We are entering the third phase of cyber security. Phase one was all about perimeter security, read firewall and anti-virus: if you had those two security controls you were “secure”.
In this phase your security team was the firewall guy/gal. Then we started to hear about big organisations getting hacked; Sony, Target and JP Morgan Chase were just a few of the big names to hit the front pages of newspapers across the globe. The Target CEO was a casualty of their breach, and boardrooms started to take security seriously.
Late in phase one, organisations started to roll out more controls to stop the bad guys getting in, but to little effect. A narrative of “it is not if they get in, it is when they get in” started to permeate the security halls of large enterprises. That kicked off cyber security phase two: putting in controls that help you detect breaches.
At this time SIEM solutions became a standard tool, not just to tick a PCI box but actually used in anger to detect threats; the hot name in this space being LogRhythm. We also got a bunch of next-generation sandboxing solutions that would analyse files coming into the organisation via email or web and tell you if they were likely malicious. The original hot name in this space was FireEye, now Palo Alto and Deep Discovery from Trend Micro.
The challenge with phase two technologies is that they required knowledge: you needed to know which events to log to detect a breach, where and how malware hid itself from the operators, and even how it spread from machine to machine. This was a specialist skill set, and plenty of tools went into organisations and provided little value because operators had no idea how to use them.
Vendors responded by making the tools more intelligent, with more out-of-the-box detection capabilities, and organisations responded by bringing in specialist malware hunting teams and upskilling the existing team with education from the big hacking conferences across the globe.
This resulted in more detections of compromised machines, and the problem then moved from detection to response. Which brings us to phase three: tooling the organisation to respond to threats at scale, taking the internal knowledge of the malicious software's behaviour and sweeping the estate to ensure the infection is contained and cleared.
Tools that allow you to check every endpoint for signs of the infection and, if found, clear it out are now all the rage. The current vendor all over this space is Tanium. Most organisations are in late phase two, starting to detect the infection, with the more mature organisations firmly in phase three, able to respond at scale.
Phase four can’t be too far behind: more AI-type technology to detect abnormal behaviour and automatically respond to threats. Vendors are already using the buzzwords associated with artificial intelligence, but no strong vendor has yet stepped up to own this space.
Given that the world is moving towards AI and automation, it will only be a matter of time before someone fills this gap and becomes the next hot name in cyber security, like their predecessors FireEye, LogRhythm and Tanium.