In his book “The Black Swan,” Nicholas Taleb describes the impact that unexpected events, outliers, and ones as rare as the sighting of a black swan, have on people and society. He gives as examples September 11, 2001, World War I and Google, noting that if we can turn black swans to white, the damage and risk associated with the unknown can be greatly mitigated and the opportunity harnessed. I think this premise of preparing for black swans is the cautionary advice to be gleaned from the latest Ponemon Institute study on the “Efficacy of Emerging Network Security Technologies.”
The Ponemon Institute is a long time provider of comprehensive surveys of the security industry and its user base. Their latest research sets out to understand whether and how firms are using emerging security technologies and how well the investment is doing at protecting valuable data. As it turns out, a contradiction starts to emerge from the results. Over 4,700 IT and security practitioners around the world seem to concur on a number of points. A majority see a threat landscape that's grown quite complex. This trend has prompted nearly all to invest, by varying degrees, in the latest forms of security solutions, which the report calls emerging security technology. It defines this category as firewalls, intrusion prevention systems, next generation firewalls, application firewalls, and VPNs.
Companies spanning financial and health services, manufacturing, regional banking and governments are investing in these emerging technologies, as well as in the personnel and expertise needed to manage and maintain them. Nearly half of respondents surveyed feel the products are performing as advertised. How can it be, then, that firms can feel confident in their security technology investments and their people, yet ultimately still believe that they remain at great risk? Consider some of the results on the report:
- 61 percent of respondents feel that emerging network security technology is only doing a partial job against cyber threats.
- 75 percent give their networks a six or lower in terms of cyber attack detection preparedness where 10 is best; the same percentage feels equally unprepared to prevent attacks.
- 53 percent cite that they deploy emerging network security technologies for the inside-out security problem (as opposed to the outside-in threat from attackers directly targeting the data center and web applications).
- 56 percent see securing web traffic as by far their biggest concern.
Taken together, these results paint an emergent picture of the security posture of most organizations today. Businesses and networks of all sizes have deployed solutions that are effective at detecting known threats. Firewalls enforce access controls against previously defined policies, next generation firewalls provide granular application use, and monitoring and intrusion prevention systems and web application firewalls identify threats by matching them against databases of known threat signatures.
Stated another way, these solutions are not successful at spotting unknown threats, or the “black swans” of security. If we further consider that the biggest threats are those originating outside the network perimeter, taking the form of new variations on botnets, DDoS attacks and SQL injections, we can understand why networks are sustaining continued breaches despite having the latest protections on hand. Indeed, 60 percent of respondents in the Ponemon survey had at least one breach in the last year.
So this brings us to the findings from the Ponemon report. There is a clear need for renewed focus on zero-day attack defense. As a group, we security practitioners have to review our security investment weighting, to assess whether the areas of greatest risk are getting commensurate attention. Given the survey results, it seems that firms are addressing only half of the threats against them – those originating from within networks and those that leverage known exploits. Organizations have options beyond settling for partial defenses.
Methods that extend known signature and pattern matching are joining the ranks of “emerging” network security and are poised to layer and evolve the IP-only based methods already installed. These new technologies leverage device identification, big data analytics and broad-based intelligence sharing. They are making security enforcement more effective by quickly detecting and shutting unknown threats and attackers often within seconds of emerging and before a breach has occurred. Now if we can only get similar black swan spotters for flat tires….anyone?