Recently, I had the good fortune to be invited to present the keynote speech at the 2014 Les Assises Security Conference held in the beautiful city state of Monaco. Les Assises is the largest information-security gathering in France and year-in and year-out it proves to be not only a huge information sharing opportunity, but also a time of self-reflection and strategy affirmation for the thousands of security executives that attend.
The conference was brimming with a bursting-at-the-seams attendance and a full dance-card of top notch speakers and engaging topics to review. I learned a lot from those with whom I had the good fortune to hear and speak with – and I now better understand that our industry is at a crossroad.
Here are some of the most resounding messages I’d heard:
The threat landscape is changing with great velocity. There is no ‘set it and forget it’ any longer in the mindset of the people who bear the brunt of detecting and mitigating today’s threats.
Europe is inextricably tied to the international information-security community. There was a great sense to me that the attendees understood that although organizations in France didn’t always receive the size or type of cyber-attacks which affect the US, there was clearly a sense of urgency and reverberation into the European theater to proactively deploy controls before the attacks reach their ‘shores.’
There is a growing sense that governments need to take action and begin legislating priorities and providing guidance for their companies and organizations.
Perhaps a few years behind organizations in the US, there is, never-the-less, a quick movement to Cloud Delivery Models – making permanent the porous perimeter.
In addition to these conversations and joining the Radware team in attendance, I was invited to provide a presentation on the topic of Cyber Warfare.
Building a Yellow Brick Road
As part of my visit, I was asked to build a “yellow brick road” – to assist participants in their pursuit of a more stable and predictable path through the threat malaise.
My presentation highlighted many myths about today’s cyber-attacks that many believe, such “a cyber-attack is just about volumetric attacks and all you need to do is ‘buckle down’ to weather a storm that will eventually pass.” I also tried to drive some salient points about how folly the idea of not planning and studying this threat has proven to be!
I concluded my discussion by summarizing key points about enterprise security, among them is that cyber-attack storms shouldn’t be weathered alone.
The following criteria should be considered when conducting an assessment of how capable your organization’s protection is:
Quality of Attack Detection: Do you have accurate and effective protection against all vectors of attacks?
Time-To-Detect: Speedy attack mitigation. Many vendors actually take a lot of time.
Time-to-Mitigate: This includes the time to detect and to react effectively; a very important parameter. Only the best service providers achieve client satisfaction in this area.
Quality-of-Mitigation: Make certain that legitimate traffic is not suffering while mitigation is occurring.
Detailed Reporting & Response: Today, even large enterprises don’t have the expertise and resources to handle large scale and prolonged attack campaigns. Small to large online businesses require an ‘Easy Button’ too – that is a system that provides total end-to-end service for the entire threat spectrum.
In my time spent at Les Assises this year, we learned that attacks are becoming more and more business relevant and in the past three years the frequency and complexity of attacks has grown. Now it is easier than ever to tell who has gone down, who has stayed up, and who helped them along the way. For me, the event highlighted poignantly powerful trends and proved to punctuate the omnipresent threat gripping businesses today.
Carl is an IT security expert and responsible for Radware’s global security practice. With over a decade of experience, he began his career working at the Pentagon evaluating computer security events affecting daily Air Force operations. Carl also managed critical operational intelligence for computer network attack programs to aid the National Security Council and Secretary of the Air Force with policy and budgetary defense. Carl writes about network security strategy, trends, and implementation.