CIO

Security intelligence and sharing lead to hacker disappointment

When we look at how cybercrime is being addressed globally, Bill Taylor, LogRhythm’s vice president for Asia Pacific and Japan, says it’s a matter of following the money.

“When you look at international organised crime, it’s worth about $1.7 trillion a year. It’s made up of six or seven key components. Those are things like counterfeiting, arms trade, drugs, people trafficking and smuggling, the sex trade,” he says.

Counterfeiting, including the production of fake goods such as fashion items, is worth about $520B. Cybercrime is the second-largest category at around $475B, and it is growing faster than any other.

Most of the large crime categories are handled by specific agencies such as intelligence agencies and police forces.

“Whose decision was it to leave the second biggest transnational organised crime criteria to the IT department? That’s what we did. We said the IT department will fix it - it’s a half a trillion dollar problem but get some software and that will stop it all,” says Taylor.

Taylor says we’ve disregarded the cyber threat from a government perspective, a commercial perspective and a vendor perspective.

“Now we’re playing catch up,” he says.

Over the last decade we’ve seen the emergence of various point solutions and SIEM (security information and event management) systems. But these have either been too complex to deploy effectively or have not addressed the challenges at their root causes.

But Taylor says a new approach is emerging.

“There’s a new phase coming through, over the last 18 months. This is a culmination of the mistakes that were made and the ignorance surrounding these threats. We’ve seen many of these threats since the 90s. There were ransomware attempts back then – they’re not new. We chose to ignore it and focus on drugs and arms and other things.”

The good news, says Taylor, is that a new approach is proving more effective: SIEMs with greater intelligence. These security intelligence systems are built upon SIEMs, which he says were a good foundation that wasn’t executed particularly well, but they also look at endpoint and user behaviour, external threat feeds, compliance and governance.

Taylor observed that at the recent Gartner Security and Risk Management Summit there were about 44 vendors with stands in the exhibition space. He estimates 40 of those were offering point solutions. Many of those will be merged into other solutions, acquired, or copied into broader security platforms.

Important elements in building a security intelligence platform are the availability of data and programming expertise to get the artificial intelligence and machine learning right.

Taylor cited the consolidation we’ve seen in the network industry with a handful of large vendors dominating the market. He expects a similar market consolidation in security analytics.

“In five to eight years’ time, we’re going to see the culmination of many technologies coming under a broad front of three or four suppliers.”

Today most networks use a combination of firewalls, intrusion detection systems and other appliances. In future those devices will act as sensors for a broader security intelligence platform, where the traffic and activity they log is aggregated, enriched and analysed to produce information a security team can act on.

The consolidation of vendors will facilitate that as there will be fewer different platforms to integrate.

In addition, there needs to be broader interaction in the business sector where security intelligence is shared. Although some industries do this, others are more guarded even when information sharing would be beneficial. For example, sharing information about ransomware attacks in retail could alert banks to increase their defences and tune their security intelligence solutions.
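The aggregation described above, and the use of indicators shared by another industry, can be shown in a few dozen lines. What follows is an added illustration, not LogRhythm’s product or any code from the article: it normalises constructed firewall and IDS log lines into one event schema, enriches each event from a constructed indicator feed (the kind a retail sector might share with banks about a ransomware campaign), and correlates per internal host into scored alerts. The log formats, addresses, signature IDs, feed fields and scoring weights are all assumptions made for the example.

```python
"""Added illustration: aggregate firewall + IDS logs, enrich them with a
shared indicator feed, and correlate per source host into scored alerts.
Not LogRhythm code; formats, addresses and weights are assumptions."""
import re
from collections import defaultdict

# Constructed sample logs (invented sensors, RFC 5737 documentation addresses).
FIREWALL_LOG = """\
2024-05-02T10:01:07Z fw01 DENY src=10.0.5.23 dst=203.0.113.45 dport=443 proto=tcp
2024-05-02T10:01:09Z fw01 ALLOW src=10.0.5.23 dst=198.51.100.7 dport=443 proto=tcp
2024-05-02T10:02:11Z fw01 ALLOW src=10.0.7.8 dst=192.0.2.10 dport=80 proto=tcp
2024-05-02T10:03:40Z fw01 ALLOW src=10.0.5.23 dst=198.51.100.7 dport=8443 proto=tcp
"""
IDS_LOG = """\
2024-05-02T10:01:10Z ids01 sig=2024001 msg="Possible ransomware beacon" src=10.0.5.23 dst=198.51.100.7
2024-05-02T10:02:12Z ids01 sig=2010937 msg="HTTP GET to raw IP" src=10.0.7.8 dst=192.0.2.10
"""
# Constructed indicator feed, as one sector might share it with another:
# destination -> indicator type, publishing community, confidence 0..100.
SHARED_INDICATORS = {
    "198.51.100.7": {"type": "ransomware-c2", "source": "retail-sector", "confidence": 90},
    "203.0.113.45": {"type": "scanner", "source": "community", "confidence": 40},
}

FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) "
                   r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")
IDS_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) sig=(?P<sig>\d+) msg="(?P<msg>[^"]*)" '
                    r"src=(?P<src>\S+) dst=(?P<dst>\S+)")


def parse_logs(fw_text, ids_text):
    """Normalise both formats into one event list; malformed lines are skipped."""
    events = []
    for text, regex, sensor in ((fw_text, FW_RE, "firewall"), (ids_text, IDS_RE, "ids")):
        for line in text.splitlines():
            m = regex.match(line)
            if m:
                events.append(dict(m.groupdict(), sensor=sensor))
    return events


def enrich(events, indicators):
    """Attach the shared indicator record (or None) to each event's destination."""
    for e in events:
        e["ioc"] = indicators.get(e["dst"])
    return events


def correlate(events):
    """Score every internal source host across sensors (assumed weights):
    + feed confidence per distinct flagged destination the host reached (ALLOW),
      a quarter of it if the firewall only ever blocked it (DENY)
    + 30 per IDS signature on the host
    + 20 when firewall and IDS both saw the same destination (corroboration)
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        score, reasons = 0, []
        fw = [e for e in evs if e["sensor"] == "firewall"]
        ids = [e for e in evs if e["sensor"] == "ids"]
        for dst in sorted({e["dst"] for e in fw if e["ioc"]}):
            ioc = next(e["ioc"] for e in fw if e["dst"] == dst)
            allowed = any(e["action"] == "ALLOW" for e in fw if e["dst"] == dst)
            pts = ioc["confidence"] if allowed else ioc["confidence"] // 4
            score += pts
            reasons.append(f"{'reached' if allowed else 'blocked from'} {ioc['type']} "
                           f"{dst} (feed: {ioc['source']}, +{pts})")
        for e in ids:
            score += 30
            reasons.append(f"IDS sig {e['sig']}: {e['msg']} (+30)")
        if {e["dst"] for e in fw} & {e["dst"] for e in ids}:
            score += 20
            reasons.append("firewall and IDS corroborate the same destination (+20)")
        sev = "critical" if score >= 100 else "high" if score >= 60 else "medium" if score >= 30 else None
        if sev:
            alerts.append({"src": src, "score": score, "severity": sev, "reasons": reasons})
    return sorted(alerts, key=lambda a: -a["score"])


def run_pipeline(fw_text=FIREWALL_LOG, ids_text=IDS_LOG, indicators=SHARED_INDICATORS):
    return correlate(enrich(parse_logs(fw_text, ids_text), indicators))


if __name__ == "__main__":
    for a in run_pipeline():
        print(f"[{a['severity'].upper()}] {a['src']} score={a['score']}")
        for r in a["reasons"]:
            print("   -", r)
```

On the constructed input, host 10.0.5.23 scores critical: it reached the shared ransomware C2 indicator, the IDS fired on the same destination, and a blocked scanner contact adds a little. Host 10.0.7.8 is only medium, a lone policy signature corroborated by the firewall. The point of the shared feed is visible in the first case: without the retail sector’s indicator the same host would score 50 and be a medium alert like the second.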

Taylor says this brings the discussion back to security having been left with IT.

“It’s a half a trillion-dollar problem being handled by IT people. Executives say they’ve given the IT department $10M to spend to fix this. Nobody is going to be able to fix it because you can’t stop them from coming in. You need to build a sophisticated set of tools and have dialogue between parties sharing information. The more you talk about it, the more the hackers are going to be disappointed.”