Why Darwin was right about IT security

There's a great cartoon out to be found out there on the interweb which shows the state of the IT security industry in 2002 as a bunch of folk with nets chasing after a relatively small fish, and then in 2012 as a couple of giant fish chasing those same net-holding folk. It's something of an exaggeration but, as with all the best satirical lampooning, there's an element of truth to it: the bad guys are no longer the hunted, in many ways they are doing the hunting.

An evolutionary approach to security policy demands one thing and that's being proactive. The days of building ever bigger firewalls to keep attackers out as a workable defensive strategy are long over, not least because the bigger that wall gets the harder it becomes to see what's happening on the other side of it from where you are standing.

Unfortunately, those attackers have no such problems and can peep through the cracks which expose your enterprise network. OK, it's a fairly simplistic analogy at the moment, but bear with me. Just installing a seemingly never-ending number of 'blocks' in front of your data does nothing to protect it from those already in the building, already in the network, already shovelling your data out the side-door and down a vulnerability alleyway.

Think of it as Swiss cheese: each layer may have holes, but with every layer the number of holes that remain exposed get fewer.

The whole area of social media risk reduction strategy is a fine example of how an evolutionary approach works better than a revolutionary one. Instead of blocking all access to social networks and sitting back with a misplaced sense of preventative productivity try seeing beyond the wall and understanding the bigger picture. Your employees will use social media while at work, simple as. You might not like it, but you had better face the reality of the situation if you really want to protect your data from potential abuse. The rise of the BYOD culture shows just how easily many roadblocks to social media use can be knocked down. Far better to think about usage policy and risk reduction through user education than just running for the big stick.

Similarly, sitting back and assuming your defences are stopping all attackers from breaching the walls of your network, why not analyse your access logs and get a real view of what's happening, who is attempting access and how? Intelligence runs through the evolutionary approach to IT security, in the form of intelligence gathering. The more you know about the methods that those who would steal your data, the better you can protect against a breach occurring. Likewise, the more you know about the true value of your data to your enterprise and to those attackers alike then the better you can be prepared when it comes to allocating resources to build your defences.

In the ever-evolving world of IT security the harsh truth, and the one that leaves too bitter a taste to even be mentioned by many a security expert, is that technology is fast becoming the last piece in the defensive puzzle. Intelligence gathering, user education and data value determination all represent bigger pieces of the overall secure picture. Signature-based scanning systems are still relied upon far too much. Sure, they play a role in the overall IT security strategy but that role is often overblown into a front line one and that's simply not sustainable any more. The bad guys have evolved, and malware has evolved, to the point where signature updating systems have to be in real time to have any impact. Even then they cannot keep up with the pace of evolution, they cannot deal with downloader threats which bypass the signature security and install the payload directly. They certainly cannot deal with the social hacker, the politically motivated hacktivist or the zero-day web exploits that have become de rigueur amongst the cybercrime fraternity.

In some ways, I guess that we do need to look back at the text book and relearn the lessons it taught us. Not least that layered security is strong security. My favourite explanation of how layered security works, and I forget who recounted it to me for which I apologise, was to think of it as Swiss cheese: each layer may have holes, but with every layer the number of holes that remain exposed get fewer. So signature detection systems are one layer, behavioural detection systems are another, firewalls another, user education another and so on.

As if to prove that Darwinism is alive and well as far as IT security is concerned, you only have to look into the cloud. Forget, for the purposes of this argument at least, the common worries about securing data that is stored in the cloud and instead think of it in terms of evolving the delivery of security itself. How so, well take Distributed Denial of Service (DDoS) attacks, the de facto trigger pulled by most hacktivists these days. On premise DDoS solutions require additional staffing and bandwidth, generally speaking, whereas cloud DDoS solutions require neither.

The cloud, from a security delivery perspective, scales down equally as well as up: think the smaller end of the SME spectrum and having your anti-malware solutions delivered via the cloud brings the benefit of automatic updating and patching as well as reducing the need for in-house hands-on knowledge.

Essentially then, an evolutionary approach to IT security is surely just common sense. Reacting to threats as they are classified and catalogued is no longer good enough; security policy has to change to reflect general changes in how the bad guys are attacking networks and data, and the reasons why they are doing so. So whereas a few years ago you could probably conclude, with some degree of certainty, that the bad guys were after your data in order to turn a profit in one way or another, things are no longer that straightforward.

Now there are plenty of people who simply want to screw with your business on political and ethical grounds as well as just for the LoLs. That doesn't mean that you forget the firewalls and throw your money at DDoS mitigation instead, but it does mean you need to step back, see the bigger picture and evolve your security strategy to allow for the different layers of attack that the enterprise is facing.

Read more about: