Complex security architectures and innovation

Martin Borrett is the Director of the IBM Institute of Advanced Security in Europe. He leads the Institute and advises at the most senior level in clients on policy, business, technical and architectural issues associated with security. In this interview Borrett discusses information security innovation, the importance of artificial intelligence in complex security architectures, CISO nightmares, and more.

A myriad of new security technologies appeared in the past decade. Regardless, the rapid evolution and increasing sophistication of the threat landscape ensured a never-ending battle with the bad guys, often with millions of dollars as collateral damage. What can the information security industry do to truly innovate, not just follow the tactics of cybercriminals and, ultimately, act as a giant band aid?

Intelligence is the innovation play in security. We believe that tackling cybersecurity is more than any one individual step; it is a continuous process where you need to: Learn, Monitor, Analyse, Decide and Respond.

Today’s cyber threats require: continual inspection and analysis of high volumes of dynamic data from sensors and other devices to gain accurate insights into possible threats and system compromise in real time. Pattern and behavioural analysis across diverse data streams from many channels is necessary to detect evasive attacks.

Advanced situational awareness provides the context and alerting to enable decision making and appropriate response in circumstances when humans cannot keep up with the pace of the threat when under attack.

Defences need to be able to fuse information from a variety of sources, including real-time observations, and make them available within the right context. Such real-time analysis will have an impact on business processes that will need to be thought through carefully and automated in order to adapt and respond to the threat dynamically.

When do you expect to see the application of artificial intelligence on a large scale in complex security architectures? Could we expect to have a type of self-healing system in the future?
Artificial intelligence in security is all about advanced correlation and predictive analytics. Nothing is ever quite as random as it seems. There are patterns to be discovered in almost everything we do and security is no exception. The challenge is deploying software that not only can identify those patterns, but also ultimately share that intelligence with other systems and applications in a way that is actionable.

IT organizations need access to security tools that make it easier to identify anomalies that are usually indicative of a security breach. That “brain” first works to identify the natural operational rhythms of the business. Once those are determined it becomes a lot easier to identify unusual activity, such as a system that is sending large amounts of data at irregular hours of the day.

That capability is then integrated with IBM network operations centres around the globe that work to analyse 13 billion security events a day.

Once correlated information about that potential security threat suddenly gains a lot a more context.

The fact of the matter is that most security breaches are not discovered for months, even years. And it’s usually someone outside the IT organization that discovers it. Security intelligence is about giving the internal IT organization the tools they need to identify those breaches before anyone else does.

Ultimately advances in terms of integrating security intelligence with IT operational systems and even physical infrastructure will be made. But right now it’s all about giving companies that information they need to combat cyber criminals that are not only becoming increasingly sophisticated, but also more patient in terms of the extremes they are willing to go to in order to compromise a valuable target.

Finally I would say that the concept of self-learning is already integrated in today’s security analytics solutions. Machine learning and data mining techniques are the basis for advanced correlation and predictive analytics.

The increasing amount of data to be processed actually requires automated methods and tools. Actually, we want to get a step beyond “self-healing”.

Self-healing implies that there was a security breach beforehand. Our research labs are working on solutions that are “secure by design” and withstand any attack.

Based on your talks with C-suite executives, what type of threat scenario keeps them awake at night?
Scan the papers any day and this new reality is crystal clear. Confidential hospital patient records wind up on the Internet. Hackers are attacking networks, and employees are losing their laptops and smartphones along with the sensitive corporate data stored on them. These are all real-world examples with real legal, financial, and brand consequences. This is the stuff that keeps CIOs and Chief Information Security Officers (CISOs) awake at night.

The reality is that the new digital world provides huge opportunities, but it also creates new risks. Cloud and mobile computing are cost-effective ways for employees to tap data anytime, anywhere, but they also open the door to losing control of that data. Globalisation means that corporate networks are more far-flung. Digitising services and customer care helps companies cater to customers, but it can also lead to exposing much more data.

Discussing security with IT executives, it is clear that companies are committed to increase their level of protection and attempt to reduce risk but are struggling to understand gaps in their protection and to control the complexity of the multitude of security solutions available.

The level systems are compromised is often unknown and many companies are constantly dealing with sophisticated security threats that are coming from all parts of the world and even from within their own organizations.

Major security reports routinely paint a sombre picture of the state of Internet security. Based on your experience, do you expect things to be better in the next 5-10 years?
If you look at our very latest IBM Full Year X-Force 2011 Trend and Risk Report you will note that despite the many challenges, throughout the report, we have also observed some positive trends and improvements.

The total number of reported web application vulnerabilities is lower than we’ve seen since 2005 and X-Force is seeing a significant decline in the number of true exploits that have been publicly released. When exploit code is released on the Internet it can provide an easy means for attackers to target vulnerabilities. In the past few years, exploit code was released for about 15 percent of the vulnerabilities that were publicly disclosed.

This year that number has dropped to 11 percent. The frequency of exploit code releases targeting web browsers as well as document readers and editors was down to levels not seen in over four years. Publicly disclosed vulnerabilities were also more likely to have patches than ever before. The percentage of unpatched vulnerabilities was down to 36 percent from 43 percent last year.

Throughout 2011 security teams were repeatedly challenged to do better.

Many were challenged to improve processes, technology, to educate employees and customers on safe practices, and to raise security intelligence by increasing visibility into the security posture of the business. IBM believes the way to help clients get ahead of security threats is to connect our analytics and intelligence capabilities across an organization for better prediction and detection. IBM made a big move by acquiring Q1 Labs in October 2011 and creating the new Security Systems division.

Continued news on how we’re advancing our security intelligence platform shows how seriously we’re addressing the market. With awareness comes action and change. It is our hope to make change. With this in mind we expect things to improve as awareness of the issues rises and the approaches, tools and techniques improve and clearly the significant investment we make in research will also help.