It is a tale, told by an idiot, full of sound and fury, signifying nothing - Macbeth
Its been a bad few months for data breaches, and unless Im much mistaken, theres no reason to think that were out of the woods yet. It is not unexpected that data breaches continue to occur, and indeed, continue to get worse despite record spending on security technology. Or perhaps its fairer to say there are a lot of reasons: sophisticated attackers, human nature, inattention, even plain old bad luck. The frustrating thing is that much of the security spending that has taken place over the last few years has been designed to mitigate exactly those problems human nature, bad luck, and so on, at precisely the time that data breaches have become more frequent and the damages even greater.
Clearly, something is going wrong. Some vendors would argue that the solution is found in the next generation of security technology, forever glimmering just beyond the horizon. I dont. In fact, Id like to suggest that the rush to invest in new security technology is not going to solve the problem and in many ways, it is the problem itself.
Proliferation of security technology in response to attacks, breaches or threats has left most security organisations trying to manage such a bewildering array of tools, and generating so much data (and I use that term loosely) that there is little hope of actually using the investment to significantly improve critical security functions.
Breaches occur not because of a single point of failure, but because of many problems, each compounding the impact of the others. The approach, then, of deploying many point solutions to address point problems has often provided short-term relief at the cost of long-term security. As a strategy, it relies on two critical elements: first, that the point solutions in place can identify, often with little additional context, the specific attack; and, second, that the security organisation is able to wade through the background noise of other events and spot something significant when it happens. As can be seen from recent history, this strategy has failed and was doomed to fail from the very beginning.
Take a typical large data breach scenario: An attacker gets access through a Web-facing application via an SQL injection attack, then begins to work their way around the infrastructure using a variety of means, probably looking for stale accounts, service accounts, systems with known vulnerabilities and so on. Finally, a custom-built and difficult-to-detect piece of malware gets dropped in a vital location, at which point its probably too late to prevent damage from being done.
And while all this is going on, the security team is spending its days wading through floods of events and running from one fire drillto the next. The real damage is taking place under their noses and they are, in all probability, simply too busy to see it, deafened by the constant klaxon of false alarms and exhausted by the battle to achieve even incremental goals. If theres one thing they dont need, its another tool to manage.
Sign up for MIS Asia eNewsletters.