IT Briefcase Exclusive Interview: Security Paradigms Shift from Prevention to Incident Response

There have been 3,833 publicly disclosed data breaches in the first nine months of 2017, exposing more than seven billion records which is causing harm to more than half the individuals in the US* that are now in danger of identity theft. Companies are also feeling the heat financially. For example, the average cost of a data breach is reaching $3.62 million according to a report by IBM Security and the Ponemon Instituteandcybercrime will cost more than $6 trillion annually by 2021 as estimated by Cybersecurity Ventures. The number of attacks are overwhelming defenses and no one system or network is immune.

• Q: With so many security products being purchased, why are security breaches still so prevalent?

A: For decades, security vendors have told companies, “buy my product and it will keep you safe.” Organizations have essentially placed all of their time, energy, and budget into trying to prevent bad things from happening. This focus on prevention has certainly helped reduce risk, but the growing complexity of IT, the increasing threat surface introduced by new applications and IoT devices, and the growing sophistication of bad actors has led us to a reality where breaches are inevitable. The idea of preventing all breaches is simply not possible. It is not a matter of whether a security breach will occur—it’s a matter of when, and how bad will it be. Organizations must shift their focus to incident response so that they can quickly and effectively respond to security events when they occur.

• Q: Why aren’t vulnerabilities patched more quickly?

A: The answer, I believe, lies in the increasing complexity of IT. Companies are supporting more devices, applications, and operating systems than ever before and the velocity of patch releases is unprecedented. Simply keeping up with all these patches is time-consuming. To make matters worse—and what is often the bigger issue—companies operate 24/7 and downtime is very costly. Typically, organizations must schedule and plan for infrequent and small windows of downtime so that they can do regular maintenance and apply patches. Even when patches occur in a runtime manner, there is still an operational cost to make them happen, as well as a risk that something could go wrong and bring critical systems down. Organizations constantly weigh financial and operational costs with the risk of unpatched systems. Sometimes the business chooses to implement patches quickly when the risk is perceived as high, but sometimes patches are delayed because the disruption is considered to be more costly than the patch is worth. There are also times when business-critical applications run on old and unsupported systems that no longer receive patches from the manufacturer.

• Q: Will artificial intelligence fix the problem?

A: AI is one of the hottest topics in the industry right now. Some vendors in the space would like you to believe their solution will enable security professionals to sit on the couch eating bonbons while AI keeps them completely safe, but reality will fall short of that. AI will definitely deliver the ability to monitor and correlate data to detect sophisticated attacks, but getting it set up properly to accomplish this is not a trivial task. For AI to work properly, the system must be told what normal traffic patterns look like so it can learn from that and trigger on deviations. AI holds a lot of promise, but people will never be eliminated as a critical part of the threat hunting and cybersecurity process.

• Q: Who should own the blame for security breaches? Is this a security team, or a business leadership issue?

A: Historically, the blame for security breaches has fallen on the CISO or their security team, but there is a growing trend of CEOs being held accountable. On September 7, 2017, Equifax publicly announced it had suffered a massive security breach. Within a few weeks, Richard Smith stepped down as CEO. Marissa Mayer lost her 2016 and 2017 annual bonuses and equity grants due to the breaches at Yahoo!. Due to the massive impact large-scale breaches have on brands, cybersecurity is quickly becoming a boardroom and CEO issue.

• Q: There are so many vendor solutions out there now. What should companies do to most effectively reduce their risk?

A: Companies should continue to evaluate and implement technology meant to prevent security incidents, as they offer a means to reduce risk. The big change that organizations must embrace is the adoption of incident response. They must begin to invest in people, technology, and processes intended to react to the inevitability of security breaches. Organizations must realize that strategies revolving purely around prevention will fail. When breaches occur, the organizations who are prepared and have access to network traffic analytics and historical forensic data will be best able to quickly identify the event, understand exactly what happened, and return to normal.

Bob Noel is Director of Strategic Partnerships and Marketing at Plixer. Noel has over 20 years’ experience in networking and security technologies, having spent time in senior roles with industry leaders such as Cisco, Cabletron, Extreme Networks, and Plixer. Noel is an international speaker, highly sought for his knowledge of network architectures and security, next generation data centers and virtualization, and the emerging dynamics of Software Defined Networking. His background expands sales, systems engineering, training, technology alliance and marketing leadership positions. Noel is currently located at Plixer’s headquarters in Kennebunk, ME.