Kathy Gibson reports from London – The information security measures that companies used in the past won’t work in the future, and organisations are increasingly going to have to make informed compromises about their security.

This is according to Neil MacDonald, vice president and Gartner fellow, speaking at yesterday’s HP Enterprise Security event. He says organisations should look to beef up diversion, detection and response capabilities instead of investing more in physical solutions like firewall and network IPS.

“Companies need to invest in better control up the stack to enable an application and information centre security strategy,” he says. “They are going to require their vendors to deliver virtualised and cloud-based implementation; and look for opportunities to integrate their security services into the software-defined networking strategy.”

We are witnessing a changing threat environment, MacDonald says, where cloud, consumerisation and mobile computing are converging.

In the face of this, organisations are facing three top threats:
* Advanced targeted attacks are increasing. To prevent these, signatures are futile and organisations are unable to stop criminals at the network perimeter. They have to work out new ways to protect their organisations from threats that have never been seen before.

* The threat from an increasing loss of control by IT. This has been caused by the explosion in consumer devices, and by running applications and data in the cloud, on infrastructure that is not owned or controlled by the IT department.

* Lack of security alignment with the business. Zero risk is simply not possible, MacDonald explains, and organisations need to strike a balance between effective security and business agility.

To address the threat of advanced targeted attacks, MacDonald says that companies have to stop thinking about the traditional ways they have protected themselves in the past and move to a lifecycle approach that lets them deal with threats strategically.

“The problem is that we are focused on prevention, with the misguided delusion that we can stop everything. But we have to assume that we will be infected and start being able to detect it once it’s happened.

“No-one is talking about diverting attacks to begin with, but this is an emerging area: making it more difficult to target us to begin with by employing fake vulnerabilities, fake networks and systems, cloaked systems, shifting systems, obfuscated data and user interfaces, fake applications and information, sprinters information and splinted network traffic.
“There are a lot of start-ups working on this area of information security.”

We also need new ways of detecting these advanced targeted attacks, MacDonald says.
We’ve tried to identify “badness” and protect against it, but have found it doesn’t work, so he proposes turning the model on its head.

“We need to understand what goodness looks like, and then look for deviations. This involves things like baselining, anomaly detection and predictive failure analysis.”

Big data would be employed within the IT security organisation to do this, MacDonald says, as monitoring and analytics become more important.
“The goal is to gain insight or intelligence derived from the data we gather.”

Consumerisation, cloud computing and mobile are all taking control away from the IT department, and MacDonald explains that we need to find ways to compensate for this.

“IT doesn’t own or control all the infrastructure; and the mistake they make is in equating ownership with security – this is a flawed assumption. We need to come up with new models of trust and trustability.

“We have to change the way we think about security. It’s not about ownership and control. In fact, it never was about device lockdown or dictating applications; but was always about protecting data. That’s our job and we need to develop compensating controls that allow us to protect data on devices we don’t own, running on systems we don’t manage.”

To do this, MacDonald says IT has to stop thinking about bottom-up control and start developing a top-down approach that emphasises application security and considers the information embodied in people, processes and systems.

“If we can secure the application, we can do a better job of securing the information,” he says. “Application security must be a key element of any information centric security strategy.”

Context is another powerful tool that IT could use to secure applications and information, he says.

“Context is the circumstances within which something exists or happens; and that can help to explain or understand it,” MacDonald says. “Context-aware security is the use of context information to allow security decision-making at the point of use.

“There are many sources that companies can use to determine the trustability of people or systems. These include identities, e-mails, e-mail addresses, content/files, URLs, UIP addresses, devices and certification.”