Neil MacDonald

A member of the Gartner Blog Network

VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…


One Big Take Away From RSA: Intelligence

by Neil MacDonald  |  March 1, 2011  |  1 Comment

As I walked the exhibit hall floor at RSA, I couldn’t help but notice the large numbers of vendors talking about the need for improved detection capabilities and security intelligence that provides actionable insight as to what is going on in our IT infrastructure.

Complete protection requires both prevention and detection capabilities.

I’ve blogged about this issue previously here, here, and here.

We are far too focused on the unachievable goal of trying to prevent anything bad from ever happening. It’s not gonna happen. As we discussed on the panel I moderated at the conference on Advanced Persistent Threats, you will be compromised. One of the panelists, Dave Merkel from MANDIANT, made the point that you are already compromised, you just don’t know it.

In this research note for clients in early 2007, I made this prediction:

By the end of 2007, 75% of enterprises will be infected with undetected, financially motivated, targeted malware that evaded their traditional perimeter and host defenses.

It’s just taken us a bit longer to realize that most of us have been compromised for a really, really long time. With all of our security dashboards showing “green” (mostly because they are dependent on signature-based models that have become increasingly ineffective) we were complacent.

No longer.

Around the exhibit floor, dozens of vendors used different words that all described the same need:

  • Intelligence
  • Advanced Threat Detection
  • Situational Awareness
  • Context Awareness
  • Activity Monitoring

Delivering Security Intelligence and Situational Awareness will be one of the next big areas of investment in information security.
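To make the contrast between a signature-driven "green" dashboard and activity monitoring concrete, here is an added example (mine, not code from the post or from any vendor mentioned in it). It runs two detection models over a handful of constructed proxy log lines: a blocklist lookup standing in for a signature feed, and a behavioural check that looks for beaconing, meaning one internal host contacting one external host at a near-constant interval. The log lines, the hostnames, the blocklist and the thresholds are all invented for the illustration.

```python
"""Signature-only vs. behavioural detection over constructed proxy log lines.

Added example, not from the original post. The log, the blocklist and the
thresholds are constructed for illustration only.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log, one event per line: "timestamp src_ip dest_host bytes".
# Host 10.0.0.9 talks to the same external name every ~300 seconds.
SAMPLE_LOG = """\
2011-03-01T09:00:00 10.0.0.5 www.example.org 5120
2011-03-01T09:00:03 10.0.0.5 cdn.example.net 84210
2011-03-01T09:00:00 10.0.0.9 updates.vendor-a.test 310
2011-03-01T09:05:00 10.0.0.9 updates.vendor-a.test 312
2011-03-01T09:07:41 10.0.0.5 mail.example.org 2210
2011-03-01T09:10:01 10.0.0.9 updates.vendor-a.test 309
2011-03-01T09:14:59 10.0.0.9 updates.vendor-a.test 311
2011-03-01T09:20:00 10.0.0.9 updates.vendor-a.test 313
2011-03-01T09:31:12 10.0.0.5 www.example.org 7730
"""

# Constructed blocklist standing in for a signature feed. Like most feeds,
# it knows about past campaigns, not about the host this sample uses.
KNOWN_BAD_HOSTS = {"evil.known-bad.test", "c2.old-campaign.test"}


def parse_log(text):
    """Turn the raw log text into (timestamp, src, dst, bytes) tuples."""
    events = []
    for line in text.splitlines():
        ts, src, dst, size = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(size)))
    return events


def signature_hits(events):
    """Signature model: flag only destinations already on the blocklist."""
    return [(src, dst) for _, src, dst, _ in events if dst in KNOWN_BAD_HOSTS]


def beacon_candidates(events, min_events=4, max_jitter=0.05):
    """Behavioural model: flag (src, dst) pairs whose contact interval is
    near-constant, i.e. stdev/mean of the gaps <= max_jitter, over at least
    min_events contacts. Returns {(src, dst): mean_interval_seconds}."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in events:
        by_pair[(src, dst)].append(ts)
    found = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            found[pair] = avg
    return found


def dashboard(text):
    """Summarise what each model would show for the same log."""
    events = parse_log(text)
    sigs = signature_hits(events)
    return {
        "signature_status": "green" if not sigs else "red",
        "signature_hits": sigs,
        "beacons": beacon_candidates(events),
    }


if __name__ == "__main__":
    # Expected: the signature view is "green" while the beacon check
    # surfaces (10.0.0.9, updates.vendor-a.test) at a 300 s interval.
    print(dashboard(SAMPLE_LOG))
```

The signature view stays green because nothing in the log matches the feed; the beacon check surfaces a lead anyway. That lead is not a verdict: a legitimate update agent produces the same regular pattern, which is why this kind of output belongs in a workflow that adds context (who owns the host, is the destination expected, how much data moves) rather than straight onto the dashboard as an alert.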

How will we pay for these net new investments? While information security budgets on average continue to increase, it won’t be enough. The need for better detection will be funded through savings and cutbacks on the protection side of the equation – for example, savings on endpoint protection platforms and consolidation onto next-generation enterprise firewalls which combine firewalling and IPS capabilities.


Category: Beyond Anti-Virus, Endpoint Protection Platform, Security Intelligence

1 response so far ↓

  • 1 Wendy Cohen   March 3, 2011 at 1:00 am

    I agree, today’s DLP systems can detect pre-defined templates and predefined fingerprinted content. However, we are all very far from detecting natural language that is sensitive in nature.

    Nevertheless, for compliance purposes as well as IP protection, companies such as mine, GTB Technologies, have developed a content-based detection engine that supports detection in any file format and through most TCP channels.