Is Your IT Posture that of a Protector, a Detective, or a Warrior?

Sunday, August 19, 2012

Richard Stiennon


A new survey from CounterTack (download here) has gotten a lot of attention recently.

The “Cyber-readiness Reality Check” survey is a first-of-its-kind exploration and explanation of the state of cyber-readiness inside the enterprise.

It reveals and corroborates the anecdotal evidence that many of us have been exposed to. We know that attacks against critical information are on the rise; we read about them every day.

Last year’s successful infiltration of RSA set the stage, and the revelation in June by Paul Sanger, writing in the New York Times, that the US and Israel are evidently engaged in crafting advanced malware, has shaken security practitioners to the core of their networks.

This survey of 100 IT execs with responsibility for security at companies with over $100 million in revenue reveals their perceptions about their own cyber-readiness posture and how it is not business as usual on the cyber battle front. I found it particularly interesting that 32% of security teams spend more than 50 hours per month studying malware permutations to identify attack characteristics.

This reinforces what I have been seeing develop over the last 18 months. Large enterprises, especially banks, are recruiting reverse engineers to look at attack code – an activity that used to be the sole purview of anti-virus vendors and independent researchers.

84% of respondents acknowledge they have some degree of vulnerability to Advanced Persistent Threats (APT). This is low in my experience. I would say that less than 1% of organizations have adequate defenses in place against APTs and those are of the most secure types: intelligence agencies and defense contractors with air-gapped secret networks. If organizations truly understood the sophistication of APT style attacks this survey response would be closer to 100%.

The two areas identified that pose the biggest challenge to combating APTs were: disparate systems that don’t talk to each other and the team’s inability to gather relevant attack intelligence in real-time (both over 60%).

Integrating defensive technology to present one-pane-of-glass and automatic mitigation capability is an area that is going to see a lot of development resources over the next several years.

Gathering real-time intelligence and presenting it in a way that helps defenders respond is already an area of rapid development and is the fastest growing segment of the IT security market today. My research pegs it at a 100% annual growth rate.

This survey introduces the concept of personas – PROTECTOR, DETECTIVE, and WARRIOR – and asks respondents to rank what portion of their resources are dedicated to the activities of each persona.

The result: 58 percent PROTECTOR, 21 percent DETECTIVE, and 21 percent WARRIOR, who uses intelligence and real-time situational awareness tactics learned from the military. This supports the statements I have been hearing from leading IT security pros: that protection is no longer enough.

No military commander would go into a mission without a plan that can continuously evolve to account for inevitable and constant change. Commanders put heavy emphasis on real-time intelligence and situational awareness so they know exactly what is happening, as it happens – enabling them to adjust and optimize their plans on the fly. Enterprises should follow suit.

The attackers are going to breach your network to get what they want. The question is: how fast can you discover an intrusion, figure out what the attacker is after, stop the attack, clean up – and prepare for their return? After all, motivated attackers will be back.

The survey supports this observation, in that 92 percent of respondents agree that self-defense, in order to interrupt an in-progress attack, is a necessity. This is not to say that advanced protection capabilities are not important.

The trouble is that IPS, firewalls and anti-virus solutions focus on yesterday’s threats – only threats that have already been observed are subject to signature creation or blocking. That won’t necessarily thwart the attacks you face today. Look for advanced protection technology that proactively protects against zero-day exploits or recognizes lateral movement within a network and blocks it.

This is the first survey that has posed questions about offensive measures by private enterprise. The results are startling but once again reinforce what I have observed in my conversations with government and commercial IT security professionals. 21% of those surveyed responded that they were taking an offensive (WARRIOR) stance in their battle against attackers. And 54% believe they would be well served if they could strike back offensively.

From my experience this usually translates to incursions into attackers’ command and control capabilities. If one quarter of enterprises are engaging in this type of activity we have truly entered a new era of cyber defense that will entail the creation of new services and products to feed the demand: products that focus on identifying attack methodologies and thwarting them.

This survey is a snapshot during a time of rapid change as attackers invest in more and more sophisticated tools and methodologies and IT security vendors scramble to keep up. Enterprises have had to develop their own staff and tools to counter the onslaught. In order to counter these attacks they will be looking for ways to invest their finite resources.

80% of respondents believe that the enterprise could benefit from adopting a military-style approach learned from physical battlefields. If so, it means intelligence gathering, counterintelligence operations, measured in-kind response, and escalation will become part of everyday security operations.

It’s a chilling but accurate picture. In addition to having a hand in reviewing the survey questions before they went out I had a chance to interview CounterTack’s CEO, Neal Creighton, at the RSA Conference 2012.

Watch the video to get an idea of how CounterTack addresses targeted attacks:

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
