Information security services under siege

Security professionals are disillusioned and desperate for some progress in the uphill battle against attackers. Is the security industry up for the task?

While tales of governments snooping into our personal information persist in capturing media attention, the real story is the erosion of consumer confidence as 2014 shapes up to be another year of catastrophic data breaches.

On the retail side, point-of-sale systems continue to be compromised, with Home Depot - and more recently Kmart - the latest to admit their systems were breached and credit records stolen.

Attacks against health care providers have also been on the rise, highlighted by the theft of approximately 4.5 million records from Community Health Systems, a Fortune 500 company and the largest non-urban provider of general hospital healthcare services in the United States. Even celebrities aren't exempt, as iCloud accounts belonging to prominent actors were hacked over Labor Day weekend with nude photos released and more offered for sale.

The fragility of information security has never been more apparent.

An information security services industry in crisis

The state of security is in existential crisis, with security professionals disillusioned and desperate for some progress in the uphill battle against attackers. Security vendors often tease us with solutions, but we are left waiting for that infamous Godot who never arrives. Compliance objectives, the dreaded checkbox, continue to drive purchases of traditional products, but even the money spent for those systems may begin to decrease as auditors realize many are worthless at actual prevention and offer limited detection capabilities. Information security can no longer depend upon that Maginot Line of basic security controls, hoping to keep attackers away from our most precious resources.

As for the recent spate of retail attacks, it's only a matter of time before lawmakers are forced to step in to placate voters. These breaches only point out how pointless the compliance process has become. Most organizations "game" the audit, instead of actually using requirements as a method for validating their controls. Security's dirty secret is how this cottage industry has developed without actually improving security.

Shifting rapidly to meet demands

Nassim Taleb, the statistician whose work focuses on randomness, asserts that structures improve when exposed to volatility and disorder. Shouldn't information security and the information security services market learn to shift rapidly in response to a constantly evolving threat landscape? The recent trend in security products, using graph theory or data science to help identify anomalous events, seems promising in this regard. But existing vendors won't readily jump into this new market, except through acquisition of the disruptors. It's the innovator's dilemma: Security needs different products, but established companies have no interest in changing their existing economic models. They will not shift their product lines, because disruption doesn't keep the lights on or the company in business. A traditional intrusion detection system company has no interest in innovating away from blacklisting and signatures, because its main revenue source is the signature business.

There's an evolution taking place within IT infrastructures, but security seems to be missing it. Traditional controls are no longer sufficient as infrastructures are commoditized through consumerization and networks become software-defined and are outsourced to the cloud. Security must address this by folding itself into vendor onboarding processes and operations. Those who work with the business to build solid applications and fix vulnerabilities will, in time, replace those ego-driven professionals who seem to think exposing or exploiting a vulnerability makes them successful.

Favoring the paranoid

Natural selection favors the paranoid; therefore, the ultimate goal is omniscience into events, coupled with high-speed response. We should also install layers of airbags into the infrastructure to soften those inevitable attacks. Success will come when security professionals behave more like epidemiologists, when our decisions are data-driven and validated by scientific methods rather than by emotion or magical thinking. While traditional models are useful, they should be strengthened and standardized, with a focus on automating incident response. Taleb introduced the concept of the antifragile, a state "beyond resilience or robustness" that can withstand disorder and randomness. Only the antifragile enterprise, the one that can withstand constant attacks and become self-healing, will be truly resilient.

This was last published in November 2014

Do you believe you have the security tools you need to ensure your network's safety from attack?
I think our network is as secure as it's likely to get - though it's not as secure as I'd honestly like it to be (that's why I'm keeping tabs on quantum computing, which looks increasingly likely to be a real value asset in the future). All of our truly important data is kept in places that attacks physically cannot reach - after all, the best defense against any network attack is not being on the network.