Prevention, detection and response: the cyber security industry

 

It is no secret that the evolving and furious frequency of cyber attacks has been winning the war against cyber security defences.

Prevention, detection and incident response are the 3 key principles surrounding security, both physical and digital.

There are constant breaking news stories surrounding hacking scandals, most recently Yahoo. The Internet giant lost 500 million customer details back in 2014 but it wasn’t detected until last month.

The question is when, not if an organisation will be hacked.

But is the tide turning in cyber security’s favour? Information Age spoke to John Bruce, CEO of Resilient (an incident response company) about the current state of the industry, what the current threats facing public and private businesses are, and the future of cyber security.

John Bruce, CEO, Resilient
John Bruce, CEO, Resilient

What are the current threats cyber attacks pose to businesses?

It’s getting progressively worse.

I was presenting yesterday to a group of fellow IBMers and I used a piece of data that I often use from PricewaterhouseCoopers (PwC), who every year publish a report based on something like 10,000 organisations around the world.

One of the questions is: how many attacks have you faced in the last 12 months.

It has been growing dramatically over the last 5 or 6 years to the point where I think last year there was 59 million attacks on 10,000 organisations.

>See also: Hand in hand: cyber security and industry 4.0

When you monitor how quickly a company gets attacked it’s astonishing just how quickly, it’s a matter of seconds.

What we find is when we do work with our customers is they’re under constant attack and a lot of those attacks are automated, scams are probing for vulnerabilities in order to exploit them.

As soon as they’re exposed the attack commences. With that kind of number it’s clear that people are going to get breached.

It’s not a question will I suffer an attack or will it be successful? It’s a question of when it’s successful what do I do about it?

It seems that there is a degree of complacency in the boardroom when it comes to matters of cyber security. Is this the case?

I think ignorance more than complacency to be candid.

When you talk about the boardroom they’re folks like me. They have grey hair, they grew up without the Internet and the degree of knowledge and competency around cyber is usually not front and centre for them.

They are used to grappling with other challenges.

I think boardrooms, certainly in the last 3 to 5 years have become much more aware that cyber is a landscape; just like the physical landscape that they have to understand and contend with.

>See also: Busting the 7 myths of cyber security

This results in a better appreciation of the type of challenge that their organisations face, and the resistivity to do something about it.

They might not generally have the expertise to know independently without any guidance what they’re best to do, but the CISO’s of this world their job is to educate their boards and get their support to take care of the problem.

What cyber security measures are in place?

Prevention, detection and incident response.

All you can best do is buffer yourself against these attacks. It’s been classic truism for many years that good security is about the combination of protection, detection and response.

So you try and stop bad things from happening to you – prevention – you try and detect them when they are actually on their way, and then of course you have to respond when you detect them.

What was fascinating to note, which is why we formed the company is that whilst there’s plenty of technology available for prevention and detection – and it continues to improve – it’s a constant battle in order to produce more sophisticated incident response technology.

Certainly, over the last decade the ability for organisations to detect when an attack has been successful has improved dramatically, but oddly when it came to incident response generally people are left to their own devices.

We live in a world where attack is the order of the day.

They’re going to be successful at some juncture and then you’ll be required to respond with high degrees of efficiency and expertise. This needs to be done in seconds, minutes and hours, not days, weeks or months.

And yet all the security industry’s generally done to provision customers is to give them prevention and detection [and not response].

>See also: The UK’s new National Cyber Security Centre

We are spending billions of dollars every year, $70 billion a year on prevention and detection and then when it comes to incident response as an industry we’ve generally said to the customers, good luck.

That’s just not right so we formed Resilient to provision our customers with highly sophisticated software that enables them to respond with the same degree of expertise that one gets when you’re trying to prevent these attacks and subsequently detect them.

Can you tell me about Resilient’s incident response platform?

If you think about the physical world, once the alarm bell goes off people have to come running.

In cyber terms that means technology has to be engaged immediately. What this system does is it takes alerts from a vast array of sources, most popularly from SIMS, which is a category of detection technologies.

It takes alerts from these various technologies and translates that alert immediately into prescriptive workflows that you now need to undertake in order to remediate this attack.

It describes to you explicitly step-by-step what to do in order quickly resolve the issue.

>See also: Placing cyber security at the top of the boardroom agenda

In fact the most sophisticated organisations already have what they consider standard operating procedures for how one quickly comes to terms with these attacks and how to handle them.

But they usually document them in a literal form, or a word document in a server.

What we do is we take those standard operating procedures, and we incorporate them in with our best practices. The result is very expert instructions on what your best to do to defeat the attacker.

Where does the future lie for cyber security?

Today it’s not AI, but it will be. Our technology is currently knowledge-based.

Each time a customer runs an incident it adds to the knowledge base. The very use of the product improves its capacity to react. So it becomes better informed.

While it’s a really potent knowledge base and it gets increasingly potent over time, where it will get really exciting is when AI is incorporated.

Earlier this year IBM announced that its AI – Watson – would be working in line with cyber security: cyber Watson.

They think that when AI’s been incorporated into security products, users will not only have their own capacity to react, but will have Watson as their wingman.

>See also: Bring the noise: How AI can improve cyber security

What is critical here is the ability to not only provision customers to react faster, but to provide an automated service that does it for them.

The term we use is orchestration, rather than automation, which implies you design people out of the process.

Orchestration is a much more appropriate term, where users are given the capacity to quickly assimilate and react, and wherever possible we’ll help them automate the processes to do that.

This is the future of cyber security and it’s not a million miles out. We’re not talking about this coming in the distant future. It is a conceivable time frame; you can expect to see some exciting developments in the foreseeable future.

Avatar photo

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...