Traditionally, network security has been reactionary. Protection didn’t often happen until after infection. But in the early days that was OK. Compared to now, networks weren’t complicated. Finding and removing malicious software was relatively easy. Today, however, networks are more complicated and the abilities of hackers to get inside are more sophisticated. It’s not uncommon for the bad software to be buried so deep in a network that infections go undetected for months (or years). Obviously, this means that our approach to security needs to change, and it has.
What we are seeing now is people taking higher-level concepts, things like machine learning, and applying those to security, turning it into something that is more proactive and predictive.
This Isn’t an Either/Or Choice
And that’s great. It really is. What’s not great, though, is that people in the security world are setting up predictive security and reactive security as an either/or choice. It’s not.
Some of the blame here falls on marketing and the way that the benefits are being communicated. It’s not about deciding to go with predictive security or reactive security. We see this often when we talk about using the “assume breach” mentality. People will often swing too far into the reactionary security camp. Really, it’s about the “and.” Have measures in place that are predictive AND have measures that are reactive. You need both types of tools working together.
The Lines are Beginning to Blur
Some of the companies making network security devices are recognizing the increase in predictive security measures and have begun to add predictive elements, either through acquisition or internal R&D, to their traditionally reactive devices. This is blurring the line between what’s reactive and what’s predictive, since some companies are beginning to actively block users based on real-time behavior.
There’s Room for Improvement
While using these advanced concepts and techniques in security is a good idea, how they are applied still needs to be polished. Tuning tools that rely on things like machine learning is still too labor-intensive. False positives are still too common. So, while these tools are a real advancement and can be used for passive visibility and incident response (i.e., reactive security), it’s difficult to implement them well for proactive or predictive security.
So, what do you do if you’re in the market for security tools?
- Before you go out and buy anything new, maximize what you have. You should already have the standard tools like firewalls, IPS devices, anti-virus software, etc. Make sure those are working at their optimum level. If they aren’t, then fix that. That may mean new software, or a new device, or even a new approach — a managed IPS, for example.
- When it is time for these new tools, beware of a vendor’s over-promise. Know what these devices can and can’t do. The vendors are going to make a lot of implications about what they can accomplish. We aren’t saying that these implications aren’t true, but be aware that this world of predictive security is still new. Much of the talk you hear is more aspirational than reality.
- Finally, diversify. Don’t put all of your chips on reactive security or predictive security. You want a good blend of tools to keep your network well protected.