The postings on this site solely reflect the personal views of each author and do not necessarily represent the views, positions, strategies or opinions of IBM or IBM management. IBM reserves the right to remove content deemed inappropriate.
Opportunity begets reality: The evolution of threats on the internet
Today, there is a greater understanding of cyber security risks and challenges than ever before because it is hard to go even a single day without reading a story about an organization that has been breached. For many people the challenges around internet and computer security are also ones that hit close to home as identity theft and credit card fraud can seem almost commonplace.
Threats have made the transition to the digital world because it is simply a better means of accessing an end. Organized crime, sabotage, espionage, terrorism, civil disobedience and the theft of intellectual property are all issues that have moved from the physical world to the digital one because our investment in the internet has made these cyber attacks on people, networks and systems both possible and effective.
This trend is only going to continue because the unfortunate reality is that for attackers it is almost always preferable to be in front of a computer than physically at the scene of an incident.
The increasing sophistication of attacks
The two decades of the commercial internet can really be broken up into two distinct decades of security threats. Much of the attack activity we saw during the early days of the internet was without focus: it was opportunistic, and there was very little specific targeting of systems, organizations and individuals.
As a result, the security technology most companies deployed only needed to be as good as or better than that of one's peers. If the attack is opportunistic, your organization only needed to be a slightly more difficult opportunity.
Today, all that has changed. The data and systems we have now exposed to the internet have produced new opportunities for illegal and criminal activity, and that opportunity has produced an associated class of attackers who are well-funded, motivated and oftentimes very innovative. They conduct reconnaissance, are more operationally proficient, frequently use custom, never-before-seen malware and will often do whatever they can to hide their activity.
To warrant this type of effort, the types of data they target are also the data that organizations frequently consider to be most critical.
Essential to detecting and defending against sophisticated threats in both the physical and digital world is intelligence. If an attacker isn't going to simply give up when their first, second or thirtieth attack gets blocked, we have to adopt strategies designed to assemble a more complete picture of the threat.
The role of security analytics and intelligence
This is where we are seeing the convergence of internet and computer security with the big data and analytics space. The reality is that most organizations have an incredible amount of data relevant to security. They have data about threats on the internet, users and where they are going, about system configurations, about attack activity constantly peppering firewalls and intrusion prevention systems, about applications and their security vulnerabilities, about who is accessing what data, and then where that data is going.
Each of the actions an attacker takes as they move within an organization produces small digital footprints, and these footprints are the pieces of data that security teams are trying to identify and combine to better understand the attack.
We work with some organizations that see over two billion security events every day and while you might believe such a number makes managing security impossible, the irony is that the more data we collect, the fewer incidents that actually require investigation. The more we understand about what is normal and what is not normal within an environment, the more clarity we have and the better we can identify deviations and incidents that require priority investigation and response.
Today it isn't good enough to merely block an attack; we are trying to understand as much as possible about who is attacking us and what tactics they are using, and then developing a real understanding of what they are after and how to stop them before they get there.
Building for the future: new insights from big data
For many of the most advanced and forward-looking organizations, the next step will be combining security data with other sets of data that had never previously been considered relevant, things like business process data and baselines around normal financial transaction behavior. If today's attackers are after the most critical data and systems, it means security intelligence will need to evolve to include a more complete understanding of the business and the processes within it.
If the attackers are going to continue to become more sophisticated and if the volume and variety of relevant security data is going to continue to explode, there are two essential questions organizations need to be asking themselves.
First, am I designing a strategy that welcomes and embraces more data from every relevant source imaginable?
Second, if the keys to detecting and defending against the threats of the future will be understanding and connecting data, am I building a new set of security skills within my organization that will position me for success not just today, but five years from now?
For more information from around IBM and the security world more generally, please feel free to follow me on Twitter: @BryanCasey_