IBM outlines why the 'boom' moment is key to better security
No matter which aspect of security you look at, in the end it all boils down to risk and what could happen when things go wrong.
"Often I'm talking with people on the worst day of their business' life.
Those were the opening words from IBM I-Force Incident Response - Intelligence Services (IRIS) Asia Pacific lead Stephen Burmester, who hosted an intelligence briefing at Accelerate DX recently.
IBM sees approximately 90 billion security events per day around the world, so intelligence makes up a critical part of understanding the threat landscape and, in turn, risk.
"Everything we do in X-Force IRIS we try to base around risk. There are all sorts of things we can, could, and should be doing from an ICT and security perspective. We want to boil it down to focus on the risks I have to deal with, and what happens when something goes wrong.
Risk, Burmester says, concerns three main areas: Confidentiality of information, availability of information, and integrity. If an organisation wants to know the likelihood of getting hacked, they need to consider what they're most concerned about based on those three areas.
"The focal point for risk is what we call 'the boom moment. The boom when something goes wrong. It's when you realise you've lost data. Your systems shut down, or you're unable to access your information and your systems as you were expecting it to do.
When external sources alert businesses to that boom moment, that business is already on the back foot. It means an entire series of events has happened within the environment to lead to the boom.
Businesses can tune into those events and prepare for them, Burmester says. Practicing a plan is even more important than merely just having a plan. Burmester likens it to running a marathon. Most people get the best results when they're prepared, compared to just starting on the day and hoping for the best chances of success.
After businesses have discovered the issue, what are they going to do about it, how do they contain it, and how do they recover from it? With bigger data breaches and more expensive costs per record, customers are leaving organisations.
Burmester notes that one of the most common issues is what he calls misconfigured assets. This happens when organisations move information to the cloud without properly securing that information. It's happening without proper governance controls as things such as devops and devsec ops propel information to the cloud faster.
The cost of a 'boom' is also far bigger than some businesses imagine, Burmester says.
"It isn't a one-off cost. About 67% of the cost will happen in the first year; about 22% in the year after, and 11% the year after. You have a three-year debt you need to plan for.
He notes that humans aren't getting better at detecting security threats such as phishing attacks, and education and awareness aren't doing the job. Detection and protection controls are essential, but people should really be able to take the right actions themselves.
Burmester also adds that fileless attacks are becoming more rampant through malware attacks on system memory. This means organisations need to change the way they scan for threats because antivirus systems will not pick those types of threats up.
Security incident response goes beyond IT and security teams – it's the entire company's responsibility. Every team needs to follow the three Ps: Plan, prepare, and practice.
"Without those, your organisation will experience more loss.
Burmester concludes with three key actionable tips: Think carefully about security partners; implement security automation; and to be ready for the boom.