Security Rebaked: The Layer Cake
Anti-virus is dead, endpoint protection has ended and perimeters have perished.
Over recent weeks, a new narrative has emerged from the ashes of the traditional security blueprint.
It was typified by the huge banners hanging outside InfoSec last week from LogRhythm – the strap line was ‘It’s when, not if.’
It’s a clear move away from perimeter protection towards ‘defense in depth’ strategies. Essentially, it’s planning around the inevitability of a security breach.
What does it actually mean for IT teams?
It means a rebalancing of time and investment towards a layered approach to security. No longer is there a single, expensive and supposedly impenetrable barrier protecting your company from attackers, such as desktop anti-virus or a network firewall. Now, and partly due to the increasing sophistication of spear-phishing, targeted attacks and Advanced Persistent Threats, every aspect of the network and its users needs dedicated protection – from cloud-stored documents through to email threat prevention.
One of those aspects which seems to have recently risen to the top of the agenda is user education and behavior profiling. When major threats surface, such as the recent Internet Explorer vulnerability, it’s crucial that (a) users are quickly educated to avoid the threat if possible and (b) the IT teams have a good idea as to which users represent the highest risk to the business so they can react accordingly. Actually, user behavior intelligence for IT teams is quite immature if you compare how the reporting and alerts for IT teams have evolved against user-friendly applications such as social networks. It’s a classic growth opportunity for vendors and the industry is turning on to it this year.
Of course, the best case scenario is that each layer of the business is protected before these vulnerabilities emerge. For example, companies using Mimecast’s Targeted Threat Protection service would warn or block users when clicking on links in an email that would direct them to malicious web content capitalizing on this IE issue.
It may sound like a subtle change, but this calibration of IT strategies and budgets will dramatically reform the landscape of the IT industry over the next few years. Large, traditional vendors will have to evolve quickly or simply fade away. Small, agile companies addressing very specific parts of the network will rise to prominence. It’s actually a very exciting time.