In our two previous blog posts, we explored two major trends facing the security industry today: the need for information security professionals to find their business voice and the overwhelming demand for skilled security personnel. A third major trend is the growing use of threat intelligence. Organizations are often starting or expanding their threat intelligence capabilities. These capabilities vary by provider, but mostly involve monitoring the internet for indicators that a particular company, its products, services, web sites, or personnel are being targeted for attack. The indicators might be actual chat or email transcripts mentioning the company or its officers, stolen information from the company, evidence of malware inside the company, command-and-control systems receiving information from the company, or any of dozens of similar indicators of an active threat. Attacks range from distributed denial of service to kidnapping, and include malware, advanced threats against company intellectual property, and more. The trend here is the instantiation and growth of threat intelligence operations, ranging from 2-3 person shops operating during business hours to larger 24x7x365 global operations. This is a capability formerly limited to military and government watch centers, and it is rapidly becoming a de facto operating requirement for Global 500 businesses.
Because our software and systems still aren’t fundamentally secure, a combination of threat intelligence and log analysis known as continuous monitoring has started to be broadly discussed, which leads to the fourth trend. Continuous monitoring builds on the SIEM (Security Incident and Event Management) tools implemented to analyze log data and moves them to a continuous level of deeper analysis, looking for any evidence of malware or attack. By looking broadly across the enterprise attack surface, continuous monitoring aims to find early indicators that something bad is happening. Response activities and teams can then investigate and determine whether there’s an event, what it means, and how to manage it.
These last two trends are closely related and have similar implications. Threat intelligence and continuous monitoring require access to vast amounts of data and a mix of automated and manual analysis. They require 24x7x365 teams of people to review the analysis and to determine and execute a response. The end result is a large and growing cost center with very little relationship to the profitable side of a company’s bottom line. This cost worsens as the size of the team, the volume of data, and the amount of analysis grow with each new addition to the company’s systems and business lines. Companies need to outsource these services and focus on how the input from these services can be used within their companies to manage risk and deal with specific incidents.
Todd Inskeep is a Senior Associate at Booz Allen Hamilton. He leads Cyber Security Assessments at client companies measuring, managing investment, and enabling improved Cyber security programs. Todd has served on the RSA Conference Program Committee since 2002.