Solera Networks and Trusted Strategies recently released a survey which concluded that more than 85% of large enterprises (those with 1000 or more network nodes) have had a major incident in the past 36 months or expect to have one in the next 36 months (http://www.soleranetworks.com/news/survey-despite-expected-attacks-most-networks-are-unprepared-for-quick-response/). The survey also found that more than 40% of large enterprises believe it will take 2 to 10 or more days to determine the full scope of an incident.
At first glance the report paints the familiar picture of organizations needing “more security.” The less obvious lesson of the survey, however, is that security should be treated as a process, not a product. “The trick is to reduce your risk of exposure regardless of the products or patches,” Bruce Schneier wrote in 2000. That more than 85% of large enterprises have had or expect to have a major incident in a 6-year period should not be surprising, any more than it is surprising that a retailer will suffer a major theft or that you may be involved in a serious car accident in a 6-year (or any other arbitrary) period. Bad things have some probability of happening, and the goal of “good security” remains to reduce that risk and its impact.
While the survey does not include details of which technologies or services the respondents use, it does find that “few organizations are capturing and recording enough data to be useful during an investigation.” The focus of the survey is the need for network forensics to help an organization respond to an incident, but its conclusions can reasonably be broadened: most companies appear to be spending too much attention on prevention, not enough on response, and even less on detection. Detection is the component that connects prevention and response, as Bruce Schneier lays out in Secrets and Lies: Digital Security in a Networked World.
Detection, or threat monitoring, comes in many flavors, but at its core it requires that organizations collect and monitor all of their logs: Windows and Unix hosts; firewalls, routers, and switches; applications and databases; and intrusion detection systems deployed to look for attacks on the network. Collecting the logs is only half the job. Organizations also need the ability to analyze and correlate all of this event data so that IT security staff receive actionable alerts rather than raw log volume.
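To make the correlation step concrete, here is an added example, written for this post and not taken from the survey or from BT's monitoring platform. It parses two constructed log sources (firewall DROP lines from a Linux host's kernel log and sshd authentication lines from a bastion host) and applies two correlation rules across them: a port-scan rule on the firewall events, and a rule that raises a high-severity alert only when a burst of failed logins from one source is followed by a successful login from that same source. The log lines, host names, thresholds, and windows are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines (not real data): firewall drops from "fw01"
# and sshd authentication events from "bastion", interleaved in time order.
SAMPLE_LOGS = """\
Jun 14 09:12:01 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=22
Jun 14 09:12:01 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=23
Jun 14 09:12:02 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=80
Jun 14 09:12:02 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=443
Jun 14 09:12:03 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=3389
Jun 14 09:15:10 bastion sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jun 14 09:15:12 bastion sshd[2201]: Failed password for root from 203.0.113.7 port 51023 ssh2
Jun 14 09:15:14 bastion sshd[2201]: Failed password for admin from 203.0.113.7 port 51024 ssh2
Jun 14 09:15:17 bastion sshd[2201]: Failed password for admin from 203.0.113.7 port 51025 ssh2
Jun 14 09:15:20 bastion sshd[2201]: Failed password for admin from 203.0.113.7 port 51026 ssh2
Jun 14 09:15:25 bastion sshd[2203]: Accepted password for admin from 203.0.113.7 port 51027 ssh2
Jun 14 09:16:00 bastion sshd[2210]: Failed password for alice from 198.51.100.9 port 40001 ssh2
Jun 14 09:16:05 bastion sshd[2211]: Accepted publickey for alice from 198.51.100.9 port 40002 ssh2
"""

# Generic syslog prefix: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(\S+)\s+([\w.-]+)(?:\[\d+\])?:\s+(.*)$")
FW_RE = re.compile(r"\bDROP\b.*\bSRC=(\S+).*\bDPT=(\d+)")
SSH_RE = re.compile(r"^(Failed|Accepted) \w+ for (?:invalid user )?(\S+) from (\S+) port")


def parse_line(line):
    """Normalize one raw log line into an event dict, or None if it is not one we model."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts_raw, host, prog, msg = m.groups()
    ts = datetime.strptime(ts_raw, "%b %d %H:%M:%S")  # syslog omits the year; deltas still work
    if prog == "kernel":
        fw = FW_RE.search(msg)
        if fw:
            return {"ts": ts, "host": host, "type": "fw_drop", "src": fw.group(1), "dport": int(fw.group(2))}
    elif prog == "sshd":
        ssh = SSH_RE.match(msg)
        if ssh:
            outcome, user, src = ssh.groups()
            return {"ts": ts, "host": host, "type": "auth_fail" if outcome == "Failed" else "auth_ok",
                    "src": src, "user": user}
    return None


def correlate(lines, scan_ports=5, scan_window=timedelta(seconds=60),
              fail_threshold=5, fail_window=timedelta(minutes=5)):
    """Run the two correlation rules over raw log lines and return actionable alerts.

    Thresholds and windows are illustrative assumptions, not recommended tuning."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    alerts = []
    drops = defaultdict(list)   # src -> [(ts, dport)] within the scan window
    fails = defaultdict(list)   # src -> [ts] of failed logins within the fail window
    scanned = set()             # sources already reported as scanners (suppress duplicates)
    for e in events:
        src, when = e["src"], e["ts"].strftime("%b %d %H:%M:%S")
        if e["type"] == "fw_drop":
            recent = [(t, p) for t, p in drops[src] if e["ts"] - t <= scan_window]
            recent.append((e["ts"], e["dport"]))
            drops[src] = recent
            ports = {p for _, p in recent}
            if len(ports) >= scan_ports and src not in scanned:
                scanned.add(src)
                alerts.append({"ts": when, "rule": "port_scan", "severity": "medium", "src": src,
                               "host": e["host"], "ports": sorted(ports)})
        elif e["type"] == "auth_fail":
            fails[src] = [t for t in fails[src] if e["ts"] - t <= fail_window] + [e["ts"]]
        elif e["type"] == "auth_ok":
            # A success on its own is normal; a success right after a burst of failures is not.
            recent = [t for t in fails[src] if e["ts"] - t <= fail_window]
            if len(recent) >= fail_threshold:
                alerts.append({"ts": when, "rule": "brute_force_success", "severity": "high",
                               "src": src, "host": e["host"], "user": e["user"],
                               "failures": len(recent), "prior_scan": src in scanned})
                fails[src] = []
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS.splitlines()):
        print(alert)
```

On the constructed input the engine raises exactly two alerts for 203.0.113.7 (the scan, then the successful login after five failures, flagged with prior_scan set) and nothing for 198.51.100.9, whose single failure followed by a key-based login is ordinary user behaviour. The point the paragraph makes is visible in the second rule: neither the firewall log nor the sshd log alone says anything actionable, and the high-severity alert only exists because both sources were collected and joined on the source address.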
Of the three components, detection is the one most easily outsourced to a service provider such as BT, because it can be done entirely passively, without changing the controls and processes already in place. Most organizations can enable effective, global, 100% passive threat monitoring within a matter of days using BT’s Managed Security Solutions. If we accept that security incidents will happen as a matter of course, then we should focus on security processes that manage risk. The Solera Networks survey is a useful reminder that many organizations focus too much on prevention and are still thinking of security as a product.
Tom Le, Director of R&D, Managed Security Solutions Group, BT Global Services