It's time for organisations to rethink how they allocate security budgets, and to acknowledge that preventative measures are no longer effective enough to ward off attacks.
Today, more resources tend to be required to combat attacks in progress and clean up the mess in the aftermath than are spent on front-line defences.
Traditionally, organisations built a solid shell around their data and expected it to be safe.
But for more than a decade now, attacks have been increasing in volume and sophistication and as such tend to be more successful.
“We see 8,000 security events every second, 50,000 every minute - that’s 23 billion security events,” said Andrzej Kawalec, CTO for enterprise security services at HP, at the opening of the company’s new global security operations centre in Sydney last week.
Organisations generally spend around 70-80 percent of their security budget on prevention technologies, such as firewalls, while around 20 percent is spent detecting intruders and monitoring for unusual behaviour. The remainder is spent cleaning up after an attack and restoring data.
Cisco expects these numbers to reverse over the next decade, with only about 10-20 percent being spent on prevention and the vast majority spent dealing with active attacks.
“Traditionally, security was some antivirus on the desktop, and content gateways and firewalling around your datacentre. Today, the number of connected devices is growing exponentially and everything that is connected has an IP address, which can potentially be used to attack the network,” said Glenn Welby, general manager of security at Cisco.
“Only three years ago, our CSO John Stewart used to say there are three types of companies, those that have been penetrated and know it, those that have been penetrated and who don’t know it and those that are yet to be penetrated. He doesn’t use the last term anymore - they have all been penetrated,” Welby told SC Magazine.
Another factor is the maturing of a black market for zero-day vulnerabilities, which can leave even the best protected systems completely exposed, according to a report published last month by non-profit think-tank RAND Corporation, titled Markets for Cybercrime Tools and Stolen Data.
Zero-days, it explains, are exploitable vulnerabilities that a software vendor is not aware of and for which no patch has been created. Zero-days are thus desirable for hackers because everyone is vulnerable to exploitation.
According to the report, if a security researcher discloses a vulnerability to the software vendor, they could earn around $10,000. However, if they sell the same information on the black market, they’d get closer to $100,000.
One study highlighted by the report shows that once a zero-day is disclosed, the number of malware variants exploiting it increases 183-185,000 times, and the number of attacks increases 2-100,000 times.
So keeping abreast of newly discovered zero-days is important, but it won’t help if the zero-day was first used to attack your organisation. In that case, it could be months or even years before the attack is discovered and plugged.
There are ways to predict some attacks regardless of the technology, according to Nick Wilson, general manager of enterprise services at HP South Pacific.
“We are gathering information from unstructured data ... to find geopolitical threat intelligence that is targeted at our clients,” said Wilson, explaining that HP scans social media, public forums and chatrooms for hints about potential targets or attack vectors.
“This kind of communication goes on in the hacker community all the time. We grab it and build a profile for our clients, we can provide them with actionable intelligence,” Wilson said.
HP may be able to monitor some of the hacker community, but even with its fancy new security centre, it’s unlikely to be monitoring the newest enemy, which was unceremoniously outed last year by whistleblower Edward Snowden.
With our worst, most paranoid expectations confirmed, we now have to add so-called ‘friendly’ governments to the list of potential attackers. This means the front lines of this battle are blurring rapidly, and security investments will have to evolve along with the new threat landscape.
“I think you are seeing a change of spend as people become more aware, as they come to realise where they really need to spend their money,” added Wilson.