Many enterprise IT security teams spend much of their time focused on preventing a cyberattack. In doing so, they have adopted an “incident response” mindset rather than a “continuous response” mindset, in which systems are assumed to be compromised and require continuous monitoring and remediation.
The adaptive security architecture is a useful framework for classifying an organization's existing and potential security investments and checking that they form a balanced portfolio. Rather than letting the “hot” security startup of the day define those investments, Gartner recommends that security organizations evaluate their existing investments and competencies to determine where they are deficient.
Gartner predicts that, by 2020, 40% of large organizations will have established a “security data warehouse” to support advanced security analytics.
“Digital business is built upon an intelligent mesh of devices, software, processes and people,” says David Cearley, research vice president and Gartner Fellow. “This means an ever more complex world for security, demanding a continuous, contextual and coordinated approach.”
He added that there are four stages of an adaptive security cycle (see Figure 1).
Prevention and detection are key pillars of a traditional approach to cybersecurity. “In the digital world, however, predicting new threats and automating routine cybersecurity responses and practices — to free up the time of human specialists for the most complex incidents — is key to staying ahead of an expanding universe of threats and risks,” says Cearley.
Moreover, relying only on prevent-and-detect perimeter defenses and rule-based security, such as antivirus and firewalls, becomes less effective as organizations increasingly use cloud-based systems and open application programming interfaces (APIs) to create modern business ecosystems. The IT department simply does not control the bounds of an organization’s information and technology in the way it used to.
Therefore, the current “incident response” mindset of many organizations — which views security incidents as one-off events — must shift to a “continuous response” stance. The assumption must be that the organization will be compromised, that the hacker’s ability to penetrate systems is never fully countered. Continuous monitoring of systems and behavior is the only way to reliably detect threats before it is too late.
This continuous approach, however, generates an enormous volume, velocity and variety of data. Advanced analytics will be the foundation of next-generation security protection, and Gartner predicts that, by 2020, 40% of large organizations will have established a “security data warehouse” to support this function.
“Advanced machine learning and artificial intelligence (AI) elements will extend this analytical approach to security,” says Cearley. “As these capabilities become mainstream, adaptive security architecture will become more common as vendors integrate different security functions into single platforms powered by embedded analytics and AI.”
One common example currently attracting widespread attention is user and entity behavior analytics (UEBA). These systems profile and baseline the activity of users, peer groups and other entities such as devices, applications and networks. They correlate user and other entity activity and behaviors, and detect anomalous patterns. For example, organizations can see if users are visiting sites they don’t usually visit, or downloading things they don’t normally download. Unusual behavior will trigger alarms.
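As an added illustration of the baselining that UEBA systems perform (example code, not Gartner's or any vendor's product; the proxy log format, the constructed entries and the z-score threshold are assumptions), a per-user profile built from historical downloads is checked against new events, flagging an unseen destination and a download far outside the user's normal size range:

```python
# Added example: minimal UEBA-style baseline-and-deviation check (assumed log format and thresholds).
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy log lines: timestamp, user, destination domain, bytes downloaded.
BASELINE_LOG = """\
2024-01-08T09:02:11 alice intranet.example.com 120000
2024-01-08T09:15:40 alice docs.example.com 450000
2024-01-09T10:01:05 alice intranet.example.com 110000
2024-01-09T11:20:19 alice docs.example.com 500000
2024-01-08T09:05:00 bob build.example.com 2000000
2024-01-09T09:06:00 bob build.example.com 2100000
"""

NEW_EVENTS = """\
2024-01-11T09:03:00 alice intranet.example.com 125000
2024-01-11T03:10:00 alice filedrop.example.net 9500000
2024-01-11T09:08:00 bob build.example.com 2050000
"""

def parse(log):  # yield (user, domain, bytes) from the assumed space-separated format
    for line in log.splitlines():
        _ts, user, domain, size = line.split()
        yield user, domain, int(size)

def build_baseline(log):
    """Per-user profile: the set of domains seen and the mean/stddev of download sizes."""
    domains, sizes = defaultdict(set), defaultdict(list)
    for user, domain, size in parse(log):
        domains[user].add(domain)
        sizes[user].append(size)
    return {u: {"domains": domains[u],
                "mean": mean(sizes[u]),
                "std": pstdev(sizes[u])} for u in domains}

def score_events(baseline, log, z_threshold=3.0):
    """Flag events that deviate from the user's baseline: unseen domain or size outlier."""
    alerts = []
    for user, domain, size in parse(log):
        prof = baseline[user]  # assumes every user in the new events has a baseline
        reasons = []
        if domain not in prof["domains"]:
            reasons.append("new domain")
        if prof["std"] > 0 and (size - prof["mean"]) / prof["std"] > z_threshold:
            reasons.append("download size outlier")  # z-score beyond threshold
        if reasons:
            alerts.append((user, domain, ", ".join(reasons)))
    return alerts
```

A real UEBA product would add peer-group comparison, time-of-day profiling and decay of old observations; this block shows only the core baseline-then-deviate step.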
“For next-generation security to be most effective, it must be integrated deeply into an organization’s architecture,” says Cearley. “It means security teams must overcome organizational barriers between them and application development and operations teams. As a result, they can provide meaningful feedback and ensure new systems are not introducing new threats that cannot be countered effectively.”