More than 1,200 new security companies have been founded in the past five years. Investors assign them record valuations. Domestic spending on cybersecurity protection is heading for the $100 billion threshold by 2017. Smart professionals are streaming into the sector.
Yet massive data breaches keep grabbing headlines and stoke a public trust crisis.
The world sees more than 80,000 new malware threats each day, and as an industry we share more data than ever for the common good. We’ve embraced data analytics. We build and deploy a cascade of security tools. So why isn’t the security industry winning?
Mobile and cloud computing promise vast new benefits, as does the nascent Internet of Things. But to make them real, we security experts must pivot to something new. We have plenty of data – some say we’re awash in data – but we don’t derive enough insight about how to win. It’s time to stand the conventional wisdom on its ear.
It’s time for security strategists to sift, read, and respond to threat data differently, even though we may evolve away from cherished, traditional strategies. Ninety-eight percent of incoming threats are low priority, but security solutions often don’t classify them or highlight the other two percent that are real trouble.
What’s the effect of reading data differently? For example, you can deduce a lot about cyberattacks by knowing where and how they were launched. If a malicious piece of malware is part of a “mass blast” action by a nontargeted source, it’s likely in the 98 percent. Let an automated response handle it. If that same incoming malware is deemed part of a targeted campaign, that’s different. It has a unique signature. Time to escalate that case to human security analysts.
Another example: We can use data to focus on incoming attack campaigns happening right now, rather than a sea of ex post facto “indicators of compromise” – which generally report bad news after the fact.
We’d be better off assessing and categorizing each threat alert as it arrives. Abandoning the conventional wisdom that all threats are created equal. Deriving insight from a cyberattack’s probable path, target, and agenda. Security managers can be more effective when they watch a dashboard – an intelligence readout – that reports rare and uniquely threatening events as they happen, as opposed to an emailed, undifferentiated laundry list of threats already detected.
We now know the criticality of moving in the “golden hour” after a hack. Action in that crucial window can pay big dividends in damage control and limit data loss. Moving to a more discriminating defense strategy makes us more secure.
A strategy shift this fundamental takes courage. It is only natural to defend old methods many of us helped build and sell. But public perceptions driven by screaming breach headlines demand change.
We must encourage organizations to invest in better-coordinated security solutions that present fewer gaps in the armor. That means a combination of new technology and new people and processes – experts with fresh eyes, inclined to analyze data differently and manage threats with more finesse and discernment.
And private security firms must change their game, too. Security companies agree implicitly that better knowledge of attackers is useful. We need to get explicit about making that idea real. We can and must retool our systems and processes to do so.
The industry must resist chasing down every last threat with the same emphasis and focus on the few with true chaos potential.
Can we make these changes? Thinking different is always harder than retreating to the tried and true. But the stakes have grown too high for that. Something has to change.
Looking at data differently, leveraging it to go on offense, and providing best-in-class products to make it happen is how we defuse the trust crisis in computing today. It’s how we lead. It’s how we change the game.
Chris Young is general manager of Intel Security at Intel Corporation. Follow him on Twitter @youngdchris.