Martin Borrett, Director of the IBM Institute for Advanced Security Europe.
How have organisations’ borders changed in recent years?
I think we must recognise that there has been a major shift in how organisations protect their data. Trends like cloud and social mean companies are now dealing with massive amounts of data. They’ve also moved beyond a single, siloed perimeter to a multi-perimeter type of scenario. That has meant they need to move more intelligence closer to the endpoints and targets. In the world we live in now, you can’t rely on a single measure.
Why has the nature of the perimeter changed?
It’s become much more about the data and the applications, and where you are working from. Not long ago, a company was a group of people who worked in an office nine to five and then left. They accessed the business services they needed to do their job in the office. Now there has been a fundamental shift. Staff typically access business services on the move.
There’s a very mobile workforce using very different devices, from tablets to smartphones. Organisations are looking to things like cloud as being more cost-effective and agile. If you bring cloud into the equation of course your data is being stored somewhere else. These factors have dramatically changed the landscape in the last ten years and we expect to see more of that. The world is becoming more and more instrumented and sensors are interconnected in new ways to create new business services. In that environment the notion of a single, well-defined perimeter doesn’t work very well at all. Organisations need to take a more holistic approach.
And what new issues has that change created?
Organisations are having to take additional measures to protect their data, and much more care around endpoints. For example if people are using devices beyond the firewall are they patched correctly, are the right policies in place? You can’t just rely on a firewall, you need to look across a number of layers.
How has security technology in general had to adapt or evolve in order to help organisations deal with this ‘new normal’?
Technology has had to evolve, as you say; as the data volume, variety and velocity have changed, technologies have had to adapt. In many ways it’s like a Big Data problem: the huge volumes [of data], the variety of structured and unstructured data that needs to be secured. One of the key questions is how you get security intelligence and visibility over key areas in your environment. Can you spot threats in a proactive way?
And what about IBM specifically – how does the latest generation of technology help companies protect their data and staff?
IBM has been working on a couple of fronts. We’ve invested a huge amount into security analytics, which you can see manifested in a number of ways. Watson is a good example that is feeding into what customers are using today [Watson is IBM’s artificial intelligence computer system capable of answering questions posed in natural language]. In October 2011 we acquired Q1 Labs, which specialised in security intelligence. It does deep, actionable, contextual alerts from large volumes of data. We integrated that into our Big Data Platform and you are seeing a huge push around analytics: that’s helped increase the types of data sources that it can pull in. Not just logs from antivirus, firewalls and intrusion prevention but other streams like email and social media.
You can take it further and visualise that information to look at the data in different ways. That also then plugs into another of our acquisitions, i2, which does forensic analysis of Big Data. It’s a big area because if you think of it as a game of cat and mouse, you find there are increasingly sophisticated adversaries out there. They are well funded and well-researched. You need to spot threats as close to real-time as possible.
Do you think that the ‘bad guys’ are winning?
I’m quite optimistic that organisations can protect themselves but at the same time we can’t be complacent. There’s an evolving threat landscape as new technologies are brought in all the time.
Do you believe that a move towards endpoint protection instead of perimeter protection has reduced or increased the complexity of the IT infrastructure?
I think the first thing to say is that it’s important you take a holistic approach. There’s no magic bullet and there are a lot of fronts to look across. As controls grow you really need to have a consistent management approach. A single management console can help you to have a consistent policy across endpoints. That means laptops, servers, desktops – you need to be able to apply your policy consistently. You should also monitor and audit how effective that is – that becomes more and more important as the complexity grows.
Do you think the increasing use of private cloud computing and virtualisation has had any impact on the internal and external threats organisations face?
Cloud is an interesting one. It’s introduced some new dimensions but if you think about it what is really different here? Yes, the location of the data. There’s a big difference between private cloud on-premise and public cloud. How do I know where my data is, and can it be deleted? If it’s deleted how do I know it’s deleted? Service providers have started to become more and more transparent about their processes related to security, auditability and so on. But it’s still a key choice for organisations: is this what I want to do, and if so what sort of cloud is suitable?
But in principle there’s no fundamental reason why cloud can’t be as secure as traditional environments, if not more secure, especially for smaller organisations. After all, cloud providers should be offering an extremely well-managed, efficient and well-protected environment.
There’s been a lot of talk about Bring Your Own Device (BYOD) potentially putting companies at greater risk. Do you agree with that?
I think the first question is whether BYOD is really necessary. It promises to save capital, to be about saving costs and increasing productivity. But we found we are spending more money securing and managing employees’ devices than the company’s, even when you factor in the hardware savings. In many cases I think organisations would be better off providing the hardware and enforcing some sort of acceptable use policy.
Where do the ‘hidden’ costs rack up?
It’s really about the management: the device management and security management. There are so many different devices and how do you separate business and personal? It’s no trivial task. There are a lot of platforms, a lot of complexity, and organisations need to think about things like data segregation and wiping. You also need to educate users about the risks of losing their device. Ultimately it’s not easy to find the right balance between openness and risk management.
Cyberattacks on companies’ sites and networks are rising dramatically. Is the security technology keeping pace with the latest, sophisticated attacks?
Yes, but again I don’t think we can be complacent. There needs to be constant research because the sophistication [of attacks] is increasing all the time. There are advanced persistent threats and rising professionalism. We already know a lot about different styles of attack, for example we know there is usually a research phase in any attack. More and more we see specific individuals targeted – ‘spear phishing’ attacks. They can look very genuine to the individual targeted. Once a hacker gains entry they are often able to hop across to another endpoint. Other attacks are ‘low and slow’ – they take their time and try to stay under the radar as long as possible.
The more we know about such attacks the better, which is why analytics and research are so important. Both the ‘here and now’, and an analysis of historic data. You need to analyse large data sets as well as analyse groups of data sets. Our more mature clients are doing that routinely already. They have no choice.