by Scott Millis – Chief Security Strategy Officer at ISC8
Prevention is a tremendous strategy that can radically reduce the chances that corporate networks get infected, but the quaint old saying actually implies some further wisdom that one might apply toward building Security Strategies for companies and clients. Namely, the “ounce-to-pound “reference is there to remind everyone that prevention is easier and less expensive than the treatment (cure). That is why todays corporations have made investments in preventative measures and perimeter technologies such as firewalls, intrusion prevention systems, endpoint malware agents and whitelists, sandboxes, email filters, URL filters and the like.
Ultimately, while these are all prudent measures that are needed, they prove not to be 100% effective in preventing networks from getting infected. In fact, Gartner recently published a research paper that may be prophetic in this regard: “Prevention Is Futile in 2020: Protect Information via Pervasive Monitoring and Collective Intelligence”. In addition, at their recent “Security & Risk Management Summit” in National Harbor, Md., they even went so far as to claim: “All packets across the network are suspect. It’s extremely hard to detect compromises and infections in corporate resources, so monitoring should be considered a basic means to detect attacks. Gartner estimates by 2020, 75% of IT budgets will be set aside for rapid detection and response approaches, up from less than 10% in 2012”.
That is an astounding prediction! Even if this is only directionally true, say perhaps 40-50% of corporate IT budgets are re-allocated, instead of 75%, are we ready for this? From a strategic/budgeting perspective, this means that corporations will have to figure out how to spend LESS on the traditional prevention activities, people, and systems, and MORE on the detection side of the equation- unless one believes IT budgets will swell to absorb these much higher costs.
Activities and people can be re-focused, but information systems need to adapt to a new purpose; detect bad behavior or malware attacks so security professionals can do something about it before it’s too late. “Too late” means that corporate data has already been exfiltrated, modified, or stolen, and/or corporate IT systems and networks have been disrupted or otherwise compromised.
Of course, corporations may have a few years to get there, but it will turn out to be an incredibly difficult journey for those CIO’s and CSO’s that don’t start planning now. In a future post I’ll share some ideas for a roadmap that might be helpful.