend a good amount of our resources to try to keep the adversary out of the organization.

Detecting in case of infiltration

We need to be building technologies to help us find the adversary after they’re inside and before they’ve stolen data. And why is that? If we put all our money and all our chips in one category, in the blocking technology, they are the best in the world and they only need to be right one time. And so finding them after they’ve gotten inside before they’ve stolen data is important.

Protecting valuable corporate information assets in case the infiltration did take place

The second part is they are still going to get past that; they are extraordinarily good at evading us, and we see that in the data: 94% of the time someone else tells us they’re inside. And so – building more capabilities to protect the sensitive data we have (see left-hand image). And yes, there are physical attacks that are occurring, but I think for the vast majority of the folks in this room the real challenge for us is information theft. Customer information, our sensitive IP that helps us be more productive – that is the risk we face.

Planning damage mitigation

And then the last part of this is capabilities for responding after they have won (see right-hand image). The amount of money we spend in breach response can be massively mitigated if we can remediate faster and if we have a plan for how we’re going to talk to our customers, how we are going to sort of save our reputation as we go. Our job as security professionals is to mitigate the damage created by these breaches.

So that’s how we build this new defense in depth. I was very curious when we went through this process as we’re starting to evolve the thinking as we work with our customers, and granted this is a simple model, simplification of the model, I was interested: “How much do we spend as an industry today in these categories?”

Resource-heavy infiltration prevention

And we found out something very shocking in the research. We spend five times as much money in the infiltrate to block the adversary as we do in the entire rest of the chain. 86% or so of our expenditures go into blocking the adversary. And so we’ve built our defenses as a big shield around us, hoping that they won’t get in, but we’ve already defined that they are the best in the world and they only have to be right one time.

And this is where I think the big data benefit comes to us: understanding what’s happening, seeing what’s going on allows us to find the adversary after they’re inside and before they’ve stolen data. And that’s going to be a critical capability for us as we move forward with this type of adversary, this market-based adversary.

As you think about how we spend, even in this case; and I’ll give you one quick diversion, I apologize for this, one quick diversion about it: if you think about how we’re spending, even in our place, are we using the intelligence we have?

We already know, as we talked about earlier, that 84% of the breaches attack the application layer. If that’s true, then application security should be fundamental. But how much of that 5 times of the blocking are mitigations to protect that application layer still?

Focusing on the data, what the data tells us, and then trying to figure out what we need to do about it is part of the question, but we’ve got to act on it. And if we can act, if we do act with that data, then the promise of these big data platforms that we’re talking about is extraordinary.

Consolidating the intelligence

The ability to pull data in from all different sources to really consolidate the intelligence, whether it’s from inside the organization or outside the organization, bringing that context together, so that we can understand what’s happening and really make a more informed decision because of that idea, is going to change the way we think about that.

And we’re currently working with customers to watch sentiment of their employees and of the outside, combine that with the access, abnormal access patterns that you might see in your environment, and with sentiment and access you can try to find those malicious insiders.

Other organizations are pulling data from cyber criminal networks to try and look for and scan for their sensitive information that might be sitting out there on the Internet to better identify if there has been a breach.

And we also have recently talked about the ability now to collect information, not only from your internal systems, and pulling all your intelligence from your internal systems, but also from the cloud environments you might be adopting, whether those are salesforce.com, or Box, or pick your cloud service provider, to be able to get a much better picture of the context that exists within your environment.
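The combination described above, sentiment joined with abnormal access patterns to surface malicious-insider candidates, can be sketched as a small scoring routine. The following is an added example for this write-up, not code from the keynote or from any HP product: the log format, the sentiment feed, the working-hours window and the scoring weights are all constructed assumptions, and every event below is made up. It baselines each user against their own earlier days, flags volume spikes, off-hours activity and never-before-seen resources on the latest day, and then adds weight only for negative sentiment, so that a disgruntled score alone, or an anomaly alone, ranks lower than both together.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed access log lines: "<ISO timestamp> <user> <resource> <bytes>".
# These are made-up events for illustration, not data from the keynote.
ACCESS_LOG = """\
2014-03-01T09:00:00 alice fileshare://finance/q1.xlsx 20480
2014-03-02T09:05:00 alice fileshare://finance/q1.xlsx 20480
2014-03-03T09:12:00 alice fileshare://finance/q1.xlsx 20480
2014-03-01T09:00:00 bob fileshare://hr/payroll.xlsx 10240
2014-03-02T10:00:00 bob fileshare://hr/payroll.xlsx 12288
2014-03-03T23:15:00 bob fileshare://finance/q1.xlsx 40960
2014-03-03T23:40:00 bob fileshare://rnd/designs.zip 102400
2014-03-01T08:30:00 carol fileshare://rnd/designs.zip 8192
2014-03-02T08:45:00 carol fileshare://rnd/designs.zip 8192
2014-03-03T18:30:00 carol fileshare://rnd/designs.zip 8192
2014-03-03T11:00:00 dave fileshare://rnd/designs.zip 4096
"""

# Constructed per-user sentiment in [-1, 1] (e.g. from an HR survey or a
# communications-analytics feed); an assumed input, not part of the talk.
SENTIMENT = {"alice": 0.4, "bob": -0.8, "carol": 0.1}

OFF_HOURS_START, OFF_HOURS_END = 22, 6   # assumed working-hours policy


def parse_events(text):
    """Turn raw log lines into (datetime, user, resource, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, resource, size = line.split()
        events.append((datetime.fromisoformat(ts), user, resource, int(size)))
    return events


def is_off_hours(ts):
    return ts.hour >= OFF_HOURS_START or ts.hour < OFF_HOURS_END


def access_anomalies(events):
    """Per user, compare the latest day against that user's own earlier days.

    Returns {user: {"volume_z": float, "off_hours": int, "new_resources": int}}.
    """
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)

    result = {}
    for user, evs in by_user.items():
        daily = defaultdict(int)          # date -> bytes moved that day
        seen = defaultdict(set)           # date -> resources touched that day
        for ts, _, resource, size in evs:
            daily[ts.date()] += size
            seen[ts.date()].add(resource)
        days = sorted(daily)
        last, baseline = days[-1], days[:-1]
        last_evs = [ev for ev in evs if ev[0].date() == last]

        if baseline:
            hist = [daily[d] for d in baseline]
            mu, sigma = mean(hist), pstdev(hist)
            if sigma > 0:
                z = (daily[last] - mu) / sigma
            else:
                z = 3.0 if daily[last] > mu else 0.0   # flat baseline: any rise is notable
            known = set().union(*(seen[d] for d in baseline))
            new_resources = len(seen[last] - known)
        else:
            # First day this user appears: nothing to compare against, so
            # volume and novelty cannot be scored yet (avoids noisy alerts).
            z, new_resources = 0.0, 0

        result[user] = {
            "volume_z": z,
            "off_hours": sum(1 for ev in last_evs if is_off_hours(ev[0])),
            "new_resources": new_resources,
        }
    return result


def insider_risk(events, sentiment):
    """Combine access anomalies with sentiment into one ranked list.

    The weights are illustrative assumptions; tune them against real data.
    Returns [(user, score, anomalies)] sorted by descending score.
    """
    scored = []
    for user, a in access_anomalies(events).items():
        s = sentiment.get(user, 0.0)
        score = (2.0 * min(max(a["volume_z"], 0.0), 3.0)   # volume spike, clipped
                 + 1.0 * a["off_hours"]                    # events outside working hours
                 + 1.5 * a["new_resources"]                # resources never touched before
                 + 3.0 * max(-s, 0.0))                     # negative sentiment only
        scored.append((user, score, a))
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for user, score, a in insider_risk(parse_events(ACCESS_LOG), SENTIMENT):
        print(f"{user:6} risk={score:5.1f} {a}")
```

Running it ranks `bob` far above the others: his last day combines a volume spike, two off-hours events, two resources he had never opened and strongly negative sentiment, while users whose only signal is one of those factors stay near zero. The per-user baseline is what keeps the output from simply flagging the heaviest users, and the deliberate skip of first-seen users is the kind of edge case that otherwise floods an analyst queue.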

So, as a veteran of this industry, I am actually pretty excited about the promise that big data has for us. I think if we can figure out a way to make it actionable, that is going to be something that really changes the game for us. But I think we can make it matter more than that. I think we can make big data matter more for security. And to do that we need to make sure that our ecosystem is as efficient at finding, creating and sharing intelligence as our adversary’s ecosystem.

And so what I would pose to this audience and to our industry is a challenge. If you think about the capabilities we have today, with cloud computing and the power that that allows us to harness for building collective processing power, and you combine that infrastructure that we have out there, this cloud infrastructure, with the power of big data to analyze information.

My challenge is this: I think we can get a lot better if we share our information, analyze it in a central location. Big data as the basis can give us the power to build a platform for jointly analyzing security data, for sharing that information. And if we do that, I think we can make my daughter right, and we can fight and win together. Thank you very much!
