A lack of monitoring and analytics has been a systematic failure in security for too long.
Speaking at a press Q&A at the RSA Conference Europe in London, executive chairman Art Coviello said that in the mid-2000s security professionals felt they were not getting any leverage, so they analysed log data to gain some, and as a result SIEM (security intelligence and event management) was born.
However, he said that although this was the top layer of the security operations centre, inexplicably a lot of companies were not adopting the SIEM product, and it is now at a point where it is not scaling to the business need.
Speaking about 'budget inertia', which he had raised in his opening keynote, he referenced research that RSA had commissioned that showed that 70 to 80 per cent of budget is spent on prevention, but only five to ten per cent on response.
He said: “We do have a clear vision but it is not about one company, it is on where the industry needs to go. Look at the security infrastructure, it didn't start with risk, it was with a reaction to a problem, so if you saw a virus you bought anti-virus. If you saw a connection you didn't like, you bought a firewall.
“It is about layers of control and companies are focused on the perimeter. Years ago there were one or two points of connection. To manage controls there is an individual management console and the job of that layer is to provision controls one at a time, and manage controls.”
He went on to say that the issue with logs, or the analysis of log data, is that the lack of a perimeter sometimes causes a problem because of the sheer number of external connections, especially with cloud-based applications.
“So there is more requirement for visibility to find what is going on. Things are easier and easier to penetrate, so continuous monitoring goes on to spot the anomalies and combine packet data and contextual elements for a system of controls to do big data analytics,” he said.
“When you get an analytical capability so an advanced security centre can respond in real-time, it shrinks the 'dwell time' window. If you do it from the outside-in, you can focus on risk and high end analytics and on where the compromises exist in your infrastructure.”