Trend Micro's new paradigm: old (but good) advice in a new bottle

Information security vendors are telling customers to think in a new way. At the core of their advice is the idea — the admission, if you like — that no matter how good the defences they sell, sooner or later the bad guys will get through.

Trend Micro's version of this advice follows the now-standard narrative. Attacks are becoming increasingly targeted and mumble mumble advanced persistent threats (APTs) Chinese hackers eek. Good-enough security isn't good enough to divert a targeted attack to an easier target — because that's not who they're after.

"If there is some reason that I have something of value, they can and will get in," said Blake Sutherland, Trend Micro's vice-president of strategic markets, at a media briefing in Sydney earlier this month. "The question is, can I put the controls in place that allow me to get visibility quickly and determine who's attacking me?"

Traditional defences were like putting on a suit of armour that didn't have a visor to look through, he said. They tried to stop the attack while doing little to identify the attacker.

The message? Security systems need more than a defensive perimeter or here-and-now real-time traffic analysis. They also need processes for responding to break-ins once they're eventually discovered, and processes for improving the defences to remove the risk of a repeat incident.

"A lot of these new technologies are trying to give you far more information — whereas AV [anti-virus] in the past was just 'Keep it away!' It's bug repellant. Well now we want to know if that mosquito's got malaria," Sutherland said.

Of course a new way of thinking needs some nifty slogans and explanatory diagrams. Trend Micro's four-step model — let's call it D-A-A-R — is typical of the genre.

* Detect the targeted attacks. That means you have to watch and log events to begin with.

* Analyse the attacks, to determine their scale and risk, and identify the attacker.

* Adapt your defences to protect against future attacks.

* Respond to the attacker, using what intelligence you've gathered to contain and remediate the threat.

Of course the real strength of D-A-A-R, at least for Trend Micro, is that thanks to a very handy coincidence it maps onto the marketecture of their Custom Defence product line. Of course it does. But that doesn't matter, because that sort of model is actually good advice.

Indeed, D-A-A-R is not so different from last century's "traditional" information security cycle: Protect, Detect, React. Protect the network with a firewall, sure, but also monitor its logs and deploy an intrusion detection system to detect problems, and have a process in place for reacting to incidents.

Given the various extended versions of that paradigm — such as Protect, Detect, Test and Verify, Respond and Remediate — the similarity becomes even clearer.

There's nothing wrong with repeating some security essentials in a fresh form, particularly when circumstances are changing. As James Turner, security analyst with IBRS, put it, "I think the value out of this conversation is that it's got to be the shift that we see across the entire industry in terms of the culture around security events."

Turner cited the recently-revealed hack of the Reserve Bank of Australia as a prime example. "There was an employee that went 'Something's not right here', raised the flag, and by all accounts they seem to have done a good intercept [in terms of preventing data exfiltration]."

Vendors like Trend Micro don't develop similar models because they're copy-cats. It's because they're all looking at the same infosec landscape.

Copyright © 2013 IDG Communications, Inc.