Will 2015 be the Year of Risk-based Security?
CyberTech 2015: Getting the right security will be crucial in enabling both individuals and organizations to gain greater value from IoE and IoT. Bert Hartman of Cisco offers a security approach that is both threat-centric and operational which focuses on the threats themselves versus only the policies or controls
Bret Hartman
| 23/03/2015
While it may be a stretch to assert that we’re moving towards fully automated networks, there are several points Gartner makes, which are true today and among the reasons why there is mounting concern at the senior and executive board level today regarding cybersecurity.
For quite some time, I have encouraged security practitioners to embrace the reality that it is no longer a matter of "if" their organization will be attacked but a matter of "when". The motives and persistence of attackers have increased, along with their understanding of classic security technologies and applications. Attackers are relentless in driving attacks home and will frequently use tools that have been developed specifically to circumvent their target’s infrastructure.
These challenges will only increase in severity as more organizations adopt new business models related to the Internet of Things (IoT) and the Internet of Everything (IoE). Today there are 10 billion connected devices, but that number is expected to grow exponentially – exceeding 50 billion sensors, objects, and other connected “things” by the year 2020. Cisco estimates that the IoE will create $19 trillion in Value at Stake (net profits) globally over the next decade. Getting the right security will be crucial in enabling both individuals and organizations to gain greater value from IoE and IoT.
With the picture I’ve painted regarding what’s in store for us in 2015, you’re probably wondering what strategies organizations can adopt to address these challenges and maintain a robust security posture as they get ready for the next wave of disruptive technologies.
The best place to start is with a security approach that is both threat-centric and operational which focuses on the threats themselves versus only the policies or controls. It must provide broad coverage across all potential attack vectors, rapidly adjust to and learn from new attack methods, and implement the intelligence back into the infrastructure after each attack.
Additionally, this threat-centric security strategy must also tie back to business risk. Focusing on the threats to the business that really matter requires zooming in on the ones that have the most impact on the crown jewels –the application data. Since organizations face so many threats on a daily basis, concentrating energies on the threats that can do the most damage allows you to improve the effectiveness of security controls by expanding the use of automated, dynamic controls to block the most serious threats.
By adopting an approach that encompasses these attributes, you can reduce complexity and fragmentation, while gaining superior visibility and continuous control across the entire attack continuum – before, during and after an attack.
It will only be a matter of time before we know if Gartner’s predictions for next year will prove true. What is certain today and relevant for the foreseeable future is that there is no silver bullet in security and no matter what strategies you adopt, attacks and breaches will happen. Security strategies must evolve and radically change to provide the levels of protection necessary to keep pace with the dynamic threat landscape and enable organizations to maintain a proper security posture.
The technologies necessary for staying ahead of sophisticated attacks are vastly improving and you have a unique opportunity to move towards security approaches that are built on a foundation of visibility and extensive data collection that can see everything, learn through correlation and context and apply controls dynamically.
I’m not sure how you feel about the future but I’m looking forward to seeing how these bold predictions play out in 2015 and beyond.
Bret Hartman is the VP and CTO of Cisco Security Business Group
CyberTech 2015: Getting the right security will be crucial in enabling both individuals and organizations to gain greater value from IoE and IoT. Bert Hartman of Cisco offers a security approach that is both threat-centric and operational which focuses on the threats themselves versus only the policies or controls
While it may be a stretch to assert that we’re moving towards fully automated networks, there are several points Gartner makes, which are true today and among the reasons why there is mounting concern at the senior and executive board level today regarding cybersecurity.
For quite some time, I have encouraged security practitioners to embrace the reality that it is no longer a matter of "if" their organization will be attacked but a matter of "when". The motives and persistence of attackers have increased, along with their understanding of classic security technologies and applications. Attackers are relentless in driving attacks home and will frequently use tools that have been developed specifically to circumvent their target’s infrastructure.
These challenges will only increase in severity as more organizations adopt new business models related to the Internet of Things (IoT) and the Internet of Everything (IoE). Today there are 10 billion connected devices, but that number is expected to grow exponentially – exceeding 50 billion sensors, objects, and other connected “things” by the year 2020. Cisco estimates that the IoE will create $19 trillion in Value at Stake (net profits) globally over the next decade. Getting the right security will be crucial in enabling both individuals and organizations to gain greater value from IoE and IoT.
With the picture I’ve painted regarding what’s in store for us in 2015, you’re probably wondering what strategies organizations can adopt to address these challenges and maintain a robust security posture as they get ready for the next wave of disruptive technologies.
The best place to start is with a security approach that is both threat-centric and operational which focuses on the threats themselves versus only the policies or controls. It must provide broad coverage across all potential attack vectors, rapidly adjust to and learn from new attack methods, and implement the intelligence back into the infrastructure after each attack.
Additionally, this threat-centric security strategy must also tie back to business risk. Focusing on the threats to the business that really matter requires zooming in on the ones that have the most impact on the crown jewels –the application data. Since organizations face so many threats on a daily basis, concentrating energies on the threats that can do the most damage allows you to improve the effectiveness of security controls by expanding the use of automated, dynamic controls to block the most serious threats.
By adopting an approach that encompasses these attributes, you can reduce complexity and fragmentation, while gaining superior visibility and continuous control across the entire attack continuum – before, during and after an attack.
It will only be a matter of time before we know if Gartner’s predictions for next year will prove true. What is certain today and relevant for the foreseeable future is that there is no silver bullet in security and no matter what strategies you adopt, attacks and breaches will happen. Security strategies must evolve and radically change to provide the levels of protection necessary to keep pace with the dynamic threat landscape and enable organizations to maintain a proper security posture.
The technologies necessary for staying ahead of sophisticated attacks are vastly improving and you have a unique opportunity to move towards security approaches that are built on a foundation of visibility and extensive data collection that can see everything, learn through correlation and context and apply controls dynamically.
I’m not sure how you feel about the future but I’m looking forward to seeing how these bold predictions play out in 2015 and beyond.
Bret Hartman is the VP and CTO of Cisco Security Business Group
