Gartner Blog Network

One Big Take Away From RSA: Intelligence

by Neil MacDonald  |  March 1, 2011  |  1 Comment

As I walked the exhibit hall floor at RSA, I couldn’t help but notice the large numbers of vendors talking about the need for improved detection capabilities and security intelligence that provides actionable insight as to what is going on in our IT infrastructure.

Complete protection requires both prevention and detection capabilities.

I’ve blogged about this issue previously here, here, and here.

We are far too focused on the unachievable goal of trying to prevent anything bad from ever happening. It’s not gonna happen. As we discussed on the panel I moderated at the conference on Advanced Persistent Threats, you will be compromised. One of the panelists, Dave Merkel from MANDIANT, made the point that you are already compromised, you just don’t know it.

In this research note for clients in early 2007, I made this prediction:

By the end of 2007, 75% of enterprises will be infected with undetected, financially motivated, targeted malware that evaded their traditional perimeter and host defenses.

It’s just taken us a bit longer to realize that most of us have been compromised for a really, really long time. With all of our security dashboards showing “green” (mostly because they are dependent on signature-based models that have become increasingly ineffective) we were complacent.

No longer.

Around the exhibit floor, dozens of vendors used different words that all described the same need:

  • Intelligence
  • Advanced Threat Detection
  • Situational Awareness
  • Context Awareness
  • Activity Monitoring

Delivering Security Intelligence and Situational Awareness will be one of the next big areas of investment in information security.

How will we pay for these net new investments? While information security budgets on average continue to increase, it won’t be enough. The need for better detection will be funded through savings and cutbacks on the protection side of the equation – for example, savings on endpoint protection platforms and consolidation onto next-generation enterprise firewalls which combine firewalling and IPS capabilities.



Neil MacDonald
VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…

Thoughts on One Big Take Away From RSA: Intelligence

  1. Wendy Cohen says:

    I agree, today’s DLP systems can detect pre-defined templates and predefined fingerprinted content. However, we are all very far from detecting natural language that is sensitive in nature.

    Nevertheless, for compliance purposes as well as IP protection, companies such as mine, GTB Technologies, have developed a content-based detection engine that supports detection in any file format and through most TCP channels.
