Adopting Intelligence-Driven Security
- 1. ADOPTING INTELLIGENCE DRIVEN SECURITY A Security Strategy to Help Build Trust in the Digital World RSA Whitepaper INTELLIGENCE DRIVEN SECURITY Today’s changing business requirements, exciting IT innovations, and the dynamic threat landscape underscore the need for a modern security strategy that updates security processes to achieve a more effective approach to cyber-defense. This paper provides guidance for how to adopt an Intelligence Driven Security strategy that delivers three essential capabilities; visibility, analysis, and action. These capabilities can help detect, investigate, and respond to advanced threats, confirm and manage identities, and prevent online fraud and cybercrime. This strategy empowers organizations to effectively address the challenges they have today and those still beyond the horizon.
- 2. Adopting Intelligence Driven Security INTRODUCTION It’s a classic example of a double-edged sword -- the very same IT innovations that increased enterprise efficiency over the past decade have created opportunities for dangerous, nuanced cyber threats to damage the organization. As enterprise processes grew in sophistication, so too did attacker tactics; evolving beyond rudimentary mass malware into precisely targeted, devastatingly advanced attacks. As IT plays an increasingly central role in fundamentally transforming business operations and creating new opportunities and advantages, IT risk and security challenges have never been more important to address. RSA’s Intelligence Driven Security strategy helps organizations mitigate the risk of operating in a digital world. Organizations can employ this strategy to deliver the visibility, analysis, and action they need to detect, investigate, and respond to advanced threats, confirm and manage identities, and prevent online fraud and cybercrime. THE CHANGING BUSINESS Not so long ago, IT’s reach was well-defined and well-controlled. Most applications required a comparatively small amount of access, little or no information was shared externally, and IT had near-complete control over the infrastructure for applications and access. Then things changed. Organizations recognized they could lower costs and increase productivity by granting third-party access to applications, and as a result, introduced a greater number of digital identities corresponding to employees, suppliers, and partners. To further complicate matters, the workforce brought a host of new personal mobile devices (mobile phones, laptops, and tablets) that all required access. Many business processes, including core functions such as IP development or financial transaction processing transitioned partially or fully to the cloud. Today, many former in-house tasks are conducted outside the organization’s traditional “four walls.” Further, the explosion of digital data created by new applications and new digital business processes dispersed over multiple silos resulted in a significantly expanded attack surface. Potential points of vulnerability increased, and the newly hyper- extended business struggled to adequately secure what it suddenly didn’t own, manage, or control. Simultaneously, hackers, politically motivated “hacktivists,” and fraudsters capitalized on this evolution, developing more advanced attack tactics, such as moving “low and slow” to mimic the behaviors of a normal user, while their motivations transformed from largely notoriety-driven to objectives like stealing intellectual property. With more points of vulnerability and a lethal combination of hacker motivation and know-how, the possibility of a breach today is unprecedented. In fact, most authorities agree that yesterday’s goal of preventing every intrusion is impossible, and today’s security imperative is to detect and stop intruders before they can cause damage or loss to the organization. Against this backdrop of a changing business, IT, and threat landscape, there’s a fundamental disconnect between most organizations’ in-place security processes and an effective, contemporary approach to cyber-defense. Intelligence Driven Security is that new strategy. page 2
- 3. Adopting Intelligence Driven Security “In order to keep pace with the rapidly growing number of users, devices, and internal and external threats, intelligence driven security has evolved from a conceptual theory to a must-have strategy for today’s enterprise. This proliferation of access requirements by people and devices has dramatically increased security risk; ensuring that the right systems are accessed only by those who are authorized is driving the need for intelligence around those behaviors.” Chris Christiansen, IDC WHAT MAKES AN INTELLIGENCE DRIVEN SECURITY STRATEGY INTELLIGENT? An Intelligence Driven Security strategy delivers three essential capabilities designed to prevent inevitable breaches from causing damage or loss: visibility, analysis, and action. Visibility Organizations gain visibility by collecting data about what matters. But what matters today and what control points still exist in today’s hyper-extended enterprises? First is risk -- What are the risks to the organization? What are its vulnerabilities? How well is it defending against those at any given point in time? Without visibility into risk, organizations can’t design optimal defense strategies or appropriately prioritize activities. Second is what’s happening on the network. Network visibility needs to go beyond what we have today, from logs and events down to the packet and session level to spot faint signals that indicate advanced threats. Third is digital identities. Organizations need to understand who/what are on their networks, what they are doing, and is that behavior appropriate. And finally, transactions – organizations need to know what’s happening inside key applications that drive the business. Analysis All the data gathered to gain visibility is useless without the ability to extrapolate insight and meaning from it. Analysis involves understanding normal state behavior and then looking for anomalies. By knowing what is “normal,” an organization can then spot, investigate, and root out anomalies that result from malicious activity. Once anomalies are discovered, additional, more detailed, contextual analysis may be required to determine the appropriate response. Action Action is the response to confirmed malicious anomalies. Rapid action allows organizations to mitigate potential threats by enforcing controls such as access restrictions or additional authentication. Action also results in remediation processes and activity. The key to success is keeping action consistent, so each time an analysis finds something potentially threatening; the organization can “operationalize” the response. page 3
