In my previous blog I talked about the as-is state of enterprise security. Now I’d like to paint a picture of a much better future state that I believe is achievable, and then I’ll tell you how we can make that state a reality.
First, in our ideal future state attackers don’t just go away, and let’s be honest, regardless of how advanced our defenses become, attackers will still find a way to penetrate them. So in our future state, we will not totally eliminate compromises – they will occur. However, we envision a future state where enterprises will either block the attacks outright, or discover them within minutes or hours of compromise, rather than the months or years it takes to detect many attacks today. We further envision a future state where enterprises won’t need an expensive team of security experts or large numbers of proprietary integrations to achieve this level of protection. We envision a state where the customer will rapidly and cheaply be able to identify the who, what, when, where and how of each attack so they can contain it quickly and get back to business. Finally, in our future state, enterprises will no longer be islands – they will be securely connected with others in their industry, enabling them to harness the wisdom of their industry peers to better defend their systems.
So now that we have painted a picture of what the future could look like, how do we get there?
First, one thing is clear – such a future state could only be delivered as a service by a dedicated security provider. Enterprises are understandably focused on achieving their core mission – not on dedicating huge amounts of resources to hunting for hackers. Most corporations simply can’t attract or afford to hire the highly trained security experts that would be required to achieve the world-class level of protection that we envision in our future state. Nor do corporations have the bandwidth to monitor the attacker networks and understand their evolving methods of operation. Finally, no single corporation will ever have access to the breadth of security intelligence required to detect targeted attacks that often span multiple companies, industries and geographies.
On the other hand, a sufficiently large security firm can attract and hire such experts. Such a firm would have access to huge amounts of security intelligence – telemetry from multiple enterprises, across all major industries and geographies – and the personnel to track the major attacker networks. And by leveraging these assets and the right technology, and capitalizing on economies of scale, such a firm can simultaneously defend not just one network, but tens of thousands.
Alright, so what are the ingredients required to make such a service offering possible?
First, corporations will still need to deploy best-of-breed protection offerings to reduce their exposure. Point solutions like endpoint protection, host intrusion prevention, email and web filtering, firewalls, database monitoring, web application firewalls, and many others do block or definitively identify many attacks, and the best defense is to block the attack in the first place.
Second – and this is a key point – each of these protection offerings must be modified such that they not only block and alert on definitively-identified attacks, but also generate security-relevant telemetry feeds. For example, in addition to blocking suspicious software using fingerprints, reputation and behavioral technology, an endpoint protection offering might also track what logins are being initiated from or to the protected machine. The offering might also keep track of all new software files that are created on that machine and what key settings have been changed (e.g., security settings, account creation, etc.). And the offering might also baseline key activities on each system in order to detect anomalous activity. For example, the user of machine X usually checks email between 9am and 7pm Pacific Time while logged into the computer, so why did they initiate an email check at 3am while not logged in?
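The baselining idea in the paragraph above, worked through as an added example (this is not code from the original post or from any vendor's product). It assumes a hypothetical endpoint agent that emits one record per line in the form `timestamp|host|user|event`, with `logon`/`logoff` events for interactive sessions and `mail_check` events for email activity; the telemetry below is constructed sample data, and timestamps are taken to be the host's local time. The first two days of records are used as the learning window, after which any email check outside the learned hours, or with no interactive session open for that user on that host, is flagged with the reason.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry from a hypothetical endpoint agent:
# "timestamp|host|user|event", one record per line.
SAMPLE_TELEMETRY = """\
2024-03-04T08:55:00|HOST-X|alice|logon
2024-03-04T09:10:00|HOST-X|alice|mail_check
2024-03-04T13:30:00|HOST-X|alice|mail_check
2024-03-04T18:45:00|HOST-X|alice|mail_check
2024-03-04T19:02:00|HOST-X|alice|logoff
2024-03-05T09:01:00|HOST-X|alice|logon
2024-03-05T09:15:00|HOST-X|alice|mail_check
2024-03-05T16:40:00|HOST-X|alice|mail_check
2024-03-05T18:50:00|HOST-X|alice|logoff
2024-03-06T03:12:00|HOST-X|alice|mail_check
2024-03-06T09:05:00|HOST-X|alice|logon
2024-03-06T09:20:00|HOST-X|alice|mail_check
2024-03-06T18:30:00|HOST-X|alice|logoff
"""


def parse_telemetry(text):
    """Parse the line format into (datetime, host, user, event) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, event = line.split("|")
        events.append((datetime.fromisoformat(ts), host, user, event))
    events.sort(key=lambda e: e[0])
    return events


def build_baseline(events, activity="mail_check", days=2):
    """Learn, per user, the set of clock hours in which `activity` was observed
    during the first `days` days of telemetry (the learning window)."""
    start = events[0][0].date()
    baseline = defaultdict(set)
    for ts, _host, user, event in events:
        if (ts.date() - start).days < days and event == activity:
            baseline[user].add(ts.hour)
    return baseline


def find_anomalies(events, baseline, activity="mail_check", days=2):
    """Replay the telemetry after the learning window and flag `activity` events
    that fall outside the user's baseline hours or occur while no interactive
    session is open for that user on that host. Returns a list of findings."""
    start = events[0][0].date()
    logged_in = defaultdict(bool)  # (host, user) -> interactive session active?
    findings = []
    for ts, host, user, event in events:
        # Session state is tracked across the whole stream, including the
        # learning window, so the first post-window event sees correct state.
        if event == "logon":
            logged_in[(host, user)] = True
        elif event == "logoff":
            logged_in[(host, user)] = False
        elif event == activity and (ts.date() - start).days >= days:
            reasons = []
            if ts.hour not in baseline.get(user, set()):
                reasons.append("outside baseline hours")
            if not logged_in[(host, user)]:
                reasons.append("no interactive session")
            if reasons:
                findings.append((ts.isoformat(), host, user, reasons))
    return findings


if __name__ == "__main__":
    evts = parse_telemetry(SAMPLE_TELEMETRY)
    base = build_baseline(evts)
    for finding in find_anomalies(evts, base):
        print(finding)
```

Run as-is, the only finding is the 03:12 email check on the third day, flagged for both reasons. A real deployment would learn the baseline over weeks rather than two days, key it on weekday as well as hour, and treat a missing session as a stronger signal than an unusual hour, but the two-part check (expected time window, plus corroborating session state) is the shape of the detection the paragraph describes.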
And to implement our vision, we don’t just need this security-relevant telemetry from endpoints. We need this kind of telemetry from every security sensor in the enterprise. From the email gateway we need the metadata on every inbound email – its sender, recipient list, a list of attachments and URLs embedded within the email, source email server IP address, and so on. We need telemetry on every outbound connection through the enterprise firewall. We need telemetry on every request to the database server. And telemetry from honeypots – from both traditional server honeypots as well as from more interesting honeypots like honey files and honey tokens – although that’s a different blog article.
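To make the email-gateway telemetry concrete, here is an added example (not code from the original post or from any gateway product) that pulls exactly the metadata listed above out of one inbound message using Python's standard `email` package: sender, recipient list, attachment names, URLs embedded in the body, and the source mail server's IP address taken from the topmost `Received` header. The raw message is a constructed sample with reserved documentation addresses; the field names in the returned record are this example's own choice.

```python
import re
from email import policy
from email.parser import BytesParser

# Constructed sample message, as a gateway might hand it to a telemetry hook.
# The tab-led lines are RFC 5322 header folding; the parser unfolds them.
RAW_MESSAGE = b"""\
Received: from mail.example-partner.test (mail.example-partner.test [203.0.113.25])
\tby mx.example-corp.test with ESMTP id abc123
\tfor <bob@example-corp.test>; Mon, 4 Mar 2024 09:12:03 -0800
From: "Invoices" <billing@example-partner.test>
To: bob@example-corp.test, carol@example-corp.test
Cc: dave@example-corp.test
Subject: Invoice 4471
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset=utf-8

<p>Please review <a href="http://invoices.example-partner.test/4471">the invoice</a>.</p>
--b1
Content-Type: application/pdf; name="invoice-4471.pdf"
Content-Disposition: attachment; filename="invoice-4471.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

URL_RE = re.compile(r"""https?://[^\s"'<>]+""")
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def extract_mail_telemetry(raw):
    """Return a flat metadata record for one inbound message (no body content)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)

    # Envelope-ish fields from the structured address headers.
    sender = msg["From"].addresses[0].addr_spec if msg["From"] else None
    recipients = []
    for name in ("To", "Cc"):
        header = msg[name]
        if header is not None:
            recipients.extend(a.addr_spec for a in header.addresses)

    # Attachment names: parts the message does not treat as body candidates.
    attachments = [p.get_filename() for p in msg.iter_attachments()]

    # URLs from every non-attachment text part (plain or HTML).
    urls = []
    for part in msg.walk():
        if part.get_content_maintype() == "text" and not part.is_attachment():
            urls.extend(URL_RE.findall(part.get_content()))

    # Source server IP: the topmost Received header is the one our own MX
    # wrote, so it is the only hop whose address is not attacker-controlled.
    source_ip = None
    received = msg.get_all("Received") or []
    if received:
        m = RECEIVED_IP_RE.search(" ".join(str(received[0]).split()))
        source_ip = m.group(1) if m else None

    return {
        "sender": sender,
        "recipients": recipients,
        "subject": str(msg["Subject"]) if msg["Subject"] else None,
        "attachments": attachments,
        "urls": urls,
        "source_ip": source_ip,
    }


if __name__ == "__main__":
    for key, value in extract_mail_telemetry(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

Only the first `Received` header is trusted for the source IP because every header below it was written by upstream servers, which a sender can forge. The record deliberately carries no message body, which is what makes this kind of feed cheap to retain in bulk while still letting an analyst answer the who/what/when/where questions after the fact.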
So now your security solutions don’t just block threats; they become rich sources of intelligence that, in aggregate, will help us detect attacks that would otherwise evade detection. And this intelligence can also aid in forensic investigations in the event an attacker gets through your defenses.
So now we have all of this telemetry – potentially exabytes from tens of thousands of different enterprises – what do we do with it?
More on this in my next blog. Don’t forget to post your comments.