BreachExchange mailing list archives

Man & Machine: Why Security Needs a Human Touch
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 25 Jul 2014 17:47:02 -0600

http://recode.net/2014/07/25/man-machine-why-security-needs-a-human-touch/

There’s an old saying in information security: Corporate networks and
infrastructure should look a lot like an M&M: With a hard, crunchy outside
and a soft, chewy center.

For some time, large organizations have operated under the premise that if
the perimeter is well defended, there isn’t much that needs to be done to
protect data and assets on the interior. Protection methods such as
signature-based firewalls, intrusion-prevention systems and Web gateways
have been relied on to keep the “bad guys” out. With 2013 and 2014 rapidly
turning out to be epic years for data breaches — post-Target, Neiman
Marcus, Adobe, Evernote, eBay and a slew of others — it’s clear that the
hard outside isn’t all that it’s been cracked up to be.

One thing these high-profile breaches have proven is that today’s most
commonly chosen protection methods are not keeping up with the
ever-advancing hackers around the globe. That’s not to say, though, that
large organizations aren’t shelling out the cash in the hope of protecting
themselves. Gartner is predicting that corporate spending across the world
for a broad swath of security services will climb from about $35 billion
today to $49 billion in three years. Yet, time and time again, breaches and
investigations have proven that attackers are able to skirt defenses put
into place by top-selling security tools.

Over the past few years, we have started to see a mentality shift away from
defending the perimeter to keeping a better eye on the internal assets.
That basic M&M principle is now more like a peanut M&M — hard on the
outside, a bit of softness, and an even harder core. There is no shortage
of security startups keeping an eye on internal assets; analytics that
build on network and endpoint data to spot anomalies have become a big
trend, moving the industry in the right direction.

Even with all of the technology protecting the perimeter, and the advent of
new solutions monitoring the internals, we’ve seen a massive migration to
the cloud combined with the introduction of mobile and other corporate
interconnected devices. The notion of a defined network has gotten a whole
lot fuzzier, making protection and detection harder than ever.

One thing is clear: The enterprise has gotten so complex that the tools of
the past and the technology of the future will never fully safeguard
everything. Complexity introduces variability into the equation, making
automated technology extremely difficult, if not impossible, to rely on
alone.

So, what’s the solution? How does an enterprise protect itself against
today’s advanced threats? In today’s world, a human-powered solution is an
integral part of any holistic security program. It only takes a single
security flaw to translate into a massive data breach, and it only takes a
single human to identify what that flaw is. Organizations cannot rely
solely on automation.

No computerized form of cyber security protection is going to fully protect
the enterprise. We have to think like hackers, respond like hackers and
analyze like hackers to uncover potential gaps or holes in the protection
of network elements and applications.

At the same time, a single security expert can’t be relied on to unearth
every security flaw in a particular environment. Plus, since corporate
applications are constantly changing, performing these assessments at a
single point in time doesn’t make sense. As such, we must look to new
models and solutions that enable enterprises to scale security assessment
resources and leverage them on a continuous basis while maintaining control.

Organizations like PayPal, Facebook and Google have come to this
realization, and have introduced vulnerability disclosure programs into the
mix — paying scalable security talent worldwide to uncover problems. The
issue: Running such programs is complex, introduces a multitude of inherent
challenges including management inefficiencies, staffing challenges and
extra cost, and isn’t the core competency of any internal security team.

Today, some companies offer a solution to this problem by leveraging crowd
security intelligence to protect the broader enterprise without the pain
experienced by internally managed bug-bounty program trailblazers. The
ideal crowd security company can gather the most highly qualified, current
and relevant resources who understand the hacker mindset, but use it for
good to secure the enterprise. At the same time, a trustworthy vetting
process and technological controls are essential in enabling even more
conservative organizations to leverage a global talent base of researchers.

Crowd security intelligence platforms are unique in their ability to
incentivize researchers through a meritocracy. The best researchers find
more complex vulnerabilities, and are paid appropriately through the SaaS
(Security-as-a-Service) model, with larger bounties. A successful platform
can evoke elements of gamification and competition alongside monetary
incentives to foster a community of security experts that is both skilled
and motivated.

Crowd security intelligence has the potential to change the global security
landscape by providing businesses with personalized safeguarding from a
diverse array of experts. Today’s rising security startups abstract this
process in order to allow smaller businesses to take advantage of the same
tactics that PayPal, Facebook and Google have used. While threats
constantly evolve, responding with a similarly evolving human security
force is the most effective means of universally decreasing vulnerability.

Enterprises need to be able to spot vulnerabilities before they become the
next news headline, and the only way to do this is with both machine and
man.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/