- 4. Adopting Intelligence Driven Security WHAT WOULD AN INTELLIGENCE DRIVEN SECURITY STRATEGY LOOK LIKE? An Intelligence Driven Security strategy places emphasis on detection, analysis, and action while deemphasizing static, signature-based, perimeter detection. This “even- split” approach understands the modern threat landscape and allocates resources accordingly. This includes creating a better balance between monitoring, response and prevention. “Securing today’s global enterprise is a massive undertaking. With the dissolution of the security perimeter, organizations need to take a more intelligence-driven approach to security. Using data from systems and users to drive decision-making can help improve the speed and efficiency of spotting and responding to attacks and ultimately safeguard an organization’s most important digital assets.” William Boni, Corporate Information Security Officer (CISO) and Vice President, Enterprise Information Security The following charts demonstrate the difference in priorities between many of today’s security strategies and an Intelligence Driven Security strategy. WHAT ARE THE BENEFITS? Aside from the critical capability to combat today’s increasingly dangerous threat landscape, an Intelligence Driven Security strategy provides additional benefits: Focus Because Intelligence Driven Security drives action based on mitigating the most pressing risks to the business, it ensures that organizations prioritize activity and resources appropriately. page 4 Monitoring 15% Response 5% Prevention 80% Today’s Priorities Monitoring 33% Response 33% Prevention 33% Intelligence Driven Security Source RSA
- 5. Adopting Intelligence Driven Security Operational Benefits Most organizations’ in-place security systems rely on a significant number of disparate solutions; malware analysis, identity and access management, governance, risk, and compliance, etc. Intelligence Driven Security reduces the number of point products and fuses together otherwise disjointed data sets and tools, increasing both security and operational efficiency. Risk Avoidance With the ability to identify attacks in a more timely fashion, Intelligence Driven Security reduces bottom line loss that often results from an undetected breach. Staffing Benefits It’s no secret that there exists a dearth of needed talent in the IT Security industry. An Intelligence Driven Security strategy can aid in attracting top performers, empower them with the right set of technologies and tools, and make their efforts more extensible throughout the organization. Automation and sophistication aids in freeing already overburdened employees, focusing them on what matters to defend the organization, and can elevate average performers into vital components of a winning IT security staff. CONSEQUENCES OF NOT ADOPTING AN INTELLIGENCE DRIVEN SECURITY STRATEGY While the upside is clear, there is also a significant downside for organizations who fail to adopt an Intelligence Driven Security strategy: Level of Exposure Rises Every organization has something of value, including its brand, intellectual property, and the bottom line. The inability to effectively manage today’s digital risks significantly increases the potential for damage to this value. One devastating breach can wipe out years of establishing steady revenue, cutting-edge research, or a trusted brand. Falling Behind Even if a breach never occurs, an organization that does not adopt an Intelligence Driven Security strategy is at serious risk of jeopardizing competitiveness. An organization that is able to effectively manage its digital risks can confidently channel resources into growing, expanding, and differentiating via new IT initiatives, leaving competitors behind. Getting Started Regardless of your current technology implementations or organizational security maturity, a roadmap towards an Intelligence Driven Security strategy can be developed. Current investments can be used as building blocks to a more sophisticated model. Nearly every organization has the potential to gain the required capabilities for visibility, analysis, and action. What’s important is not precisely where you are today, but what next steps you take to improve. The goal should be a roadmap across people, process, and technology to comprehensively increase maturity. The key is committing to adopting a more Intelligence Driven Security strategy. page 5
- 6. EMC2 , EMC, the EMC logo, RSA, Archer, FraudAction, NetWitness and the RSA logo are registered trademarks or trademarks of EMC Corporation in the United States and other countries. Microsoft and Outlook are registered trademarks of Microsoft. All other products or services mentioned are trademarks of their respective companies. © Copyright 2014 EMC Corporation. All rights reserved. H13235 ABOUT RSA RSA, The Security Division of EMC, is the premier provider of intelligence-driven security solutions. RSA helps the world’s leading organizations solve their most complex and sensitive security challenges: managing organizational risk, safeguarding mobile access and collaboration, preventing online fraud, and defending against advanced threats. RSA delivers agile controls for identity assurance, fraud detection, and data protection, robust Security Analytics and industry-leading GRC capabilities, and expert consulting and advisory services. For more information, please visit www.RSA.com. www.rsa.com Adopting Intelligence Driven Security CONCLUSION The ineffectiveness of perimeter-based security strategies and today’s increasingly dangerous threat landscape requires a new strategy. RSA’s Intelligence Driven Security strategy helps organizations mitigate the risk of operating in a digital world. With its emphasis on visibility, analysis, and action, an Intelligence Driven Security strategy can help organizations reap extraordinary benefits: • A balanced, modern approach to cyber security that mitigates risk • Deeper, granular insight into the IT environment • The amalgamation of previously disparate data, applications, and solutions • Cost savings • Increase employee productivity • Improve competitiveness To survive, thrive, and build trust in today’s digital world, organizations need to turn to an Intelligence Driven Security strategy.