This is the second in a three part point-counterpoint series of cybersecurity blog posts, where we are asking Unisys executives to share their contrasting views on IT topics of the day.
We’ve launched this series in the spirit of debate that drives so much of IT decision-making today. Our first post asked, How Much Security is Enough?
Today Nick Evans, Vice President and General Manager within the Office of the CTO, and Roberto Tavano, Vice President of Global Security Sales for Technology, Consulting & Integration Services, will ponder the question: SHOULD SECURITY BE OFFENSIVE OR DEFENSIVE?
Nick’s answer: “It depends who the enemy is.”
Roberto counters with “Security must be preemptive.”
What’s your counterpoint? What do you think about Nick’s and Roberto’s advice? What’s your security posture in your organization? Please share it with your fellow readers in the comments section that follows this post.
NICK EVANS: It depends on who the enemy is
Nick Evans, Vice President and General Manager
Office of the CTO
First, we should start off by defining what we mean by offensive security. At the extreme end of the scale, we are talking about coordinating attacks on cyber-criminals via cyber-related means. I think this is appropriate for certain areas of the public sector or the military, where data protection and confidentiality are paramount, and where cyber warfare is a legal part of the playbook. In fact, last year, as part of unveiling a new offensive strategy, Deputy Defense Secretary William J. Lynn III stated that a new “dynamic defense” would seek to deter potential attackers by searching for them on the Internet instead of waiting for an attack.
For non-governmental organizations, however, you can’t fight cyber-criminals by becoming a cyber-criminal yourself. Commercial security should always be defensive; that is to say, be able to protect, detect, and respond to threats. But as the threat evolves, commercial organizations might feel it necessary to take on a more offensive posture, while remaining within the letter of the law.
So what can a commercial organization do beyond a defensive security program? One example is to employ the use of offensive systems such as honeypots. These contain a data cache that’s attractive to hackers, but doesn’t actually contain any sensitive information. What the system does contain: A trap.
Hackers lured into the honeypot are monitored as they work to exploit the fictitious system. The organization’s security team learns about the hacker’s behaviors, tools, and techniques; and works to gather sufficient evidence to track them down, pursue them legally, and ultimately, take them offline for good. For more background on this, a useful article is this piece from Symantec which looks at entrapment, privacy and liability considerations.
At Unisys, we are seeing organizations start to move from a reactive security defense posture to a proactive enterprise security intelligence methodology, where advanced data analysis is helping to predict threats before they cause significant damage. The key aspects of this proactive enterprise security intelligence methodology are the integration of an array of sensors such as intrusion detection, malware and antivirus detection, and data loss prevention coupled with continuous compliance capabilities, forensics and situational awareness all built into the operational model. To read more about this, check out our CyberSecurity Predictions for 2012.
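To make the honeypot idea above concrete, here is a small low-interaction decoy written as an added example for this post; it is not Unisys's code or any product described here. It serves a fake "backups" area that contains no real data, records every request as a structured event the security team can triage, and seeds a honeytoken credential so that any later replay of that credential can be flagged as evidence that the bait was taken. The decoy paths, the token value, the probe list and the sample requests are all constructed for illustration. As the Symantec piece Nick cites warns, run anything like this on an isolated host, keep it away from real systems and real data, and check the entrapment, privacy and liability rules that apply to you before deploying it.

```python
"""Minimal low-interaction HTTP honeypot (example code for this post).
A decoy 'backups' tree with no real data, one structured log event per
request, and a honeytoken credential whose reuse is detected.
Decoy paths, token value and probe list are constructed for illustration."""
import json
import socketserver
import time
from urllib.parse import unquote

# Constructed honeytoken: looks like a cloud access key, is valid nowhere.
HONEYTOKEN = "AKIAHONEYPOT0000EXAMPLE"
# The bait: a plausible directory listing and a config file holding the token.
DECOY_PAGES = {
    "/": b"<html><body><a href='/backups/'>backups/</a></body></html>",
    "/backups/": b"<html><body><a href='/backups/db.conf'>db.conf</a></body></html>",
    "/backups/db.conf": ("# prod db settings\n"
                         f"aws_access_key_id={HONEYTOKEN}\n"
                         "aws_secret_access_key=REDACTED\n").encode(),
}
# Classic scanner targets (hypothetical list); a hit here is an early signal.
PROBE_PATHS = ("/.env", "/.git/", "/wp-login.php", "/phpmyadmin", "/admin")


def parse_request(raw: bytes) -> dict:
    """Parse just enough of an HTTP/1.x request to log and classify it."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) < 2:  # garbage or non-HTTP traffic: still worth logging
        return {"method": "?", "path": "?", "headers": {}, "body": body}
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name and value:
            headers[name.strip().lower()] = value.strip()
    return {"method": parts[0], "path": unquote(parts[1]), "headers": headers, "body": body}


def classify(req: dict) -> str:
    """Label the event so analysts can triage by attacker behaviour."""
    path = req["path"]
    blob = req["headers"].get("authorization", "") + req["body"].decode("latin-1")
    if HONEYTOKEN in blob:
        return "honeytoken_used"   # bait was taken and replayed: strongest evidence
    if any(path.startswith(p) for p in PROBE_PATHS):
        return "probe"             # scanner or opportunistic attacker
    if path in DECOY_PAGES:
        return "decoy_access"      # walking the fake backup tree
    return "other"


def handle_request(raw: bytes, peer: str, now=None) -> tuple:
    """Return (canned HTTP response, structured event) for one request."""
    req = parse_request(raw)
    event = {
        "ts": now if now is not None else time.time(),
        "peer": peer,
        "method": req["method"],
        "path": req["path"],
        "user_agent": req["headers"].get("user-agent", ""),
        "label": classify(req),
    }
    body = DECOY_PAGES.get(req["path"])
    status = b"200 OK" if body is not None else b"404 Not Found"
    if body is None:
        body = b"not found\n"
    # Bland banner on purpose: nothing in the response should reveal a trap.
    response = (b"HTTP/1.1 " + status + b"\r\nServer: Apache\r\n"
                b"Content-Type: text/html\r\nContent-Length: "
                + str(len(body)).encode() + b"\r\nConnection: close\r\n\r\n" + body)
    return response, event


class _Handler(socketserver.StreamRequestHandler):
    def handle(self):
        raw = self.request.recv(8192)
        response, event = handle_request(raw, self.client_address[0])
        print(json.dumps(event), flush=True)  # in practice, ship this to the SIEM
        self.wfile.write(response)


def serve(host="0.0.0.0", port=8080):
    """Run the decoy on an isolated host with no real data anywhere near it."""
    with socketserver.ThreadingTCPServer((host, port), _Handler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```

The value of the design is in the labels: a `probe` tells you someone is scanning, a `decoy_access` tells you they took the bait, and a `honeytoken_used` event on any other system (the same check can run in your real API gateway) is the kind of attributable evidence the post describes, since no legitimate user ever holds that key.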
ROBERTO TAVANO: Security must be preemptive
Roberto Tavano, Vice President of Global Security Sales
Technology, Consulting & Integration Services
I prefer the terms preemptive and reactive instead of offensive or defensive. Offensive and defensive relate well to a military enterprise; not so much to commercial IT. And by taking a preemptive approach to security, you are proactively anticipating the risks, vulnerabilities, and channels of attack against your enterprise.
But in order to adopt a preemptive posture, the organization needs to be adaptive. Unfortunately, few commercial organizations are adaptive in terms of their CyberSecurity. Risk assessment in most enterprises is done once, put into a formal plan, and filed away to live in obscurity, in perpetuity.
To be adaptive means to be constantly assessing risk. It’s not just a matter of building a wall to protect the organization, or reacting quickly when it’s attacked. Organizations that are adaptive evolve their security measures fluidly in sync with potential threats.
The good news is that this issue is coming into sharper focus with the rise of IT consumerization and the rise of brick-and-mortar businesses embracing the benefits of the cloud. The enterprise is extending its reach and opening its doors beyond previously conceived physical and logical boundaries.
For me, the right answer going forward is designing and upholding a preemptive approach to security. The alternative – always chasing, understanding, and reacting to an attack – isn’t attractive or effective, and is by definition perennially behind the curve.
Take a preemptive stance, and you can lead the way to the future of cybersecurity.