Have we reached the day when CEOs need to send a company-wide memo with the title “We will be hacked”? In a word, yes.
Let us be clear: The implementors and researchers we chat with – those in the enterprise Security Operations Centers (SOCs) and Managed Security Service Providers (MSSPs) – aren’t advocating giving up. They’re not advocating abandoning a strong security posture that involves lots of expenditure and lots of expertise. What they are advocating is admitting the limits of all the security that money can buy.
To date, enterprises have adopted a posture that breaches are flat out unacceptable and heads must roll. Case in point, Target certainly didn’t fire their CEO because the board assumed all along that “it could happen to us.”
But let’s face it: If the goal is zero significant breaches, the enterprise has lost.
And these hacks are happening despite a bristling arsenal of available defenses. Start with the lowly firewall and less-than-lowly next generation firewalls (NGFW), like Palo Alto Networks or Check Point. After that come the Intrusion Prevention Systems (IPS) – something of a cousin to NGFWs – like McAfee, (Cisco) Sourcefire, or HP.
Then you have the antivirus solutions like Symantec, McAfee, or Kaspersky. The effectiveness of these is hotly debated, but they certainly catch “some” malware. More recently, you have solutions like FireEye that are more behavior based and “detonate” malware in a virtual machine sandbox while watching for suspicious activity (like trying to phone home to North Korea).
And then there’s a raft of endpoint detection and response solutions (and response is critical), like Mandiant, CarbonBlack, Guidance Software, RSA, or CrowdStrike.
All these often feed data into a SIEM, like QRadar, ArcSight, Splunk (which is more than just a SIEM), LogRhythm, or McAfee, where data can be correlated (often with threat feeds) and security people can be alerted.
You might want to troll the Enterprise Security Startup Landscape while you’re at it. Make sure Network Access Control is all fired up. Add a tablespoon of Data Loss Prevention in there too. Maybe a jigger of DDoS mitigation and a glop of Enterprise Mobility Management, and you’re ready to rock and roll, right?!?
You’ll still get hacked.
Buying Even More (Probably) Won’t Save You
All that technology is great. The expertise to get maximum value from it is even greater. And if awesome new technology comes out that fills a gap – that can catch stuff that all the other programs miss – by all means, buy it.
But here’s the thing: Every time we do a security research project we hear that organizations don’t even have all the security features turned on for the stuff they’ve already bought. And there are good reasons why that’s the case.
Take, for example, unauthorized software. Your IT department could probably flip a switch today and block any process that hasn’t been whitelisted (aka preapproved) from running. Sounds great, right? What it means is if the creatives in your marketing department or your software developers download and install any whiz-bang-make-their-job-way-easier tool from the Web, they’ll suddenly find themselves unable to access email, hit intranet sites, or even browse the Web. They’ll be quarantined.
And when that happens, they’ll scream that they’re being hamstrung in doing their job. And IT will lose. Keep in mind, Gartner predicts that by 2020, 90% of technology spending will happen in the business groups rather than IT. Companies are far more afraid of going out of business due to lack of agility and innovation than lack of security.
The Big Shift
But with the super high-profile hacks we’ve seen, in 2015 I think it’s safe to say that more CEOs will be going to their security teams and asking, “How do we increase cybersecurity?” And the security teams are very quickly going to respond, “We need to invest more in knowing we’ve been breached and eradicating the intruder.”
Corporations are going to realize that it can happen to them.
- They’re going to understand that they can’t stop every invader at the gate.
- They’re going to invest in indicators of compromise.
- They’re going to invest in isolating compromised systems and users.
Is the security market ready?
- To what extent are security vendors shifting focus and shifting investment in their product portfolio away from pure defense to detection and mitigation?
- To what extent do traditional security vendors know what’s best of breed in this area and what game changers are incubating in startups?
- To what extent are security vendors developing innovative solutions that detect and mitigate without throwing up walls that stop employees from getting the job done?
Based on our research, security vendors are out of sync with what the security professionals in organizations are looking for in terms of features that increase cybersecurity without being so intrusive that they’re not even allowed to be enabled. And if the traditional vendors don’t nail this, the startups are coming over the hill – probably founded by someone who left a big vendor that had one too many sacred cows to invest in fighting the next battle.