The threat landscape runneth over, here’s what we need to do
By Benjamin Cher August 11, 2015
- Automation needed to keep up, but people are still crucial in the security equation
- The skills shortage and a culture of secrecy make Asia ripe for the picking
Advanced Persistent Threats (APTs), malware targeting zero-day vulnerabilities, state-sponsored attacks, cybercrime toolkits and increasingly sophisticated cyber-attacks – it would seem all gloom-and-doom for cybersafety, especially in Asia where IT security budgets are being reined in.
The industry has not given up, of course, arguing that the security equation today should take into account both man and machine – we need both technology and people to work together to secure networks against attacks.
Throwing technology at the problem just doesn’t cut it any longer. As Matt Alderman, vice president of global strategy at Tenable Network Security, puts it, “When you think about what our biggest danger is, it’s us as humans – because we’re the one clicking on attachments … we are our own greatest threat.”
But one can’t ignore the need for technology either. At the recent RSA Conference Asia Pacific and Japan (RSAC APJ) in Singapore, there was an increased emphasis on threat intelligence and identity management rather than perimeter defences.
RSA president Amit Yoran laid down the foundation for that discussion in his opening keynote, and that particular theme reverberated with the various security professionals Digital News Asia (DNA) spoke to at the conference.
Threat intelligence involves sharing information about an attack or breach to help prevent similar attacks on other networks. Identity management covers the security controls applied to a user’s access, based on the identity of the user, the security posture of the endpoint accessing the data, and the conditions of the network from which that endpoint is accessing the data.
A 2015 Verizon report on data breaches indicated that security information and event management (SIEM) technology only detected 1% of breaches, with the company stressing that more needs to be done in monitoring networks for anomalous behaviour and malicious activities.
“The perimeter is shrinking, therefore perimeter defences are not going to work – so it means we need another way to do it,” says Alderman.
This requires a shift towards inward proactive detection, instead of passive outward prevention, argues Jack Chan, a security strategist at Fortinet’s FortiGuard Labs.
“Everyone starts with the perimeter, you have your firewalls in place … but we’re seeing more [security] moving inside the network,” he adds.
Furthermore, the networks in today’s organisations are not just the infrastructure you have on-premises but also encompass the cloud. Boundaries have blurred.
Thanks to the cloud, “we’ve now transformed into an inverted network,” says Munawar Hossain, director of product management for data centre security and content security at Cisco Systems.
The weak link: Us
Identity management and threat intelligence now complement traditional SIEM technology to secure networks. All these now require high degrees of automation to cope with the number and sophistication of attacks.
And let’s face it, humans are just being overwhelmed. An average of five malware events occurs every second, according to the Verizon report. Such a volume of attacks is making human analysis unfeasible, says RSA South-East Asia managing director Edward Lim.
“For example, in one of our centres we probably analyse 700,000 pieces of malware a week – it’s not humanly possible to keep up, and you need tools to do that,” he says.
Machine learning, coupled with threat intelligence, might prove to be the potent mix. Machine learning involves pattern recognition and algorithms that can learn to recognise and prevent attacks.
But that requires a rethink of threat intelligence, argues Tenable Network Security’s Alderman.
“I don’t think we’re anywhere near realising the potential of what threat intelligence can do for us,” he says.
“The problem is the threat intelligence data we get is not easily actionable by a machine or software – it requires a human to take a look at it, make a decision, and then do something with it,” he adds.
This human-sized gap is more acutely felt in Asia, where there is a distinct skill shortage in threat analysis.
“In Asia Pacific, where we have that gap in skills, we don’t have that analyst sitting there, available to look at all this data coming through,” says Alderman.
RSA’s Lim agrees, saying, “The challenge is there are not enough people who know how to analyse and respond to threats.”
The CIO/CISO role
Traditionally, the chief information officer (CIO) or chief information security officer (CISO) was the primary caretaker of security. Now, security is increasingly becoming a C-suite issue, involving the CEO, CFO and COO (chief executive, financial and operating officers) as well.
“We are seeing a trend towards business-based outcomes,” says Phil Rodrigues, vice president of British Telecom Security, Asia Pacific, Middle East and Africa, at BT Global Services.
“IT is not something only for an IT manager, it’s important strategically for the CIO, COO, CFO and CEO,” he adds.
However, the CIO still has a key role to play – that of convincing the rest of the C-suite and key decision-makers in his or her organisation of the importance of security.
“Every CIO and every CISO is on an ongoing journey of trying to communicate to their board that it’s got to be about risk,” says Rodrigues.
This means it is even more critical for CIOs and CISOs to be able to justify their budgets, says Alderman.
“The problem is not that they can’t get the budget, the problem is that they don’t know how to justify the budget,” he says.
“CISOs have to understand how to build their case on [the need] to do something different, and then they’ll be able to move into the direction of actually fixing the perimeter problems and doing the right things,” he adds.
This feeds back into the business mindset towards security, where point solutions are procured without considering the big picture – often only out of a hurried need to fill a perceived gap or to comply with regulation.
“A lot of customers are rushing to act because of the pressure to act, due to regulatory requirements or security incidents,” says Lim, who also admits that security vendors’ marketing hype affects purchasing decisions as well.