SAN FRANCISCO -- Organizations are investing more in security and yet breaches are on the rise. Why is this happening?
The first thing that came out of the research is that we are overinvested in product, which is a very hard thing for the head of products to tell an audience of 10,000 people.
senior vice president, HP software enterprise security products
Roughly 86% of security budgets are spent chasing adversaries at the infiltration stage, according to Art Gilliland, senior vice president and general manager of the enterprise security products unit of Hewlett-Packard Co.
"We continue to chase the 'silver-bullet technologies' that try to keep the adversary out of our networks," Gilliand told an audience of security professionals during a keynote address this week at the 2014 RSA Conference.
Global spending on cybersecurity reached $46 billion in 2013, according to HP Security Research, while threats and breaches increased by 20% and the damages associated with a breach rose 30%.
"Stats push against us as an industry and say, 'You are not doing your job,'" said Gilliland, who noted that organizations actually stop most threats, but a structural imbalance exists because adversaries only have to be right one time.
Many organizations are so busy chasing new technologies that their security teams cannot manage everything they need to do. According to Gilliland, instead of trying to match the attackers weapon for weapon, the security industry needs to reexamine its strategy, specifically to take security threat analysis data into account. Attackers use the same tools as organizations -- buy and sell them -- and share intelligence.
"This ecosystem is all about monetization," he said. Companies face threats from an organized marketplace of specialists who focus on specific segments of the attack lifecycle, such as researching profiles and systems. Profilers then sell that information to individuals further up the chain.
Over the last five years, HP Security Research has collected data on cyber defenses and the functional capability of security operations centers (SOCs). Researchers conducted 93 assessments on about 69 SOCs globally. The average maturity of these centers, or functional capability within companies, on a scale of one to five, received a two.
"Want to take a guess on who the mature one was?" Gilliland said. "Ironically, retail."
Even though this capability is often focused on trying to defend the organization, almost one-quarter failed to meet the minimum security requirements. "The reason for that is that they were often pushing to meet a policy -- checkboxing for compliance," Gilliland said. Even then, almost one-third failed to meet compliance requirements.
"The first thing that came out of the research is that we are overinvested in product," Gilliland said, "which is a very hard thing for the head of products to tell an audience of 10,000 people."
Organizations need to invest more in IT security people and processes and prioritize applications. "Security is not there to protect the entire enterprise," he said, "it is there to protect the business."
Many companies are rewriting applications based on the transition to the cloud and mobile devices. These efforts provide the opportunity to rewrite apps and minimize "the bad coding that we did in the past," Gilliland said. Research indicates that a lot of work still needs to be done: Of the 2,000 apps pulled down from the app stores of Fortune 1000 companies, nine out of 10 had security vulnerabilities, and 86% had problems with encryption.
According to Gilliland, the security industry needs to share more actionable threat intelligence in real time, and the only way to do that is to systematize it and integrate it with technology from other vendors. Hewlett-Packard is among several companies and security threat analysis research groups that offer threat intelligence. In September, the company announced its community-sourced HP Threat Central platform, which is uploaded to HP ArcSight security information and event management.
"The only way to make that work as an industry is to focus on open standards," Gilliland said, "STIX [Structured Threat Information Expression] and OTX [Open Threat Exchange] and others. If we can automate it, if we can bring it into systems immediately that contextualize it to make it relevant, I think we have a shot."