RSA Conference: Actionable Intelligence is the Missing Link in Incident Response

Anthony Di Bello

Yesterday at Moscone Center I walked by the former Gartner security analyst who famously pronounced nearly 10 years ago that “IDS is dead.”

So it was fitting to attend the keynote by RSA Chairman Art Coviello and hear him say, “It’s past time for us to disenthrall ourselves from the reactive and perimeter-based security dogmas of the past and speed adoption of intelligence-driven security.” He described a fact that is now inescapable to every security professional: alerting systems and point solutions for threat response are not sufficient to respond to modern threats. The time has come to change the way we perform incident response by using rapidly accessible, actionable intelligence to raise the stakes for hackers, crackers, and thieves.

Big Data: Double-edged Sword?

He began his address by noting that we’re in the era of “big data” hype. While big data is potentially a boon to security approaches, it’s ironic that the very applications and data stores that industry is beginning to use for marketing and product-development purposes will live in the cloud and be accessible by mobile devices and therefore become the targets of the cybercriminals, corporate spies, and nation-state agencies we security professionals are defending against.

But emerging big-data analytical tools may soon enable us to “extract meaning, sort through masses of data, and find the hidden patterns and unexpected correlations” in the millions of attacks currently being experienced by government and enterprise organizations on a weekly basis.

Which leads directly to the main point Coviello made: In order to fight cybercriminals and spies effectively, and knowing that they will breach our firewalls and plant long-term threats in our data, we must have immediate access to actionable intelligence. This intelligence will make it possible for us to make tactical counter-strikes against the bad guys sooner in such a way that it costs them more each and every time they attempt a breach—setting up a state of diminishing returns.

Triage and Vital Intelligence Will Drive Smarter, Faster Countermeasures

The problem is, of course, that for too long there has been a missing link between alerting systems and point response tools. That missing link is the ability to rapidly triage an alert, then uncover the genuine threats and determine their source, their scope, and the threat they pose to the endpoints on which they have been unleashed. What is learned in that step becomes vital intelligence that can be used in minutes, not days or weeks, to fight the attackers early in the game.

This is why we’ve created an integration between EnCase® Cybersecurity and FireEye MPS: because organizations need to move quickly from alert to triage to intelligence to action. These are exciting times, and it’s good to be in on the beginning of a collaborative phase in our industry, where we band together, integrate, and fight faster and smarter against cybercriminals.
