The most fundamental change in the evolution of the information security ecosystem in response to the sophistication of cyber threats is the increased reliance on human investigation and manual incident response when an enterprise is faced with an advanced threat.
Gavin Coulthard, Manager Systems Engineering Australia / New Zealand, Palo Alto Networks, said, “Despite this, one of the most consistently-neglected costs of any security product is neither the price nor maintenance, but the time and talent required from security staff in order to get the real value out of it.”
It is important for enterprises not to lose sight of the role network security plays as a crucial element and first line of defence in cybersecurity strategies. Cybersecurity architects and managers also need to recognise the dramatically diminished effectiveness of legacy network security solutions that continue to rely on methods and technologies designed for the threats of yesterday.
Advanced cyber threats simply can’t be effectively addressed using a “set it and forget it” approach to security. Worse still, the vast majority of security products focused on advanced threats stop at detecting a threat, which kicks off an incident response phase.
Coulthard said, “Modern IT incident response requires a set of highly technical skills. Advanced traffic analysis, memory forensics and reverse engineering of malware are highly technical disciplines. An enterprise would be lucky to have just one of these experts on staff.
“The fundamental problem is that advanced threats are not sufficiently rare. If you look for advanced threats, the odds are very high that you are going to find what you’re looking for, which can be a deterrent for looking at all.
“The IT security industry and organisations need to grow to a place where incident response is reserved for the truly exceptional threats, not those that simply slide through outdated security models invented a generation ago.”
Palo Alto Networks suggest there are two major things that need to happen for this to be a reality:
1. The IT security industry and organisations need to do a better job of stemming the flow of advanced threats upstream. For example, better and faster sharing of threat intelligence and signatures to create a shared level of protection can mean that new threats encountered by one organisation can benefit the others.
2. The IT security industry and organisations need a better, more automated approach to investigate threat events. The goal is to avoid the need for deep-dive technical analysis by providing automated correlation and mitigation that requires minimal-to-no human intervention.
Coulthard said, “Understandably, many organisations may be reluctant to share what they find about advanced cyber threats on their networks. Some may see knowing how to combat an advanced threat as a competitive advantage while others may see sharing the information as drawing unwanted attention to their network’s vulnerabilities.
“The important thing to remember is this: until there is a more collaborative approach to threat identification and mitigation, combined with an automated approach to investigating threat events, Australian organisations will continue to suffer from the adverse effects of advanced cyber threats.
"It’s only when these two elements come together in a more mature approach that we will be able to minimise the amount of human intervention required and thereby reduce costs.”