Patrick Lambert describes the intelligence-based security model — a response to new attack surfaces that don't fit into the standard perimeter-defense model.
Over the past 15 years the network security world has adopted a set of rules aimed at keeping businesses secure against online threats. Every model in use today is built around a perimeter: make sure that nothing unwanted reaches your servers or workstations, and that nothing inside walks out with your data. That perimeter has evolved, but it typically involves firewalls that filter unwanted traffic; routers and switches that manage traffic, including the flood of a denial-of-service attack; and intrusion detection systems to catch anyone who does get in while they are still in the act. Unfortunately, recent years have widened the attack surface considerably. Mobile workers using tablets and smartphones outside the corporate network, combined with cloud adoption, mean that your attack surface is no longer confined to a few network pipes. Now you have to deal with people connecting over wi-fi, cellular networks, ad hoc connections and a long list of online services. Your attack surface has grown dramatically, and perimeter defenses on their own no longer cover it. This is when you should start thinking differently about security.
One trend that is starting to grow, and is expected to become the norm in 2013 and beyond, is called intelligence-based security. The idea is that you no longer rely on perimeters, DMZs, or any other kind of wall to keep your systems hidden from the outside world. With so many variables in play, with corporate email hosted somewhere in the cloud alongside office documents, collaboration tools, financial information and more, it is simply no longer possible to wall all of it off, especially when employees expect to reach those services from the road and from a wide array of devices. Instead, assume that an attacker who wants a specific server your corporation uses will find some hole in your perimeter, and plan for what happens next. That assumption is why intelligence-based security is so critical.
But what exactly is intelligence-based security? The concept first gained traction at the RSA Conference 2012, when Art Coviello, executive chairman of RSA (the security division of EMC), gave a talk on the topic. Instead of building security on the idea that everything behind a particular point is safe, you think in terms of risk and focus on predictive analytics: watching for the signs of an intrusion rather than trusting that the wall held. Anti-virus is the clearest precedent. Vendors struggled with this for years, but the heuristics they ship today are far more sophisticated. In the past an anti-virus product could only detect malware whose signature was already in its database; a sample that had been repacked or altered by a few bytes slipped through. With heuristics, the product watches what a piece of software actually does, matches those actions against known patterns, and estimates how likely it is to be malicious. The trade-off is noise: behaviour-based verdicts produce false positives that exact signatures never did, so the alerts need triage rather than blind trust. The same concept applies to network security. A typical IDS or firewall works fine at blocking known threats, but a criminal organization targeting a specific system has the means to go beyond them. They are crafty, and can find weaknesses in any perimeter, especially one with as many cloud services and entry points as most businesses now have.
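To make the signature-versus-behaviour distinction concrete, here is an added example, written for this article and not taken from it or from any anti-virus product. It keeps a small constructed "signature database" of SHA-256 hashes, then scores a sample's observed actions (file writes, registry changes, child processes, outbound connections) against a handful of behavioural rules. The payloads, event sequences, rule weights, allow-listed hosts and verdict thresholds are all made up for the demonstration. A dropper repacked with one extra byte evades the hash check but is caught by its behaviour; a benign installer scores clean; and an administrator's login script that sets a Run key and launches PowerShell lands in a "suspicious" tier, which is the false-positive triage problem mentioned above.

```python
"""Signature matching versus behavioural heuristics.

Added example for the paragraph above; not code from the article or from
any anti-virus vendor. The "known-bad" hashes, the process events, the
rule weights and the thresholds are all constructed for the demonstration.
"""
import hashlib
from dataclasses import dataclass

# Constructed signature database: SHA-256 of two "known-bad" payloads.
KNOWN_BAD_PAYLOADS = [b"MZ\x90\x00dropper-v1", b"MZ\x90\x00dropper-v2"]
SIGNATURE_DB = {hashlib.sha256(p).hexdigest() for p in KNOWN_BAD_PAYLOADS}

# Hosts the (fictional) corporate environment is expected to talk to.
ALLOWED_HOSTS = {"updates.example.com", "mail.example.com"}


def signature_match(payload: bytes) -> bool:
    """Classic AV check: only an exact, already-catalogued hash is flagged."""
    return hashlib.sha256(payload).hexdigest() in SIGNATURE_DB


@dataclass(frozen=True)
class Event:
    """One observed action by the sample under analysis."""
    kind: str    # "file_write", "registry", "spawn" or "connect"
    target: str  # path, registry key, binary name or host:port


# Behavioural rules look at what the sample does, not at its bytes.
def _persistence(e: Event) -> bool:
    return e.kind == "registry" and "\\run" in e.target.lower()

def _startup_drop(e: Event) -> bool:
    return e.kind == "file_write" and "\\startup\\" in e.target.lower()

def _shell_spawn(e: Event) -> bool:
    return e.kind == "spawn" and e.target.lower() in {"cmd.exe", "powershell.exe"}

def _unknown_outbound(e: Event) -> bool:
    return e.kind == "connect" and e.target.rsplit(":", 1)[0] not in ALLOWED_HOSTS

# (name, predicate, weight); each rule counts once however often it fires.
RULES = [
    ("persistence", _persistence, 30),
    ("startup_drop", _startup_drop, 30),
    ("shell_spawn", _shell_spawn, 20),
    ("unknown_outbound", _unknown_outbound, 30),
]
MALICIOUS_AT, SUSPICIOUS_AT = 60, 30


def heuristic_score(events):
    """Return (score, fired_rule_names) for a sequence of observed events."""
    fired = [name for name, pred, _ in RULES if any(pred(e) for e in events)]
    score = sum(w for name, _, w in RULES if name in fired)
    return score, fired


def classify(payload: bytes, events) -> dict:
    """A signature hit is conclusive; otherwise fall back to the behavioural
    score and map it to a verdict tier. 'suspicious' means analyst triage,
    not automatic blocking."""
    sig = signature_match(payload)
    score, fired = heuristic_score(events)
    if sig or score >= MALICIOUS_AT:
        verdict = "malicious"
    elif score >= SUSPICIOUS_AT:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"signature_hit": sig, "score": score, "rules": fired, "verdict": verdict}


# --- Constructed samples ---------------------------------------------------
# The known dropper repacked with one extra byte: its hash no longer matches.
REPACKED_DROPPER = KNOWN_BAD_PAYLOADS[0] + b"\x00"
DROPPER_EVENTS = [
    Event("file_write", r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.exe"),
    Event("registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"),
    Event("spawn", "cmd.exe"),
    Event("connect", "203.0.113.5:4444"),
]

# A benign installer: writes under Program Files and fetches an update.
BENIGN_PAYLOAD = b"MZ\x90\x00setup-v3"
BENIGN_EVENTS = [
    Event("file_write", r"C:\Program Files\Vendor\app.exe"),
    Event("connect", "updates.example.com:443"),
]

# An admin's login script: persistence plus a shell, but nothing else.
ADMIN_PAYLOAD = b"@echo off\r\n"
ADMIN_EVENTS = [
    Event("registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\mapdrives"),
    Event("spawn", "powershell.exe"),
]

if __name__ == "__main__":
    for label, payload, events in [("repacked dropper", REPACKED_DROPPER, DROPPER_EVENTS),
                                   ("benign installer", BENIGN_PAYLOAD, BENIGN_EVENTS),
                                   ("admin script", ADMIN_PAYLOAD, ADMIN_EVENTS)]:
        print(label, classify(payload, events))
```

Note that the rules count once each regardless of how many events trigger them, so a sample cannot be pushed over the threshold by repeating a single low-weight action; and the "suspicious" tier exists precisely because behavioural rules fire on legitimate administration as well as on malware.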
Right now, most of the budget and time any organization allocates to security goes to prevention. Figures cited by the RSA chairman put over 80% of the effort on prevention, 15% on detection and 5% on response. But incursions are inevitable, so the balance needs to shift, and that means rethinking the security model from the ground up. What will 2013 bring on this front? First, companies need to accept that mobility and the cloud are here to stay. According to the latest predictions out of RSA, attackers will grow more sophisticated in the coming year and attack surfaces will keep growing, so the shift has to happen as soon as possible. To implement this new model, businesses need to acknowledge that these security issues exist. There needs to be a much higher degree of cooperation between security professionals, management and IT. In an era of openness and connectivity, more focus belongs on quick detection and response, and less on aging technologies that only stop what they already recognize.
At the end of the day, it won't be the organization with the most hardened firewall that keeps online threats out, but the one with the highest degree of awareness and understanding. An ecosystem of governments, vendors and corporations needs to cooperate and grow to counter organized crime. Only then will network security get onto the path it needs in order to keep up with ever-changing threats.