What makes the real difference between today's targeted attackers and the organisations that find themselves in their sights? The attackers have the persistence and patience to execute their plans over months and years. They need to get their attack strategy right only once to breach someone's defences. Their would-be victims have to resist those assaults every second of every day, time and time again.
It is for this reason that enterprises are repeatedly warned that it is not a matter of if you will be breached, but when. This is not scaremongering or an alarmist tactic to get people to buy more products; it is simply a statement of how things are now.
Of course, no one really wants to admit that the attackers hold the advantage: they employ sophisticated social engineering to trick unsuspecting victims, and they can customise each campaign as needed to reach their targets. But only by admitting it will those under attack be in a position to fight back.
True, with hundreds of security products available and new security start-ups appearing every day, you might think that enterprises would be able to keep the attackers out. However, this is an asymmetric battle. Attackers have the blueprints to the defences: they can buy security products just as easily as any of us and study them to learn their weaknesses. So right out of the gate, we are at a disadvantage.
Naturally, companies need to continue deploying solutions such as endpoint protection, host intrusion prevention, email and web filtering, database activity monitoring, firewalls and so on. The problem is that each of these point products is an 'island' unto itself: each has its own console, each raises detections based only on its own view of the world, and the products do not talk to each other.
Each product also requires its own administrator, who will not always have time to examine all of the data the product generates, or to keep up with the attackers' newest capabilities and techniques.
Collectively, these products ought to have enormous visibility into what is happening in your environment. And the truth is that, taken together, they do see a tremendous amount of information that could help secure the enterprise: every network connection from every machine, every attempted login on each computer, detailed information about incoming emails and web pages, and so forth.
So, what if we took every existing security agent in your enterprise and updated it so that it not only alerts you to direct attacks on the systems it protects, but also records other events that could help uncover new attacks and better protect critical company assets, in effect putting a security camera on each product?
We could then build a much clearer, integrated picture of the enterprise's security posture and of attack activity. And by feeding this data back into each product, we can make that product better at its job. For example, if a particular endpoint had recently connected to a suspicious website, we could instruct our server security software to block that endpoint from logging into the financial database. Or, if we saw four consecutive failed logins to the ERP database from a particular computer, we could require that computer to present a second authentication factor before it is allowed to access other enterprise systems for some period of time. Note that the response here is a step-up in authentication rather than an outright lockout: it slows an attacker guessing passwords without denying service to a user who simply mistyped theirs, and the threshold and time window still have to be tuned against what is normal in a given environment.
We could identify users who tend to get infected frequently and adjust their security policies accordingly, for example by restricting their access to certain critical servers. And if our endpoint security software decided that a particular piece of software looked suspicious, we could instruct our data loss prevention (DLP) product to block that software from accessing any sensitive documents.
These are just a few examples of how mining this shared data could make each point product better at its job; in fact, I am barely scratching the surface of what is possible.
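The four correlations described in the two paragraphs above, as an added worked example that is not Symantec code: a small correlator in Python that pools events from a web proxy, endpoint anti-malware, database authentication, server access control and DLP, and returns the decision the product raising the event should enforce. Product names, field names, thresholds, windows and the event stream are all assumptions constructed for the illustration.

```python
"""Cross-product correlation: telemetry from isolated point products is pooled and
fed back as decisions to the product that must enforce them. Added illustration,
not Symantec code; all names, fields, thresholds and events are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SUSPICIOUS_WEB_WINDOW = timedelta(hours=24)   # how long a bad web contact taints a host
FAILED_LOGIN_THRESHOLD = 4                    # consecutive ERP failures before step-up
STEP_UP_WINDOW = timedelta(hours=1)           # how long the second factor is demanded
INFECTION_THRESHOLD = 3                       # infections in INFECTION_WINDOW -> restricted
INFECTION_WINDOW = timedelta(days=30)
CRITICAL_SERVERS = {"fin-db-01", "erp-db-01"}

class Correlator:
    """State shared across products; each event may update it and/or yield a decision."""

    def __init__(self):
        self.suspicious_web = {}                # host -> time of last suspicious site
        self.failed_logins = defaultdict(int)   # host -> consecutive ERP failures
        self.step_up_until = {}                 # host -> deadline for 2nd-factor demand
        self.infections = defaultdict(deque)    # user -> infection timestamps
        self.suspicious_hashes = set()          # binaries flagged by endpoint AV

    def _recent_infections(self, user, ts):
        q = self.infections[user]
        while q and ts - q[0] > INFECTION_WINDOW:   # drop infections outside the window
            q.popleft()
        return len(q)

    def process(self, ev):
        """Consume one event; return a list of (action, detail) decisions."""
        ts, src, out = ev["ts"], ev["source"], []
        if src == "web_proxy":
            if ev["verdict"] == "suspicious":
                self.suspicious_web[ev["host"]] = ts
        elif src == "endpoint_av":
            if ev["kind"] == "infection":
                self.infections[ev["user"]].append(ts)
            elif ev["kind"] == "suspicious_binary":
                self.suspicious_hashes.add(ev["sha256"])
        elif src == "db_auth":
            host = ev["host"]
            # Rule 1: a host that recently contacted a suspicious site may not log into the financial DB
            last = self.suspicious_web.get(host)
            if ev["db"] == "financial" and last and ts - last <= SUSPICIOUS_WEB_WINDOW:
                out.append(("block_login", f"{host} contacted suspicious site at {last:%H:%M}"))
            # Rule 2: four consecutive ERP failures -> second factor required from that host
            if ev["db"] == "erp":
                if ev["result"] == "failure":
                    self.failed_logins[host] += 1
                    if self.failed_logins[host] == FAILED_LOGIN_THRESHOLD:
                        self.step_up_until[host] = ts + STEP_UP_WINDOW
                        out.append(("require_mfa", host))
                else:
                    self.failed_logins[host] = 0      # a success ends the streak
        elif src == "server_access":
            host, user = ev["host"], ev["user"]
            until = self.step_up_until.get(host)
            if until and ts <= until and not ev.get("mfa_verified"):
                out.append(("step_up_required", host))
            # Rule 3: frequently infected users are kept off critical servers
            if ev["server"] in CRITICAL_SERVERS and \
                    self._recent_infections(user, ts) >= INFECTION_THRESHOLD:
                out.append(("deny_critical_server", user))
        elif src == "dlp":
            # Rule 4: a binary flagged by endpoint AV may not read sensitive documents
            if ev["sha256"] in self.suspicious_hashes and ev["classification"] == "sensitive":
                out.append(("block_file_access", ev["path"]))
        return out

def run(events):
    """Replay an event stream in time order and collect every decision."""
    c = Correlator()
    return [d for ev in sorted(events, key=lambda e: e["ts"]) for d in c.process(ev)]

# Constructed sample telemetry from five different products (not real product logs).
T0 = datetime(2015, 3, 2, 9, 0)
def at(minutes=0, days=0):
    return T0 + timedelta(days=days, minutes=minutes)
def ev(ts, source, **fields):
    return {"ts": ts, "source": source, **fields}

SAMPLE_EVENTS = [
    # alice: four infections, the oldest of which falls outside the 30-day window
    *[ev(at(days=d), "endpoint_av", kind="infection", host="ws-09", user="alice") for d in (-45, -20, -10, -1)],
    # ws-17 visits a suspicious site, then logs into the financial database
    ev(at(0), "web_proxy", host="ws-17", verdict="suspicious"),
    ev(at(5), "db_auth", host="ws-17", db="financial", result="success"),
    # ws-42: one failure, a success (streak resets), then four failures in a row
    ev(at(10), "db_auth", host="ws-42", db="erp", result="failure"),
    ev(at(11), "db_auth", host="ws-42", db="erp", result="success"),
    *[ev(at(m), "db_auth", host="ws-42", db="erp", result="failure") for m in (13, 14, 15, 16)],
    ev(at(20), "server_access", host="ws-42", user="bob", server="hr-app", mfa_verified=False),
    ev(at(22), "server_access", host="ws-09", user="alice", server="fin-db-01", mfa_verified=True),
    # endpoint AV flags a binary; DLP then sees the same hash open a sensitive file
    ev(at(25), "endpoint_av", kind="suspicious_binary", host="ws-17", sha256="ab12"),
    ev(at(26), "dlp", host="ws-17", sha256="ab12", classification="sensitive", path="/finance/q1.xlsx"),
]

if __name__ == "__main__":
    for action, detail in run(SAMPLE_EVENTS):
        print(f"{action:22s} {detail}")
```

Two details carry most of the weight in keeping such rules from punishing ordinary users: the failure streak is reset by a successful login, and infections older than the window are discarded before the count is compared with the threshold. Each decision is only a recommendation to the enforcing product; the correlator holds the cross-product state but the endpoint agent, database server or DLP policy still applies it.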
So, let's talk specifically about how Symantec is planning to deliver Unified Security. A cross-company effort is under way right now to gather far more telemetry from all of our products, turning each of them into a rich 'security camera'.
We also know that our customers' environments are changing dramatically. Over time, more and more of them will use cloud-based services like Salesforce.com, run their applications on Amazon AWS and start to leverage emerging platforms such as IoT. So, through organic development and acquisitions, as well as deep partnerships where appropriate, we will make sure that our 'security cameras' get installed in these new customer environments: in the cloud, in virtualised environments, in IoT systems and so on.
We'll deliver a Unified Incident Security offering that gives customers a prioritised list of suspicious incidents, based on correlating all available information from across the enterprise with Symantec's Global Intelligence Network (GIN). And each 'incident' won't be a single event, such as one malware detection on one machine, but will include all relevant intelligence from every deployed Symantec product, giving the customer rich context about the attack.
Next, we'll deliver a unified incident investigation offering that lets customers 'drill down' into a security incident and discover all the artefacts associated with it. We will also deliver a risk analysis offering that helps customers understand how their security posture compares with industry peers and how it is changing over time. Is the customer seeing fewer or more infections? Do they have fewer or more vulnerable systems? What additional security capabilities and policies might they deploy to improve their posture? And how would such a change quantitatively affect their number of incidents per day?
Such is our vision: a 'Unified Security' platform that leverages the combined visibility and intelligence of all of our offerings, augmented by third-party data, to block, detect and remediate attacks, protect information and reduce risk. This, we believe, is the future of security, and at Symantec we intend to use our vast assets and capabilities to deliver on that promise.