In the continuing battle between cybercriminals and information security, the criminals currently hold the upper hand. They know almost everything about our defenses, but we only know about the threats that we can catch. We keep introducing new devices, greater mobility, and more storage places, which do help us work better but also increases the attack surface. Combating this advantage and turning the tables back in our favor means changing some fundamentals about our defenses.
Endpoint defenses have become a collection of antivirus, firewall, and process monitoring, often from different vendors, supported by frequent updates to keep them knowledgeable about current threats. This approach is complicated to manage, processor intensive, and sometimes out of date and vulnerable to emerging attacks.
To overcome the attacker advantage, we need a new approach, which combines these functions into a cohesive whole, whether from one or multiple vendors. Instead of frequent updates of virus definition files, we need real-time communications between endpoint counter-measures and other security technologies, so that you can get an accurate picture of who is attacking what and where, now.
We need much broader sharing of threat information, within your organization, within your local community, industry, region, country, and around the world. Threats are coming from multiple vectors and a myriad of sources, and broader threat intelligence sharing will be mandatory to getting ahead, and staying ahead, of cybercriminals.
The performance issue, which has long been a complaint of end users, needs to be firmly addressed. Scans that interrupt the workday, slow down the computer, and impact end user productivity need to be replaced with something more intelligent and adaptive to the user’s behavior. We do not need to scan every file and process every time, but should instead learn through observation what can be trusted and what is suspicious, to focus resources appropriately. Smart security processes can and should operate in the idle time between a user’s work, with the goal of zero impact to productivity.
Security operations need much better visibility into what is happening around the organization, and actionable information on what to do about it real-time. Forensic analysis is great for determining how to build better defenses, but less useful when trying to reduce response times from days or weeks to milliseconds. When an attack or compromise is detected, the affected system should immediately publish the information it has, so that others can block the malicious files and processes before they can spread.
Finally, we need to reduce the complexity of deploying, configuring, and managing security systems. Too many organizations have expensive security tools deployed in monitor or default mode, either sitting silently and watching the bad guys wander in, or generating an overwhelming number of alarms with no discrimination between important and inconsequential.
At Intel Security, we have been working on these issues, both internally and with partners. These are issues for all organizations, and for the entire security industry. A collaborative approach, including global and community threat intelligence sharing, data exchange between different technologies and processes, and improved performance, will accelerate time to protection and enable security teams to resolve more threats faster with fewer resources.