A Provocative Dream: Is Proactive Security Even Possible?

For years, security experts have regarded preventative measures like firewalls as necessary band-aids, treating a symptom and not the disease. The dream, however, has always been an approach where instead of waiting for something to go wrong, security teams around the world are one step ahead of attackers, using the best information, tools, and analytics to preemptively thwart would-be assailants.

In other words, security teams seek to permanently switch seats at the chess table from the black side to the white side, becoming the side that always gets to make the first move.

Unfortunately, most security teams are still stuck in a reactive mode. They are rendered immobile by avalanches of alerts. They manually execute processes on antiquated systems which should be automated. They lack visibility of their increasingly complicated networks. They are isolated, often unknowingly, from their company and the industry at large.

What challenges must be overcome to truly create proactive security teams?

No Company Is An Island
In the interconnected sea of modern business, no company is an island. Any attack on your company has either been tried elsewhere, or soon will be. The challenge, therefore, is establishing a holistic vision of the larger business community and global ecosystem. Companies in financial verticals - or any vertical - all face similar challenges, but can be reluctant to disclose details of attacks and compromises for fear of embarrassment or reputational damage.

Security teams can learn volumes from attempted and successful attacks on comparable businesses, and must pay attention to the security skirmishes being waged outside their immediate borders. Effective processes for sharing this attack data are a prerequisite. A few companies already offer services that paint a more global panorama of the attacker landscape across industries, and standards like STIX are helping to normalize the way this information is shared. This is a promising first step in a strong global defense, as this macro-level threat information is indispensable for our dream of proactive security.
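To make the sharing step concrete, here is an added example (not code from the original article or from any vendor it alludes to) that ingests a STIX 2.1 bundle of the kind a sharing service might deliver and turns its indicators into a block list. The bundle, its ids and indicator values are constructed for the example (TEST-NET addresses and reserved example domains only). The parser deliberately handles only single-comparison patterns and counts anything else, and any expired or not-yet-valid indicator, as skipped, so that an analyst reviews them instead of the feed silently driving enforcement.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample: a minimal STIX 2.1 bundle with two indicators, one
# compound indicator, and one non-indicator object. All values are made up.
SAMPLE_BUNDLE_JSON = json.dumps({
    "type": "bundle",
    "id": "bundle--0f1e2d3c-0000-4000-8000-000000000001",
    "objects": [
        {
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--11111111-0000-4000-8000-000000000001",
            "name": "Scanning source reported by several members",
            "pattern": "[ipv4-addr:value = '203.0.113.45']",
            "pattern_type": "stix",
            "valid_from": "2024-01-10T12:00:00Z",
        },
        {
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--22222222-0000-4000-8000-000000000002",
            "name": "Credential-phishing domain (already retired)",
            "pattern": "[domain-name:value = 'login-verify.example']",
            "pattern_type": "stix",
            "valid_from": "2024-01-01T00:00:00Z",
            "valid_until": "2024-01-05T00:00:00Z",
        },
        {
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--33333333-0000-4000-8000-000000000003",
            "name": "Compound pattern, needs analyst review",
            "pattern": "[ipv4-addr:value = '198.51.100.7' AND network-traffic:dst_port = 4444]",
            "pattern_type": "stix",
            "valid_from": "2024-01-10T12:00:00Z",
        },
        {"type": "malware", "spec_version": "2.1",
         "id": "malware--44444444-0000-4000-8000-000000000004",
         "name": "unnamed-loader", "is_family": False},
    ],
})

# Only single-comparison patterns such as "[ipv4-addr:value = '...']" are
# parsed here; AND/OR compositions and multi-observation patterns are skipped.
_SIMPLE_PATTERN = re.compile(
    r"^\[\s*(?P<path>[a-z0-9-]+:[A-Za-z0-9_.'-]+)\s*=\s*'(?P<value>[^']+)'\s*\]$"
)

# Object paths this example knows how to turn into a block-list entry.
SUPPORTED_PATHS = {
    "ipv4-addr:value": "ip",
    "domain-name:value": "domain",
    "file:hashes.'SHA-256'": "sha256",
}


def _parse_ts(ts):
    """Parse a STIX timestamp; fromisoformat needs +00:00 rather than Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def parse_simple_pattern(pattern):
    """Return (kind, value) for a supported single-comparison pattern, else None."""
    m = _SIMPLE_PATTERN.match(pattern.strip())
    if not m:
        return None
    kind = SUPPORTED_PATHS.get(m.group("path"))
    if kind is None:
        return None
    return kind, m.group("value")


def extract_blocklist(bundle_json, now=None):
    """Collect currently valid, parseable indicators; record everything else as skipped."""
    now = now or datetime.now(timezone.utc)
    bundle = json.loads(bundle_json)
    result = {"ip": [], "domain": [], "sha256": [], "skipped": []}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue  # relationships, malware, etc. carry no enforceable pattern
        if obj.get("pattern_type", "stix") != "stix":
            result["skipped"].append(obj["id"])
            continue
        valid_from = _parse_ts(obj["valid_from"])
        valid_until = obj.get("valid_until")
        if valid_from > now or (valid_until and _parse_ts(valid_until) <= now):
            result["skipped"].append(obj["id"])  # stale or future indicator
            continue
        parsed = parse_simple_pattern(obj.get("pattern", ""))
        if parsed is None:
            result["skipped"].append(obj["id"])  # compound/unsupported pattern
            continue
        kind, value = parsed
        if value not in result[kind]:
            result[kind].append(value)
    return result


if __name__ == "__main__":
    print(extract_blocklist(SAMPLE_BUNDLE_JSON))
```

The point of the skipped list is that a shared feed is input to a decision, not the decision itself: expired indicators must age out so the block list does not grow forever, and compound patterns need a richer matcher (or a human) before they become rules.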

On a smaller scale, security teams must develop a better understanding of the topography of their own companies. Many teams miss the infrastructure (the forest) for the packets (the trees). With your head buried in the packets, it is often easy to forget about the larger business you have been tasked with defending.

New Tools For A New Era
Tools and processes are often outdated, and needlessly so. I'll be the first to admit (if you will too): sometimes we just don't trust new tools and prefer to do things manually or by a convoluted, MacGyver-ed method. This will not work anymore.

Automation is the way forward, and requires controls that work seamlessly together. As a simple example, when a firewall sees something out-of-the-ordinary or malicious, it should be able to talk to a host and decide which to "auto-quarantine." This challenge is perhaps the most human of all, because it means security teams will have to learn to let go of some of the work they do manually, especially as the skill of automated processes outstrips them.

The simple truth is that one cannot defend what one cannot see. Visibility starts where we started above: at a global level. On the other extreme is raw packet data. We've already discussed what security teams should see at a macro level, but what of the smallest moving parts? Security teams need to be able to intelligently view the single big picture of what's happening, including firewall information, host control information, information on users, all the way down to the packet level.

Of course, taking this in as raw data is overwhelming. "Intelligently viewing" means having the appropriate dashboards, views, and insights, all fed by a granular level of visibility. Security teams should be able to understand the status of their entire business at a glance, with confidence that nothing is missing or being overlooked.

Conquering Alert Fatigue
Security teams are inundated with alerts. Each must be triaged, investigated, and resolved, usually using a mishmash of un-integrated processes. This makes it difficult to analyse root causes. Perhaps even more harmfully, on an institutional level, it makes it very hard to establish a default process for resolution - often, scenarios arise where only one analyst can solve a certain type of problem, in a way that is not well documented and hard to pass on to new analysts. Institutional knowledge is lost, and heaven forbid such a problem happen while that specific analyst is on vacation.

There is simply too much complexity and too many threats to expect analysts to keep up with this largely manual approach. The solution to this issue brings together the themes above: automation, built on tools that have full visibility of your network, means that problems can be resolved as alerts arrive - or even before.
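The two preceding sections describe the same loop from both ends: a firewall alert should be able to reach the host it concerns, and alerts should be collapsed and handled by a documented, repeatable process rather than by one analyst's memory. The following added example (written for this page, not code from the original article) sketches that loop. The alert stream and the asset inventory are constructed sample data; the severity scale, the ten-minute grouping window and the scoring thresholds are assumptions chosen for the demonstration. The inventory is what turns a quarantine rule from a blunt instrument into a defensible one: critical systems are escalated to a person rather than isolated automatically, and a host the inventory does not know about is flagged as a visibility gap instead of being acted on blindly.

```python
from datetime import datetime, timedelta

# Constructed sample alerts from two sources, already normalised to one shape.
SAMPLE_ALERTS = [
    {"ts": "2024-03-01T09:00:00Z", "source": "firewall", "host": "ws-0421",
     "rule": "outbound-c2-pattern", "severity": 8},
    {"ts": "2024-03-01T09:00:05Z", "source": "firewall", "host": "ws-0421",
     "rule": "outbound-c2-pattern", "severity": 8},      # duplicate of the above
    {"ts": "2024-03-01T09:00:30Z", "source": "edr", "host": "ws-0421",
     "rule": "suspicious-child-process", "severity": 7},  # independent corroboration
    {"ts": "2024-03-01T09:05:00Z", "source": "firewall", "host": "db-prod-01",
     "rule": "outbound-c2-pattern", "severity": 8},
    {"ts": "2024-03-01T09:10:00Z", "source": "firewall", "host": "ws-0099",
     "rule": "port-scan-low", "severity": 3},
    {"ts": "2024-03-01T09:12:00Z", "source": "firewall", "host": "unknown-7f",
     "rule": "outbound-c2-pattern", "severity": 8},       # not in inventory
]

# Constructed asset inventory: the "forest" view of what each host is.
INVENTORY = {
    "ws-0421": {"tier": "workstation", "owner": "sales"},
    "db-prod-01": {"tier": "critical", "owner": "platform"},
    "ws-0099": {"tier": "workstation", "owner": "eng"},
}


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def group_incidents(alerts, window=timedelta(minutes=10)):
    """Collapse the alert stream into one incident per host per time window.

    Repeated alerts only raise a count; distinct sources and rules are kept
    so the decision step can tell a noisy sensor from corroborated activity.
    """
    incidents = []
    latest = {}  # host -> index of that host's most recent incident
    for a in sorted(alerts, key=lambda x: x["ts"]):
        when = _ts(a["ts"])
        idx = latest.get(a["host"])
        if idx is None or when - incidents[idx]["first_seen"] > window:
            incidents.append({"host": a["host"], "first_seen": when, "count": 0,
                              "sources": set(), "rules": set(), "max_severity": 0})
            idx = len(incidents) - 1
            latest[a["host"]] = idx
        inc = incidents[idx]
        inc["count"] += 1
        inc["sources"].add(a["source"])
        inc["rules"].add(a["rule"])
        inc["max_severity"] = max(inc["max_severity"], a["severity"])
    return incidents


def decide(incident, inventory):
    """Map one incident to a documented action; thresholds are assumptions."""
    asset = inventory.get(incident["host"])
    # Corroboration by a second, independent source is worth more than repeats.
    score = incident["max_severity"] + (2 if len(incident["sources"]) >= 2 else 0)
    if asset is None:
        action = "investigate"   # unknown host: a visibility gap to close first
    elif asset["tier"] == "critical":
        action = "escalate"      # never auto-isolate critical infrastructure
    elif score >= 9:
        action = "quarantine"    # corroborated, high-severity: isolate the host
    elif score >= 6:
        action = "ticket"        # single-source but serious: open a case
    else:
        action = "log"           # low severity: keep for correlation only
    return {"host": incident["host"], "score": score, "action": action,
            "alerts_collapsed": incident["count"],
            "sources": sorted(incident["sources"])}


def triage(alerts, inventory):
    """Full pipeline: raw alerts -> grouped incidents -> one decision each."""
    return [decide(inc, inventory) for inc in group_incidents(alerts, )]


if __name__ == "__main__":
    for d in triage(SAMPLE_ALERTS, INVENTORY):
        print(d)
```

Every branch in `decide` is a line an analyst could read and a new hire could be handed, which is the institutional-knowledge point of the section above: the rule for what happens to a corroborated alert on a workstation lives in the pipeline, not in one person's head.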

A Solution?
Security teams face challenges both external (knowing what is going on in the ecosystem, the industry, the world) and internal (understanding the company, automating processes effectively, and achieving real, full visibility).

Solving one or a few of these problems is not enough. Proactive security - making the first move on the chessboard - will require that all these interdependent issues be solved together. This will take more than just wise implementation of technology, much of which we already have; it will also take a shift in our thinking as security experts toward a larger view of the company, industry, and planet. It will take adopting a "CISO mindset" in which security is not a means to a business end but an integral and inextricable facet of the business itself.