AVANT sees IT security deployed at three general levels, correlating not only to defensive tools, but also to the degree to which the organization establishes its own momentum around securing the enterprise and making sure key assets are safe. This approach has been spearheaded by Trustwave, an important AVANT technology partner in the IT security space.
“Reactive” security translates to the basic table stakes of engaging traditional security products with which IT professionals are typically at least generally familiar. These would include antivirus, firewalls, IDS/IPS, email gateways, log collection, etc., as shown on the chart below. These are typically the types of measures to be found in a middle-aged to mature organization that hasn’t really pushed upwards into the higher forms of self-protection. All of these things are beneficial and positive, but they also represent a basic level of protection intended to react to cyber-incidents either when they happen or shortly thereafter.
“Proactive” security extends the reactive level by taking all the information and data fed to the organization by reactive technologies, and then layering security intelligence on top of that value. This may include reports on cybersecurity issues and efforts within your industry sourced from cybersecurity experts focused on your particular vertical.
“In this scenario, the enterprise organization is really trying to understand what’s happening specifically in your industry with the types of services that you would typically use,” said Ron Hayman, AVANT’s chief cloud officer and a Certified Information Systems Security Professional (CISSP). “So, if there are particular applications or hardware that is used in your industry then you’re using that security threat intelligence to better understand what’s happening in that space.”
In many cases, Artificial Intelligence or Machine Learning are used to sift through massive quantities of data in order to help focus on threats in key areas, and to determine what the response should look like in the event of an attack.
While falling short of actually fighting back, “Adaptive” security takes proactive security to the next level with a stronger focus on how to deliver the best possible outcome for the organization. One of the things that falls into that category is threat hunting, in which the organization engages an expert who specializes in security issues around its particular industry. That person does a comprehensive search for any evidence that the client organization is suffering from any of these specific breaches or attacks.
“This is about proactively using a tactical team to go look for what might impact your organization,” explained Hayman. “You can do that across your network, including the endpoints. Then there’s security orchestration, which is the automation of tasks that otherwise would need to be done by a security team or even an IT infrastructure team.”
In evaluating these three positions, it’s important to understand the company’s relative maturity with respect to security, and the types of assets that most notably need to be secured. Oftentimes, compliance requirements factor into this equation, as well.
The cost of moving from one level to the next can be highly variable and dependent upon the number of users, number of locations, specific technologies, whether the capabilities are cloud-based or data center-based, as well as a number of other factors.
Most enterprises categorically fall into what we call the “proactive” phase of security; that is, they’ve implemented resources like intrusion detection, penetration testing, and a formal incident response plan. However, most have yet to achieve the “adaptive” phase of security, where they’re introducing proactive threat hunting, monitoring the dark web, and implementing end user/entity behavior analytics to identify abnormalities. Reaching this phase is pivotal to achieving security resiliency in a disruptive climate.
“It’s a complicated issue and I think it’s important to have a guide,” summarized Hayman. “That’s where the trusted advisor comes into play. They have access to experts from the leading MSSPs. Ultimately, you want to partner with someone who can help you get all the way to your goal. That goal will sometimes need to change, and given the deficit in cybersecurity talent, the only way to do this successfully is to partner.”
Be on the lookout for AVANT’s 6-12 Report on cybersecurity, coming in December.