With the acquisition of Mandiant by FireEye this week, and the Target data breach earlier in the holiday season, two more strong data points have been added to the evidence that IT Security is at an inflection point: the threats organizations are facing have fundamentally changed, and this will require a change in their approach to IT Security. No longer are traditional security defenses on the perimeter and at endpoints enough to secure an organization from harm. A new model is required, and that new model must put data protection front and center.
If you look at the pattern of data breaches and other IT Security market acquisitions throughout 2013, it is clear that they are closely related to this inflection point. Advanced threats have evolved significantly, now directly targeting specific sensitive data for financial gain or to promote national interests. They’ve come a long way from the nuisance viruses like Melissa that shut down email systems back in 1999, to become critical attacks that can directly affect the destiny and success of an organization.
What’s more, even data that we think of as transient (chat sessions or photo exchanges with Snapchat and potentially other services) is vulnerable. Users of these services (including many enterprise customers using these tools) may ‘think’ that the information in their sessions is transient, and disappears after only a few seconds, but the reality is that they are open to vulnerabilities existing at the service provider and to whatever back end processes are in place for retaining and using that data.
This set of circumstances has resulted in not only advanced needs for data protection inside of an organization’s network, but also for advanced on-line fraud detection and prevention that help mitigate losses from compromised data. Mobile data protection and security come into the picture too, with organizations struggling to come to grips with a tsunami of new devices connecting to networks and (again) accessing sensitive data.
Looked at from this perspective, you can think of 2013 as the year when people began to realize what was really at risk – their data. A couple of examples from the many acquisitions over the last year:
· FireEye and Mandiant – The acquisition should create a solution to help detect and prevent advanced threats to data, as well as remediate their effects once identified
· Oracle acquiring Bitzer Mobile for mobile application management can directly assist organizations with limiting their exposure by controlling employee access to corporate data and applications from mobile devices
· Trustwave acquired Application Security to enhance compliance in information security for databases
· Cisco acquired Sourcefire to expand intrusion prevention capabilities in response to these latest threats
· IBM’s acquisition of Trusteer is another example – adding to their portfolio counter-fraud and Advanced Persistent Threat protection.
All of these acquisitions emphasize the depth of this “sea change” – Old school, traditional defense-in-depth is failing organizations at a basic level. New threats allow invaders to compromise accounts and leverage them to get “the goods”, and acquisitions such as Mandiant’s by FireEye are a clear validation of these new facts. It portends a new way of thinking about defense-in-depth with much more emphasis on:
1. What is entering your network
2. Reducing attack surfaces and slowing the adversaries
3. Protecting against what adversaries (either internal or external) are after, the data
One thing must fundamentally change before this can happen – spending priorities must change. The limited value of traditional solutions isn’t reflected in where IT Security spend is going, with 80%+ still heavily focused on outmoded solutions.
It’s time for IT organizations to face up to this new reality and make the tough choices in changing their security posture – Today.