Data analytics will soon transform security technologies, says Hugh Thompson, program chair for RSA Conference USA. And that transformation will impact where and how organizations make investments in security products.
"We're a very young field, but there are lots of other fields that have progressed using analytics," and security can learn from them, Thompson says during an interview with Information Security Media Group [transcript below].
"There is going to be a big sifting out period in the security space, where some technologies rise and others fall," he says. "But the benefit of it is going to be us becoming smarter about how to defend ourselves, and it might not be some universal truth."
Through that knowledge, analytics will likely prove that uniform security strategies are often not the most effective, Thompson adds. "I think that it may turn out that we've got this multimodel distribution of what the right answer is, and it's exciting to see that play out."
Analytics will help security practitioners know which technologies work and which ones don't, he explains. "This is about us becoming smarter about how we define ourselves," Thompson says.
During this interview, Thompson discusses:
- Why the U.S. security industry is embarking upon a so-called "pre-renaissance";
- How analytics will likely reveal a greater divide between compliance and functional security;
- Why relying on "averages" has stunted information security.
Thompson is a world-renowned expert on IT security. He has co-authored several books and written more than 80 academic and industrial publications about security. Thompson has been an adjunct professor at Columbia University; an advisory board member for the Anti-Malware Testing Standards Organization; an editorial board member of IEEE Security and Privacy Magazine, and senior vice president and chief security strategist at Blue Coat Systems.
Analytics Role in Security
TRACY KITTEN: How is analytics changing the world, and what role will it play in security?
HUGH THOMPSON: We're at a really exciting time in information security. I think you've seen a lot of changes over the last 24 months in the attack landscape through some of the threats that have come in. But we're also in this pre-renaissance phase where we're starting to look at big data. And I think big data will give us a ground truth around security. We're a very young field. There are lots of other fields that have progressed using analytics. Look at the way that you shop online, look at the way that you even buy insurance and have that priced for you. Analytics has transformed lots of other industries and it's exciting to think what it's going to do for information security. I think it's going to give us insight on which technologies work and which don't; which approaches and methodologies, even training methods for employees, educational resources, are effective at keeping data safe and keeping a business safe. So, it's a really exciting time in that way.
Finding a 'Ground Truth'
KITTEN: How do you see analytics helping the security space determine or find its ground truth?
THOMPSON: I always say the best indicator of the future is the past. From other industries, you look at the consequence of this type of analytics. When I go to a website like Amazon.com, for example, 10 years ago, I'd get the same landing page as my mom would get or my cousin would get. Today, I go to Amazon.com and I get a completely different landing page, something customized just to me. We've seen this personalization of security play out through analytics, and it turns out, statistically, that is the best way to sell goods to someone. If you present to them something that they are personally interested in, that other people have been personally interested in, that has been a huge step forward in commerce. Now, you look at that transformation and wonder what will that transformation look like in security? I think what it will start to remove a bunch of the superstition that exists in the security space today. A lot of what we do is based on convention. Why do we employ products A, B and C? Why do we have a policy that passwords have to be eight characters? Why do we teach employees about security during new employee orientation and never talk to them about it again for another year? We do it, usually, because that is what we did last year and the year before. I think analytics has the ability to come in and tell us, 'Look, those methods that we're doing, some of those were right some of those were wrong, and here is actual data to back it up. There is going to be a big sifting out period in the security space, where some technologies rise and others fall. But the benefit of it is going to be us becoming smarter about how to defend ourselves, and it might not be some universal truth. Maybe the answer isn't that every password must be eight characters. Maybe the answer is, for a financial services company in Singapore, that you should have 12 characters. Maybe the answer for a technology company in California is that you should have eight characters. I think it may turn out that we've got this multimodel distribution of what the right answer is, and it's exciting to see that play out.
Big Data's Impact on Compliance
KITTEN: Do you think big data or data analytics could change how we perceive compliance?
THOMPSON: I think one of the biggest challenges that we face in security today is a growing divide between compliance and actual functional security. I think analytics will be helpful in that space, but I'll tell you, it's going to be a slow process. It took us a long time to get the regulations that we have today, and I think it's going to take a lot of data to change the regulations that we have and align them more to risk. But I think the truth is that we're going to find out that sweeping regulations aren't the right answer. I think it's going to be very personalized, very individualized to the company and the type of data that company is using. So that's going to be an interesting discussion. But I do think that some of the conventional wisdom that we have in this space will be challenged. I think for some people it's going to be very exciting; for other people it's going to be very concerning. And I think, in some ways, it's going to cause a different breed of security executive to emerge inside big enterprises. And you can see that that sifting out process happening even in a field like baseball. Right when Billy Dean first decided we're going to use analytics to choose baseball players, instead of relying on the scouts that we've relied on for decades and centuries, it was really disruptive. It was really scary, actually, to a lot of people in the space. But he embraced it and now you see many other people use that same approach to selecting their players. Now, after that revolution happened in baseball, you saw some people who were so entrenched in the old method of doing things just become less and less relevant over time. And the people that embraced the new method of doing things rose to the top. So I think that you're going to see a very interesting period over the next couple of years, as we truly move from analytics to real insight about security.
KITTEN: How might data analytics help to address some of the cultural differences that we see in places such as Asia, and how will that impact security?
THOMPSON: Asia is incredibly diverse and incredibly eclectic. Country to country, laws vary, policies vary, conventions vary and cultures vary. So, I think what analytics will show is that we can find solutions that fit into a set of multiple factors that determine what the right approach is. The danger, though, in analytics is that we start to worship averages. If we took the world's population, all the companies in the Fortune 1000, and we wanted to come up with an average of what the best way was to do passwords, what the best way was to do authentication, the way to do antivirus, I think that we would come up with a result that is actually not very useful for anybody. You're taking a lot of these very individualized situations, verticals, cultures, and trying to mix them together. So, I think that what analytics will eventually show us is that there is a right answer for a particular company or a particular government agency; but that may be very different from what the global answer is.