Learning lessons from cyber security near-misses

A realistic approach to cyber security means avoiding the trap of near-miss complacency, writes Anthony Perridge, channel director, Sourcefire EMEA

Tags: Sourcefire (www.sourcefire.com)
  • E-Mail
Learning lessons from cyber security near-misses Perridge: Companies need to have continuous analysis of all security events to gain proper awareness of risks.
By  Anthony Perridge Published  December 23, 2013

How many times do we hear about people failing to heed warnings of potential danger from natural or man-made disasters only to be negatively affected? Researchers Robin Dillon-Merrill and Catherine Tinsley at Georgetown's McDonough School of Business took a look at this phenomenon in a paper entitled "How Near-Miss Events Amplify or Attenuate Risky Decision Making." It all boils down to the fact that we tend to view the outcome as the indicator of success or failure. In the case of a near-miss, the outcome is positive so our natural tendency is to consider it a success. With enough ‘successful' outcomes complacency can take hold along with a false sense of security; past experiences influence individual assessments of risk and lead us to make more risky decisions. As an example, the paper cites Hurricane Katrina and how ‘hurricane fatigue' had set in, causing many individuals not to heed evacuation warnings.

But the researchers also find that if we flip our perspective and view the outcome of a near-miss as a near-failure, then we can take steps to minimize risk in the event of disaster. To do this we need to put a premium on safety. Leading automobile manufacturers have a long history of doing this successfully. Since introducing its crash tests in 1995, the Insurance Institute for Highway Safety reports that the majority of vehicles tested have improved from poor or marginal to good - the highest rating. Automobile manufacturers demonstrate that if we identify near-miss events as near-failures and then use them as an opportunity to recognise and correct dangerous conditions, we can actively reduce risk and move towards true success.

This same approach should be applied to cyber security where complacency doesn't just cloud our ability to assess risk, it actually compounds risk by creating vulnerabilities. That's because security is temporal. You may be safe today, but what about tomorrow? Business models are evolving, attack vectors are evolving and attackers are evolving too. You're up against persistent and astute attackers who are taking advantage of dynamic environments and gaps in security to penetrate your networks.

As a security professional dealing with this reality it's more important than ever to be able to identify near-miss events and take action, turning them into opportunities to enhance security. Below are a few key considerations when evaluating technologies and processes to support this effort.

Open: To deal with dynamic environments you need access to global intelligence, with the right context, to identify vulnerabilities and take immediate action. An open architecture lets you share the latest threat intelligence and protections across a vast community of users for collective immunity. It also enables you to integrate easily with other layers of security defenses as your IT environment and business requirements change.

Integrated: To eliminate the gaps in security that attackers are exploiting, you need technologies that work together to secure networks, endpoints, virtual environments, data centres and mobile devices. Whatever form factor your business requires - physical, virtual, cloud or services - look for solutions that enable you to improve security controls with central policy management, monitoring and distributed policy enforcement.

Pervasive: Policies and controls are important to reduce the surface area of an attack, but threats still get through. Given today's sophisticated and malicious attacks, you need defenses that address the full attack continuum - before an attack happens, during the time it is in progress and even after it begins to damage systems. You also need to address all attack vectors including network, endpoint, mobile, virtual, email and web. Pervasive protection is the only way to detect, understand and stop targeted malware and advance persistent threats and avoid the ongoing damaging effects of a deeply rooted, long-term attack.

Continuous: Advanced attacks do not occur at a single point in time; they are ongoing and require continuous scrutiny. A security infrastructure based on the concept of awareness, one that can aggregate and correlate data from across the extended network with historical patterns and global attack intelligence, enables you to discriminate between active attacks and simply background noise. This helps you zero-in quickly on a malicious attack, take action to stop the threat and use that intelligence against future attacks.

There's a lot we can understand about our environment and attackers to help identify near-misses and correct dangerous conditions to mitigate the impact of an attack and prevent future similar attacks. What's needed is a realistic approach to security so you can see a near-miss for what it truly is - a near-failure. With that perspective you avoid the trap - and risk - of complacency and gain more effective security.

Add a Comment

Your display name This field is mandatory

Your e-mail address This field is mandatory (Your e-mail address won't be published)

Security code