Earlier this month, the National Association of State Chief Information Officers (NASCIO) released its annual security survey examining CIO priorities heading into the new year. Security and risk management topped the priority list for this year, with respondents saying that they are concerned about governance, budget and resource requirements involved in meeting the demands of complex information security. Cloud services came in second, with CIOs saying that cloud strategy and vendor choice presented unique challenges.
It’s no surprise that security has topped this list for the past few years as cyber threats become more frequent and complex. As CivSource reported in October, policy wars over crypto and other security response plans are also creating roadblocks in strategy development and incident response.
Bob Stasio, Senior Product Manager, Cyber Analysis, Safer Planet at IBM, has put out a new paper calling for the cybersecurity industry to go even further by moving away from relying solely on systems monitoring or reactive patching, and moving toward attack prediction. Stasio calls the approach, which melds systems monitoring with intelligence gathering, “intelligence driven” and says it can lead to a more rapid incident response.
“A lot of what we see now as the current state of the art in security is systems monitoring,” Stasio tells CivSource. “But, it’s almost a commoditized offering at this point and it is still very reactive. We want to build in another layer of analysis that gets organizations to a more predictive framework so that security teams can predict when an attack is likely to occur.”
In the paper, Stasio explains it this way –
“In order to attack the full cyber threat spectrum an organization must embrace both information security and the natural evolution of cyber threat analysis. Information security creates a foundation of security with a framework and builds upon that with some specialization and technology. Eventually, the security process evolves into cyber threat analysis with long-term research and ecosystem visibility concerning malicious actors. Drawing from the medical analogy, information security becomes the hygiene and triage of critical issues. Cyber threat analysis is analogous to medical and laboratory research, which examine more sustained and complex issues.”
In practice, a cyber analysis framework requires not only information gathering and an analytics platform, but a trained professional who can sort out specific actions over time assigning them to good guys and bad guys. Once specific adversaries are identified along with their patterns, security operations centers can begin to predict when and where attacks will occur. This kind of intelligence gathering is close to what the NSA and other large-scale intelligence operations use to protect classified data.
Stasio admits that the approach is new, and involves significantly greater resources than many current CIOs have at their disposal. But says that if more organizations can get to a basic state of security, threat analysis can follow as the next frontier.
“What we want to do is get everyone to at least a basic level of security to avoid the stupid mistakes. But once we are there, it’s important to move on to something predictive rather than just reactive,” he explains. “This kind of response can take years to build up, but adversaries are persistent and are getting more sophisticated. It’s a worthwhile goal to get better at managing them.”