Part 5: The IBM “Immune System” Approach: a Security Chastity Belt?
It has been a while, and I apologize! I have been busy attaining accreditation from the world’s largest security vendor, IBM. IBM talks about an “immune system” approach rather than “layers”, and the difference is significant.
According to IBM, many companies have as many as 85 security solutions in place. Lots of protection, the full armament, so that should be good, right? The short answer, unfortunately, is no: the result is a sprawl that is overly complex, and few organisations have adequate resources to manage all that technology. Even if you do have good resources, IBM’s own incident data attributes about 60% of attacks to insiders: roughly 45% deliberate and 15% inadvertent (those are shares of all attacks, so together they make up the 60%). Surprise, surprise, but the dark web is an awfully good place to sell insider information! So, what is one supposed to do?
Remember our earlier discussions about assets and their value to your business? Asking how your business would fare without each of them is a good introspective review. A good IBM product for this is Guardium, their data security tool. With it we discover data assets across the organisation (sometimes you just don’t know what you don’t know), classify them and rank them by their value in the context of your business. They can then be locked down and encrypted, and behavioural analysis of who accesses them, and how, can flag anomalies. Remember Jeopardy and Watson?
You still need help, though, and there is definitely a skills shortage out there. The IBM-sponsored Ponemon Cost of a Data Breach study of 419 companies in 13 countries and regions found that breaches caused by malicious attacks took an average of 214 days to identify and a further 77 days to contain! So let’s put in a SIEM (security information and event management) platform to get a read on security threats. But even once that is in place, a Cisco study showed that with the volume of alerts you get, most of them false positives, security staff manage to investigate only 56% of them!
Ok, so let’s go back and do another checklist to gauge where your security stance compares to best practices:
- A: Passwords, Patch Management, Backups
- B: Firewall, Spam/Web filter, Endpoint/AV
- C, Defence in Depth: DLP, SSL, Anti-DDOS, IPS, CASB
- D, Managed Detection and Response: Log Aggregation, Correlation, Human Threat Intelligence, IDR, Intrusion Containment, Remediation
- E: Policy Update, Notifications (internally and to compliance agencies), Interface with Enforcement agencies
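To make the “Log Aggregation, Correlation” items in D (and the SIEM alert-overload problem above) concrete, here is an added example of a toy SIEM correlation rule run over constructed log lines. It is not code from this post, from IBM or from any SIEM product; the log line format, the five-failure threshold and the two-minute window are my own assumptions. It shows how correlating events per source turns a pile of low-value per-event alerts into one actionable one.

```python
"""
Added example, not from the original post or from IBM: a toy SIEM-style
correlation rule over constructed log lines, contrasting naive per-event
alerting with aggregation by source IP inside a time window.

Assumptions (not on the page): the syslog-like line format, the field
names, the threshold of 5 failures and the 2-minute window are all made up.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs: a burst of failures then a success from one IP
# (a brute force that worked), plus scattered single failures from other
# IPs that are just users mistyping passwords.
SAMPLE_LOGS = """\
2018-11-05T09:00:01 auth sshd: Failed password for admin from 203.0.113.7
2018-11-05T09:00:03 auth sshd: Failed password for admin from 203.0.113.7
2018-11-05T09:00:04 auth sshd: Failed password for root from 203.0.113.7
2018-11-05T09:00:06 auth sshd: Failed password for admin from 203.0.113.7
2018-11-05T09:00:08 auth sshd: Failed password for admin from 203.0.113.7
2018-11-05T09:00:09 auth sshd: Failed password for admin from 203.0.113.7
2018-11-05T09:00:11 auth sshd: Accepted password for admin from 203.0.113.7
2018-11-05T09:05:00 auth sshd: Failed password for alice from 198.51.100.4
2018-11-05T09:05:20 auth sshd: Accepted password for alice from 198.51.100.4
2018-11-05T09:40:00 auth sshd: Failed password for bob from 198.51.100.9
2018-11-05T11:00:00 auth sshd: Failed password for bob from 198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<source>\S+) sshd: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_line(line):
    """Normalize one raw line into a dict of fields; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def parse_logs(text):
    """Aggregation step: turn raw text from a log source into normalized events."""
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def naive_alerts(events):
    """Per-event alerting: every failed login becomes its own alert.
    This is the noise an uncorrelated SIEM produces."""
    return [ev for ev in events if ev["outcome"] == "Failed"]


def correlate(events, threshold=5, window=timedelta(minutes=2)):
    """Correlation step: count failures per source IP inside a sliding window.
    Emit one 'medium' alert when an IP reaches the threshold, and escalate it
    to 'high' if a successful login from the same IP follows within the window."""
    alerts = []
    failures = defaultdict(list)  # ip -> timestamps of recent failures
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip = ev["ip"]
        # forget failures that fell out of the window
        failures[ip] = [t for t in failures[ip] if ev["ts"] - t <= window]
        if ev["outcome"] == "Failed":
            failures[ip].append(ev["ts"])
            if len(failures[ip]) == threshold:  # fire once, not on every further failure
                alerts.append({"ip": ip, "severity": "medium",
                               "reason": "brute force attempt", "count": threshold})
        else:
            if len(failures[ip]) >= threshold:
                for a in alerts:
                    if a["ip"] == ip and a["severity"] == "medium":
                        a["severity"] = "high"
                        a["reason"] = "brute force followed by successful login"
                        a["user"] = ev["user"]
            failures[ip].clear()  # a success ends the attempt window for that IP
    return alerts


if __name__ == "__main__":
    events = parse_logs(SAMPLE_LOGS)
    print("raw failed-login alerts:", len(naive_alerts(events)))
    for alert in correlate(events):
        print("correlated alert:", alert)
```

On these eleven constructed lines the per-event rule raises nine alerts, eight of which an analyst would close as noise; the correlation rule raises one, already escalated to high and naming the account that was taken over. The window and threshold are exactly the kind of tuning that separates a SIEM someone actually watches from one that generates the unread 44%.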
So there’s the list: you probably do A and B, maybe some C. D is an expensive area and E is relatively new and little understood. (Please note that PIPEDA regulations in Canada as of November 1st, 2018 require that any breach of security safeguards posing a real risk of significant harm be reported to the Privacy Commissioner and to the affected individuals, and that you keep records of every breach for 24 months. Oddly, the regulations say little about prevention, detection or remediation, but who am I to complain?!)
But thankfully there’s a solution! Yes, you need a SOC (security operations center). That solution comes at a hefty price, though, and you are probably too small to justify eight bodies at $100K a year each (per Gartner).
So are we doomed, merely marking time until our fate is dealt? C’mon, don’t worry: if you get fired, someone else will hire you (we’ve already identified the skills shortage!)
I jest! There is, in fact, a cost-effective solution: SOC as a service. More on that in the next post.
Check out my previous posts here: Part 1: The Landscape of Security in 2018, Part 2: Five Areas for Complete Coverage, Part 3: What to Expect in a Security Assessment and Part 4: Planning Your Security Architecture
This is the fifth in a series of internet security posts intended to assist security-aware business people. My name is Bruce Thompson and I have been in the telecom and IT industry for over 30 years. I have numerous security certifications from industry-leading vendors and associations. If you’ve been following these blogs up to now, you impress me as a cyber-security-concerned person willing to pursue this field. I find speaking to people like you interesting. Please feel free to contact me anytime at 604-331-2502 or firstname.lastname@example.org