Posts tagged: 'advanced persistent threats'

The following posts are associated with the tag you have selected. You may subscribe to the RSS feed for this tag to receive future updates relevant to the topic(s) of your interest.

In the belly of the whale…

I recall a story from infant school.  It described a holy man being begged by frightened mariners during a storm to pray for calm waters.  He refused, suggesting that it was better not to wait until the storm, but to have acted before the clouds gathered.

To a similar point, ‘feast or famine’ is a favourite phrase of mine.  I use it to describe folly of all kinds.  But it’s a great way to highlight a major organisational shortcoming too – the side-lining of known important activities in favour of short term pressures.  This is a tactic everyone uses though, surely?  Well, in the security field it’s not working and hasn’t worked for years.

“Little and often’ is another favourite.  I use it to describe a more virtuous method.  It seems that whether you’re seeking to keep fit, preparing for an important event or even keeping on top of expenses, it’s a phrase that describes desirable behaviour.  For many organisations, security spending has been far more ‘feast or famine’ than ‘little and often’, certainly as long as I have been in the industry anyway.  Could this be about to change?

It all used to be about compliance.  Security-related expenditure, that is.  As long as the compliance box was ticked, the CFO’s job was safe, and the operations team could avoid getting yelled at in review meetings.  But look at the last three months – it seems like the highest profile, most trusted brands are haemorrhaging customer information, credit card details and intellectual property to hackers.  I’m not using those terms licentiously either – RSA, Sony and even the X-Factor database have been compromised.  Those three events alone could add up to nearly half a billion compromised records.  Does this mean compliance measures are not working?  Well, the recent Verizon report suggests that where breaches have occurred, an overwhelming percentage of the companies that should have been PCI compliant, weren’t.  89% in fact.  But these recent breaches were all despite compliance systems in being place, which seems to increasingly be the case.

What does this mean in terms of brand confidence?  Here’s an example.  I spend a lot of money with Amazon annually.  In fact, I transact with them twenty or thirty times a year.   Their customer service is every bit as good as people say.  But, do you think Barnes and Noble or would get my business if Amazon lost my credit card number?  You bet they would.  Maybe this is where security is at an inflexion point.  Are we at the stage, where organisations have to make ‘pre-sale’ commitments to customers about the safety of their data?  Would I move suppliers in favour of someone who offered guarantees as to the safety of my personal information?  Maybe.

In any event, security is getting interesting again.  Do we now work in a discipline which, rather than being a perceived cost and burden to an organisation, could quickly become a competitive differentiator?  I can see it happening, but not while spending patterns are so ‘feast or famine ‘?  Maybe it’s time to start bidding for security funding not just for compliance and risk mitigation, but as a way that organisations can improve customer confidence, retention and intimacy through cast-iron security guarantees.

This may sound like blue-sky thinking – particularly in the context of things like Advanced Persistent Threats (APTs).  If a syndicate has enough time and resources, won’t they always find a way in?  Not if you have the right resources to hand.  Whether access to your systems has been socially engineered, or via a stealth APT that may have taken 6 months, a good logging solution is key.  Pinpoint and exploit early warnings, and use targeted resources to take remedial action and mobilise defences quickly.  Be warned though – feast or famine won’t work – this requires a little effort, often.

Tags: , , ,

0 Comments | Security