Sapsiwai - Fotolia


Shifting IT security budgets to attack detection, response

A prevention-focused security strategy isn't foolproof. CIOs need to guide a shift in IT security spending toward attack detection and response.

Let's get the bad news out of the way: Your organization has an outdated approach to IT security budgeting and is almost certainly wasting precious dollars that could make the difference in preventing a breach.

If it's any consolation, many enterprises are making the same mistake: budgeting too much on attack prevention and not investing in threat detection and response. Fortunately, the changing dynamics aren't hard to understand, and the necessary changes to IT security budgets, while they may be painful initially, will ultimately lead to better security. That's what we'll discuss in this tip.

Detection and response matter as much as prevention

It's impossible to prevent every determined attacker from gaining unauthorized access to your IT infrastructure and finding sensitive data. From early breaches like those at Heartland Payment Systems and Epsilon Data Management to more recent incidents involving Target, Home Depot and Sony Pictures, time and again attackers have proven there's always a way to get past the preventative security controls of virtually any organization -- firewalls, intrusion prevention, signature-based antimalware, single-factor authentication -- even those organizations in industries that invest heavily in information security and compliance like finance and retail.

It's critical for CIOs to understand the need to start significantly shifting how IT security budgets are spent, and support and facilitate that process.

To boil it down, good guys make mistakes -- be it a misconfigured firewall, an unpatched Windows machine or a zero-day exploit hidden in a phishing email -- and bad guys need only to be "right" once to succeed. Prevention technologies help ensure every attacker doesn't get in, but as those high-profile incidents show, sophisticated attackers can still get by.

Instead, enterprises must deliberately undergo a process to reduce that prevention spending and shift it toward attack detection and response products. Detection and response technologies -- network and endpoint threat detection, malware sandboxing, and policy-based whitelisting as well as offerings that accelerate and ease incident response -- assume the worst, giving enterprises new ways to identify, categorize and prioritize anomalies, and then conduct rapid isolation, remediation and post-incident analysis.

Detection and response capabilities are becoming essential information security infrastructure components alongside prevention products; more and more enterprises are recognizing this important trend, but it needs to be accelerated. To do that, allocation of IT security budgets must change.

Attack prevention vs. attack detection in IT security budgets

Now, as we've established, a prevention-only security strategy isn't foolproof. So why are enterprises still spending so much on it? According to industry estimates, enterprises have historically spent more than 75% of their infosec technology budgets on preventative technologies. Attackers, unfortunately, see that as an opportunity. While fortunately research shows that percentage is declining, many CISOs have either failed to fully recognize the reduced effectiveness of preventative security technologies, or haven't been able to work with their CIOs to land the seemingly necessary budget increases.

In one sense, it's logical: The preventative products worked in the past, vendors have strived to improve them, and the alternative is to invest in newer, less proven technology that may be harder to justify to C-level executives. This is why it's critical for CIOs to understand the need to start significantly shifting how IT security budgets are spent, and support and facilitate that process, both by encouraging their CISOs to begin planning for this shift and by initiating conversations with other top executives to pave the way.

Another barrier to change is that while it's easy in theory to spend more on detection and response, in practice it means reducing what an organization spends on prevention. Firewalls and the like are still needed and still require maintenance and upkeep. Two trends help tremendously here: the convergence of legacy and contemporary security technologies and the rapid commoditization of legacy security product categories.

For instance, one disruptive vendor's latest midrange next-generation firewall (NGFW), which also includes intrusion prevention system (IPS) technology, offers up to 36 Gbps of firewall throughput and 7 Gbps of IPS throughput for a cost (low five figures, including support) that is just a sixth of what a similar offering from a top-tier vendor would cost. Even a year or two ago this would have seemed impossible, but new technology advancements have enabled several vendors to offer low-cost, high-performance converged IPS-NGFW products that are worthy of enterprise shortlists, creating huge cost-savings opportunities.

Another example is on the endpoint. One vendor that specializes in endpoint threat detection and response (EDR) has recognized that even though signature-based endpoint antimalware products are largely ineffective in consistently detecting dangerous malware, many organizations still need it for compliance reasons. So the vendor has integrated a prominent vendor's free malware detection software with its own EDR platform, enabling customers to get the combined benefit of integrated prevention and detection technology while eliminating the endpoint prevention cost burden.

Don't ignore the opportunity of changing security market dynamics

New opportunities like this are emerging all the time, and CIOs should encourage their CISOs to watch for ways to decrease spending in legacy areas to pursue advanced security technologies. Indeed, changing information security market dynamics are enabling opportunistic enterprises to dramatically reduce their spending on preventative technologies, in turn allowing them to increase their detection and response spending.

The speed and size of the budgetary shift will vary in every organization, and there are no "right" percentages. What matters is that CIOs must not only be aware of this transition, but also actively foster it within their organizations; doing so will go a long way toward reducing an organization's risk of falling prey to a devastating breach.

About the author:
Eric Parizo is senior analyst, Enterprise Security with Current Analysis, a leading provider of timely, practical market intelligence and advice that helps global IT and telecom professionals compete, innovate and improve performance. His areas of emphasis include next-generation firewalls, threat detection and remediation, Web and application security, and enterprise mobility management.

Next Steps

The evolution of whitelisting technologies

How is malware adapting to virtual environments?

Streamlining continuous threat analysis via endpoint threat detection

Dig Deeper on Enterprise information security management