Data Defenders Should Share Resources, Says Symantec Expert
Companies concerned about data security must cease operating as "islands" and share resources to ward off the rising threat of
criminals. That's the message that Stephen Trilling, senior vice president of Security Intelligence and Technology at Symantec Corp., had for attendees at last week's RSA Conference.
Addressing some of the 25,000 people at the Moscone Center in San Francisco -- record attendance for the annual security event -- Trilling said the future of data security will see every failed log-in, malware download and infiltration shared in a database to help companies and their experts identify common threats.
"What we need is a system with a worldview," he said.
In the address, The Future of Security, which was recorded last Wednesday and posted on the RSA Web site, Trilling noted that the fight against hackers is an "asymmetric" battle because the bad guys are able to methodically purchase the same security products used by their intended victims and search for weaknesses.
"Today's targeted attackers have the persistence and patience to execute plans over months and years and they are capable of changing their campaigns as needed to meet their targets," Trilling said. "What about defenders?"
The problem for companies, which often deal with threats inside their systems rather than keeping them out in the first place, is that they mostly do not interact with each other, and often their own system administrators do not have time to keep up with the latest information about threats.
A security product may detect a failed login, but will have no idea that the same computer just connected to a suspicious Web site 10 minutes earlier. While companies may want to help each other, there is currently "no easy way to leverage that."
"Managing security and keeping up with the latest changes in the threat landscape is expensive," Trilling said, and integrating security protocols is a complex effort. Meanwhile, targeted attacks may go undetected for months or longer.
In the security landscape of the future, Trilling said, security will be managed by providers who will "leverage great economies of scale," providing services that are not only less expensive but can also raise the capability, because they can tap into a vast database of information from a large customer base.
How Do We Get There?
A unified threat identification system will make enterprises' defenses stronger than the sum of their parts, Trilling said, by keeping a history of every connection and every executable file made from a particular machine, while collecting data not only from on-premise systems but from , remote and systems in a secure, multi-tenant database.
To protect proprietary information, he added, the system must be designed to meet global policy regulations with regard to privacy and data protection.
In one scenario, Trilling said, a computer from Company 1 connects to a particular FTP server. Later, after a targeted attack, a team discovers that same server was used in the attack. "The team can now go and mine Company 1's data to figure out what file was used in the attack, and to further figure out how did that file get in and, if it came from an e-mail domain that is suspicious, who else inside Company 1 also received e-mail from that domain?" Trilling explained. "We'll be able to connect the dots spanning industries or economic sectors."
No Silver Bullets
In an earlier address at the RSA Conference, Art Gilliland, senior vice president and general manager of Enterprise at Hewlett Packard, said his company's research of its clients showed that too many relied excessively on and hardware to protect their systems, while skimping on safe practices by smart managers.
Rather than chase "silver bullets," he said companies must invest in a trifecta of "people, process and technology." Companies that did so saw 21 percent better returns on their investment and saved on average $4 million more than other companies.
Based on assessments of 96 companies globally, HP found that most spent 86 percent of their security budget trying to block threats at the infiltration stage. Meanwhile, personnel had a minimalistic "check box" approach toward security practices and policies.
"Almost a quarter of the people implementing this strategy failed to meet the minimum security standards they set for themselves," he said. "They are aspiring toward the low bar of compliance. And 30 percent failed to even meet compliance."