Are you drawing the right conclusions from your favorite security vendor’s 2013 threat report? Some do, but I talk with a lot of security executives that miss the opportunity to use these reports as stimulus to re-examine their security strategies. The importance of threat reports are what the trends of user activity mean to your security practices and not-so-much the details of individual threats.
Anti-malware vendors publish research to educate you on the prevalence of new threats, emerging threats against new platforms, and the risks of users making poor security decisions. This must be an effective demand-generation tool to entice customers to buy more products to protect against emerging threats because every security vendor with a marketing budget seems to produce a threat report highlighting nefarious attacks against popular technologies. It is a dangerous cyber-world out there!
“Wait a minute!” says the cynical security exec. “You are my favorite anti-malware vendor and I interpret this report as confessing that you are not protecting my business against these threats. If your defenses were that good, and I’ve paid good money for your technology, then these threats would not be so prevalent and persist year after year. But your own threat report tells me these threats are running rampant. Now you want me to buy more products?”
Before you do that, here are three questions to ask when using threat reports as stimulus in re-examining your security strategy:
Can you get more out of your incident response plans? If there is one message that resonates from threat reports, it is that you will absolutely be subjected to threats that evade security defenses. Most enterprises devote significantly more resources to prevention than to incident response. Some of you have lovely incident response plans loaded with cross-functional procedures to be unsealed in times of cyber-duress; some of you have learned that incident response is a part of daily standard operating procedures that can be streamlined and is seldom an isolated event. Think of applying critical patches and how long it takes to coordinate help desk organizations, application administrators, network managers, security operations, end-users for desktops, quality assurance teams, asset management groups, etc. Solving incident response issues that threat reports imply are inevitable can also benefit prevention efforts and IT operations. Threat reports tell you that you are going to have incidents in 2014, build in the visibility and agility to streamline security maintenance and incident response – even if it means a bit less for prevention.
Is your security approach for a physical-oriented infrastructure the right approach for mobile and cloud platforms that threat reports insist are under siege? This is a toughie for most security executives that have been raised on perimeter defenses backed up by layers of host security, network filters, and SIEM-driven analytics. It is not practical for you to manage host-based security software downloaded to a user’s phone or tablet. Use the threat report trend on new platforms (treating the cloud as a platform) to re-examine how to evolve your security architecture to keep pace with rapidly evolving user activity. You may find a strategy of shifting security to the network and application security to the cloud is more pragmatic for you and threat reports provide the test cases to help you get there.
Can you balance new approaches to security with the demands of compliance? Security and compliance are two different subjects and your security strategy should never stop at the limits of compliance. Regulatory and industry mandates are double edged – they dictate security best practices learned from the past, but are inflexible and often ineffective when it comes to securing against emerging threats and new platforms. Most of you are at the point where your mission is to control the costs of ticking the boxes of a compliance checklist, while reserving budget allocations to protect the business against new and emerging threats. The 2013 threat reports can be your ally in justifying the needs for platform coverage and new approaches to your security strategies. Compliance mandates don’t tell you that you need to extend security initiatives, but threat reports and your business needs do.
If you are a skilled and lucky security manager, then you still have money in your budget for contingencies and to address emerging threats. We are entering Q4 so that money needs to be put to work soon - you need to use it or lose it before 2014 arrives. The 2013 threat reports can be invaluable tools to re-assess how and where your security dollars are spent to ensure your business has the flexibility to safely launch into 2014.
On a personal note, it is good to be back blogging with Computerworld after a too-long hiatus. I look forward to meeting and talking security with old and new friends!