A quote posted to Twitter about one of the presentations at the recent Security BSides conference in San Francisco struck a chord and I wanted to comment on it.
It went something like this: ‘Information Security is situational – and as a result it is very difficult to generalize about the best way to protect an organization against it.’
This quote encapsulates the challenge faced by security professionals every day – and provides an insight into the best way for large organizations to address it.
There is no one – or even fifty – cookie-cutter cyber or insider attacks – each one is deliberately designed by the perpetrator to use an infrastructure against its owner and to enable the attacker to get as quickly as possible to the intended target and get out again undetected.
The days of signature-based attacks are over. So, if the problem is situational then it figures that the solution needs to be situational also.
Rather than looking in all of the ‘usual’ places for the signs of an attack the key is to collect data from all parts of the network, correlate it in real-time and identify any anomalous activity.
This approach is called Situational Awareness.
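To make the "collect from everywhere, correlate, flag the anomalous" idea concrete, here is a small added example (not code from the original post or from The Situational Room) that correlates constructed log lines from three assumed sources, an authentication service, a VPN-free file server and nothing else, against a per-user baseline. The source names, field layout, the eight-hour "recent login" window and the volume factor are all assumptions chosen for the illustration:

```python
"""Added illustration of cross-source correlation for anomaly detection.
All log lines are constructed sample data; the sources ("auth", "fileserver"),
field names and thresholds are assumptions made for this example."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import statistics

# Constructed sample telemetry. Format:
#   <source> <ISO-8601 UTC timestamp> key=value key=value ...
SAMPLE_LOGS = """\
auth 2024-05-01T09:00:00Z user=alice result=success
fileserver 2024-05-01T09:05:00Z user=alice share=finance bytes=20000
fileserver 2024-05-01T09:20:00Z user=alice share=finance bytes=24000
auth 2024-05-01T09:10:00Z user=bob result=success
fileserver 2024-05-01T09:15:00Z user=bob share=hr bytes=18000
fileserver 2024-05-01T11:40:00Z user=bob share=hr bytes=21000
fileserver 2024-05-02T02:30:00Z user=bob share=finance bytes=900000
auth 2024-05-02T08:58:00Z user=alice result=success
fileserver 2024-05-02T09:03:00Z user=alice share=finance bytes=22000
"""


def parse_line(line):
    """Turn one log line into a dict with a timezone-aware timestamp."""
    source, ts, *fields = line.split()
    event = {
        "source": source,
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
    }
    for field in fields:
        key, value = field.split("=", 1)
        event[key] = value
    return event


def parse_logs(text):
    """Parse every non-empty line and order events by time across sources."""
    events = [parse_line(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["ts"])


def unauthenticated_access(events, window=timedelta(hours=8)):
    """Correlate across sources: file-server activity by a user with no
    successful authentication in the preceding window is anomalous.
    The window is an assumed session length for this example."""
    logins = defaultdict(list)
    for e in events:
        if e["source"] == "auth" and e.get("result") == "success":
            logins[e["user"]].append(e["ts"])
    flagged = []
    for e in events:
        if e["source"] != "fileserver":
            continue
        recent = any(timedelta(0) <= e["ts"] - t <= window for t in logins[e["user"]])
        if not recent:
            flagged.append(e)
    return flagged


def volume_outliers(events, factor=5, min_events=3):
    """Per-user baseline: flag a transfer far above that user's median volume.
    The median is used so one huge transfer cannot inflate its own baseline."""
    per_user = defaultdict(list)
    for e in events:
        if e["source"] == "fileserver":
            per_user[e["user"]].append(e)
    flagged = []
    for evs in per_user.values():
        if len(evs) < min_events:  # not enough history to call anything anomalous
            continue
        median = statistics.median(int(e["bytes"]) for e in evs)
        flagged.extend(e for e in evs if int(e["bytes"]) > factor * median)
    return flagged


def correlate(text):
    """Run both detectors and return (reason, event) pairs for review."""
    events = parse_logs(text)
    alerts = [("no_recent_auth", e) for e in unauthenticated_access(events)]
    alerts += [("volume_outlier", e) for e in volume_outliers(events)]
    return alerts


if __name__ == "__main__":
    for reason, event in correlate(SAMPLE_LOGS):
        print(reason, event["ts"].isoformat(), event["user"], event.get("share"), event.get("bytes"))
```

With the constructed data, the single 02:30 file-server access by bob is flagged twice: once because no authentication for bob precedes it within the window, and once because its 900000 bytes dwarfs his usual transfers. Neither detector alone has the full picture; the point of collecting from several sources is that the combination is what makes the event stand out.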
Situational Awareness is already being used in a range of industries, from EMS to air traffic control and on the battlefield. The time has come for it to become an accepted practice for those charged with securing large corporate networks.
Cross posted from The Situational Room