The security software executive of IBM tells CBR why pre-emptive action is key to cybersecurity.
If you needed to describe IBM Security in a word, ‘holistic’ would be apt. This giant of tech is not used to doing things by halves, and its heft and breadth as an organisation have seen it become one of the biggest players in cybersecurity.
As Peter Jopling, CTO and security software executive of IBM, UK&I, puts it: "We have got a very long pedigree in security," pointing to the Data Encryption Standard (DES) the company developed back in the 1970s, a tool approved by the National Security Agency (NSA) that is considered a milestone in cryptography.
The company’s security division reorganised itself in 2011, integrating both the tech and consulting sides under the moniker IBM Security. "That was a watershed moment when security was starting to become front and centre in most board agendas," says Jopling.
He believes that the move greatly enhanced the company’s ability to serve customers, leading them to build a framework around security that is described in detail in one of the company’s technical support Redbooks publications.
In the past decade, IBM has also made a dozen security acquisitions, most recently in the cloud with CrossIdeas and the Lighthouse Security Group, and invested more than $1bn in research.
The fruits of this expenditure include more than 3,000 security patents, 25 security labs, and 6,000 security researchers across the globe. The firm can even boast that its X-Force team, which advises businesses and consumers on the latest threats, has analysed 20 billion webpages, building a database of 40 million spam and phishing attacks, as well as more than 80,000 vulnerabilities.
Direction of the market
On the question of the balance between prevention, detection and response, Jopling says: "In security there’s no silver bullet. So it’s all about how can you get to those choke-points pretty quickly, how can you manage them, and how can you take good business decisions around that environment.
"Firewalls and antivirus have been around for years so typically that’s not where a threat actor will try and launch an attack," he adds. IBM has increasingly stressed the idea of intelligence over the past three years, with the company responsible for more than 15 billion security events every day in 133 countries, a project that encompasses thousands of clients and more than 20,000 devices.
False positives are a common occurrence in cybersecurity, and so much effort is focused on filtering the events on the basis of behaviour analytics. As Jopling says, the aim is to "get rid of noise and show a clear picture of events you have to take action against".
The other problem is that many do not know how to make the best use of their tools.
"Most organisations are reactive, so something happens and they don’t know what it is, they don’t know how they’re going to mitigate it, but they throw a lot of resources, and a lot of money, and a lot of effort at trying to sort out that problem," says Jopling. "So we spend a lot of time trying to get organisations into a more proactive stance."
His belief is that boards are redeeming their previous complacency over cybersecurity issues.
"They have become very attentive and it’s changed dramatically over the last 18 months," he says. "It’s seen as something that the business needs to do." He adds that being proactive can both reduce cost and increase revenue. If so, the board is right to be intrigued.
Using partners to tackle verticals
Even as the third-largest enterprise software company in the world, IBM Security relies on a large network of partners to facilitate its services. The network of systems integrators and other IT professionals allows it to better tailor its services to the business risks of each client, creating flexibility across a huge market.
As for customers, the company can also boast an impressive record. IBM Security is responsible for almost three-quarters of the banks across Japan, North America and Australia, and was even highlighted as the market leader by research firm Gartner in a recent report.
Like other firms, it has seen variance between the American and European markets, the latter being more heavily regulated, a fact more noticeable in some vertical industries than others.
"There’s a stronger market in the US in terms of financials, but also critical industries such as infrastructure," says Jopling.
An interesting area for growth in cybersecurity is found among retailers, with their huge usage of point-of-sale (PoS) units like those compromised in the breach of Target in the US.
"There’s a real issue at the moment with retail around point-of-sale terminals being compromised with malware," says Jopling, adding that more could be done in that sector.
The latest quarterly report by the X-Force team focused on the impact of Heartbleed, a flaw in the OpenSSL security layer that allowed hackers to eavesdrop on conversations between web browsers and websites. Even six months after it was disclosed, many servers are still affected by it, and similar bugs such as Shellshock have also been unearthed.
"I think it came as a little bit of a shock," says Jopling, adding that the event showed who was capable of responding to a security crisis. The race to patch and exploit the bug was likely educational for a lot of companies caught up in the struggle, but IBM remains confident about its ability to respond to zero-day bugs that can lie undiscovered for years.
"We have got a good track record," says Jopling. "We have the ability to react to a number of attacks that have been quite substantial in the past."
In the end, he believes the key is multi-layered security, and he stresses that there is no one tool that can deal with all the problems.
"In a way it’s classic military tactics, in terms of how you respond to the enemy and what we do to protect ourselves going forward."