Security professionals recommend technology to detect attacks that have already infiltrated a network.
As students head home for the holidays, Dan Basile knows they are taking their devices with them, and that worries him.
The executive director of the security operations center at Texas A&M University System, Basile is responsible for keeping students' systems safe and universities' networks secure. It's not an easy job. "My workload skyrockets as the beginning of the semester, because all the students went home, got infected with everything known to man, and then brought it back onto my network," he says.
For that reason, Basile's wish list is focused on detecting threats already inside the networks — a strategy that he highly recommends for businesses, even if they think they are managing every device connecting to their local networks. Detecting threats between machines inside the network — so-called "East-West" traffic — is crucial to being able to respond to threats quickly, he says.
"Having that East-West visibility is golden because the malware is already in the environment," he says.
As security professionals look to 2020, they have different threat profiles, so also different outlooks on what technologies they want. However, the common theme as the New Year approaches is the ability to react to threats quickly.
The plethora of systems that security analysts have to use is one factor that hampers response, says Richard Rushing, chief information security officer for Motorola Mobility. Security operations centers are currently laboring under the lack of integration between systems, and he sees as a top priority platforms that bring together all the disparate technologies back to a single workstation.
"We should be able to leverage the various APIs to pull all this content together, allowing the data to stay where it needs to stay — no one should need to be doing a massive data lake," he says.
Here are some other technologies that made security professionals' wish lists:
The triad for faster response
While TAMUS's Basile aims to stop attacks before they infect the network, as the security director in charge of university networks he understands that it is not always possible. Students and professors want freedom to explore — and with that freedom comes risk.
So Basile is mainly focused on implementing two defensive technologies. Traffic inspection systems such as network traffic-analysis and application firewalls allow companies to detect when attacks are coming from systems inside the network perimeter. Endpoint detection and response (EDR) software allows him to quickly see attacks in progress and take steps to blunt any compromise.
Because Texas A&M is helping Texas stand up an analysis and response center for the state, both types of technology are on Basile's required list for new municipal and county government offices whose security the center will be overseeing.
"As we are bringing on more counties and cities across Texas, we are requiring an EDR or EPP [endpoint protection platform] for every site," he says. "It gives me a better picture and it lets us respond in real-time to incidents."
Get the "R" right
Companies need to go beyond endpoint detection and response, says Motorola's Rushing. The problem is that the actual "R" in EDR and SOAR (security orchestration, automation and response) platforms today is very basic.
"You need to get to the actual R working," he says. "Generating an e-mail to open up a ticket is not accomplishing what I want it to do. You need to get a better response capability."
As more automation is being used by defenders, Rushing sees security teams moving away from simple playbooks and moving toward automated, yet managed, responses. While the actual logic is basic — "if this, then that," would be enough, he says — getting the automated response technology working would be a boon.
Defending against attacker automation
Yet defenders are not the only ones using automation. Attackers are adding automation and machine-learning techniques to their toolboxes, so companies will need to find ways to stymy their operations.
Bots are one example of a threat that combines the two techniques and which are becoming a staple of attackers — from credential stuffing to advertising fraud, bots help attackers automate their operations. For that reason, bot management services will become a must-have for any company that has Web-facing applications or services, says Sandy Carielli, a principal researcher with business-intelligence firm Forrester Research.
"Anyone that has a good deal of customer interaction — a static website, any sort of online store, or if you are relying on advertising traffic — most of the sites on the Internet these days — will need bot management," she says.
For companies that are paying for traffic — such as advertising or affiliate services — bot-detection products can remove non-human interactions from the mix, saving them money. Customers that use these services will put pressure on their suppliers, and as incentives change, organizations will pay closer attention to metrics of humanness, Carielli says.
"The interesting thing about bot management is the range of stakeholders," she says. "Bots attack e-commerce sites. They are doing ad fraud and credential stuffing."