SAN FRANCISCO – With all the weekly headlines about new malware, dangerous threats, and unforeseen attack vectors, it might be easy to believe that hackers will soon be the victors of the cybersecurity war. But Stephen Trilling, senior vice-president of security technology and intelligence at Symantec Corp., has been trying to predict the future of security – and what he sees is encouraging.
Right now, most organizations are exiling themselves onto little islands, with each looking out solely for their own interests, said Trilling, who was the CTO of Symantec until long-time Microsoft Corp. staffer Amit Mital replaced him in December 2013.
“Today’s targeted attackers have the persistence and patience to execute campaigns … We are fighting an asymmetric battle,” he said, speaking during a keynote address on Wednesday afternoon. “We hope hackers can’t get through all of our products, and today’s best-of-breed do block most attacks.”
However, all of these products do different things – for example, organizations set up firewalls, monitor their endpoints, monitor malware, and so on. But none of these programs talk to each other to watch for full-scale attacks, and companies are the same way.
Trilling’s solution? In an ideal future, organizations would rely on managed services to safeguard their data. With managed services focusing solely on protecting different organizations, they would have more visibility for threats across their customer bases, as well as the ability to integrate security services automatically for their clients.
But more importantly, organizations would team up to protect their data from the hackers aiming to steal it for financial gain. Trilling envisions a database where organizations could voluntarily submit any data about new threats. With all of the information in one place, security professionals could band together against any attackers, especially as attackers tend to launch similar campaigns against different targets.
Not only would organizations be alerted to new threats appearing in the wild with this “rich source of intelligence,” but they’d also be able to detect new targeted attacks by matching them against what’s in that large database. And that wouldn’t be limited to malware, Trilling said – he pictures a way of keeping track of all systems and files.
“You won’t be an island,” he said. “All observations would be forwarded to a secure, multi-tenanted database … In a perfect future state, even complex attacks could be discovered in minutes or hours.”
Normally, it’s security analysts who sort through threats and attack data, pulling the information into a report. But by setting up a database with all of these sources of data, organizations could set up automated scripts that recognize attacks by matching them against what’s in the database, Trilling added.
While this strategy might sound like Trilling is pushing for better versions of security information and event managers (SIEMS), Trilling said he feels these are very different from having a large database of threats on file.
“SIEMS are only as good as the product that’s doing the detecting. They watch for events that fit into a limited timeline,” he said. “These might as well go into a time capsule.”
Trilling’s idea of a database appeals to Joseph Lowe, senior security analyst with Intrawest Resorts Holdings Inc., a company that builds mountain resorts in North America, including Mont Tremblant in Quebec and Blue Mountain in Ontario. Lowe was attending the RSA conference on Wednesday and listening to Trilling’s keynote.
“It’s a very good idea … It really helps with the industry’s fundamental problems,” he said. “Right now, everyone’s spending a lot of money to protect themselves, and attackers continue to get sophisticated.”
While Lowe said he could picture the database being a very attractive target for hackers, that’s when every organization’s combined security would protect the database, he added. As things stand, he currently doesn’t feel equipped to deal with every threat hackers throw his way, especially with a limited IT budget.
“As they said in other keynotes, I have to be right every time, but [hackers] only have to be right one time.”
The RSA conference continues until Friday.