In the wake of digitalisation, companies will no longer be able to handle the increasing levels of cybercrime through manual intervention. Too many factors need to be considered to prevent the risk of a malware infection or the loss of intellectual property. Malware is becoming increasingly intelligent and more complex, and it uses stealth technologies to operate covertly, changing its ‘signature’ to avoid detection. If you consider the speed with which ransomware was able to spread through companies in 2016 and, more recently, with WannaCry, the question as to who is winning the cat-and-mouse game no longer needs to be asked.
Many companies believe that by stacking new appliances on top of appliances, they are doing everything they can to prevent their networks from being compromised by the new generations of malicious attacks. But adding all that hardware is giving them a false sense of security. It’s akin to saying, ‘What we have isn’t working, so let’s get more of it.’
What has changed? Is the sophistication of the threats simply outpacing the technology designed to stop them?
To answer these questions, let’s look back. A decade ago, IT security was limited to virus scanning in combination with a firewall on the network perimeter. The corporate HQ with its data centre was protected like a fortress with almost insurmountable walls. The situation that I see in companies today is largely unchanged. The only difference is that the wall has been raised with the addition of newer devices, such as IPS hardware, boxes for URL filtering, another appliance for advanced threat protection, one with sandbox technology, and so on. Up to 70 different security products can often be found in companies nowadays. But the question remains: can the fight against cybercrime be won with this kind of equipment?
IT security involves too much manual work
This arms race creates problems of its own: not only are companies fighting against unknown attackers from outside, but they’re also struggling to maintain control over the mass of appliances. The various security solutions from different manufacturers need to be administered. Ongoing activities include patch management, software upgrades, the administration of locations, training measures to stay up to date — not to mention new requirements that emerge with the implementation of cloud strategies and the increased bandwidth demands. The dilemma is intensified due to a persistent shortage of IT security specialists.
Worse still, the wall is made up of appliances that each cover only their own individual facet of security. You could say they are posted on different battlements, providing isolated defence without working intelligently with one another. This means a lot of manual work is needed to evaluate and correlate the logs from the different systems and feed them into a common SIEM system. Valuable time that should be spent fending off threats is lost. Manually filtering hundreds of logs, and recognising the threats that may be hidden in them, is simply too time-consuming, which in turn makes it difficult to gain the upper hand in the fight against malware.
Meanwhile, attackers have not been standing still. They are no longer simply using brute force to attack the wall of appliances. Instead, they look for the weakest link in the security chain, and that is the user. And users have become easier targets, since they can now be found well outside of the secure boundaries of the corporate stronghold, thanks to mobility, using a wide range of different devices, many of which the company does not control. The fortress is ineffective for these users and their devices.
Disparate systems do not provide a complete picture
Due to the new, intelligent attack patterns in use today, different layers of security are required. In order to bring the current protection tactics up to date, priority must be placed on the intelligent interaction between the systems. At the moment, appliances from different manufacturers are not even capable of ‘speaking the same language.’ The different protocols and operating systems on which the security solutions have been implemented prevent communication between the systems and make it difficult to correlate the log data.
If, for example, the sandbox does not talk to the module that is supposed to recognise malware delivered through cross-site scripting, the company may witness signs of the same attack in different places without connecting them. An overall picture, which is now necessary to identify advanced threats, can only be obtained by bringing all the different pieces of information together. The situation remains challenging, however, because a SIEM system can often only recognise that a network has been infected with malware after the fact, once it has analysed the data.
Automation is the magic word
To ensure that systems can intelligently work together, it must be possible to link the various security solutions in a manufacturer-independent manner. An example: the advanced security solution that monitors Internet access identifies a client as being infected with a botnet. In an ideal situation, this information would be passed on to the client software, which would then trigger the removal of the malware. Such interaction reduces the manual outlay for IT security and the workload of the IT department, which in turn gives it the time it needs to focus on important forensic tasks or root-cause analysis.
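The manufacturer-independent linking described above comes down to three steps: normalise each product's alerts into a common schema, correlate them by affected host, and derive an automated response. The following is an added illustration, not code from the article or from any vendor; the two log formats, host names and action names are constructed for the example.

```python
import json
from collections import defaultdict

# Constructed sample alerts from two disparate products, each in its own format
# (neither is a real vendor format).
PROXY_LOG = [
    '2017-05-15T10:02:11Z host=ws-0417 category=botnet-c2 dst=198.51.100.23 action=blocked',
    '2017-05-15T10:03:40Z host=ws-0912 category=adult action=blocked',
]
SANDBOX_JSON = [
    '{"ts":"2017-05-15T10:01:58Z","endpoint":"ws-0417","verdict":"malicious","family":"downloader"}',
    '{"ts":"2017-05-15T10:04:02Z","endpoint":"ws-0555","verdict":"malicious","family":"dropper"}',
]

def normalise_proxy(line):
    """Key=value proxy line -> common event schema."""
    ts, rest = line.split(' ', 1)
    kv = dict(field.split('=', 1) for field in rest.split())
    return {'ts': ts, 'host': kv['host'], 'source': 'proxy', 'indicator': kv['category']}

def normalise_sandbox(line):
    """JSON sandbox verdict -> common event schema."""
    rec = json.loads(line)
    return {'ts': rec['ts'], 'host': rec['endpoint'], 'source': 'sandbox', 'indicator': rec['verdict']}

# Which indicator values each product uses to mean "this host is compromised".
SUSPICIOUS = {'proxy': {'botnet-c2'}, 'sandbox': {'malicious'}}

def correlate(events):
    """Group suspicious events by host, recording which products flagged it."""
    by_host = defaultdict(set)
    for e in events:
        if e['indicator'] in SUSPICIOUS[e['source']]:
            by_host[e['host']].add(e['source'])
    return {host: sorted(sources) for host, sources in by_host.items()}

def plan_response(correlated, required=2):
    """Isolate a host only when at least `required` independent products agree;
    a single-source alert becomes an analyst ticket instead of an automatic action."""
    return {host: ('isolate_and_remediate' if len(sources) >= required else 'open_ticket')
            for host, sources in correlated.items()}

def run():
    events = [normalise_proxy(l) for l in PROXY_LOG] + [normalise_sandbox(l) for l in SANDBOX_JSON]
    return plan_response(correlate(events))

if __name__ == '__main__':
    print(run())  # {'ws-0417': 'isolate_and_remediate', 'ws-0555': 'open_ticket'}
```

Requiring corroboration from a second product before an automatic isolation is what keeps the automation from turning one false positive into an outage.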
The future of IT security should therefore look like this: thanks to the intelligent interaction between different security components, it would be possible to recognise what is happening in the network in real time, even during an attack, and take countermeasures. Defensive measures would be taken without any manual intervention by IT. Signs are already visible that users are following this vision: the consolidation of providers in the security market is evidence that companies are compelled to reduce the number of appliances from different manufacturers in favour of more ‘unified’ solutions that are simpler to administer and provide higher security.
Companies will therefore benefit from focusing on just a few providers whose solutions offer highly integrated security via a platform approach — actual integration, not simply a dotted line drawn between systems on a PowerPoint slide. Faster recognition and effective prevention of malware infection thus become possible, and administrative outlay is also reduced. Error-prone manual administration and the delayed patching of systems can therefore be eliminated with modern cloud-based approaches, in which security updates are installed automatically and far more frequently. And if artificial intelligence is used in a security system, 100 percent automation can be achieved. The implementation of this vision is already within reach, thanks to the cloud.