What’s not to love about Whack-a-mole?  I remember that gleeful carnival game where my brother and I would focus on beating mechanical rodents as fast as possible with a huge mallet.  My parents would stand in the back laughing until their sides hurt, and one of us walked away with a cheap stuffed animal.

Whack-a-mole isn’t so much fun when you are an IT security manager and you are forced to play the game every day.  

At a recent security conference, I asked a CISO from a global manufacturing company to estimate much time his team spent on reactive versus proactive security management.   “We easily spend 90% of our time being reactive,” he said.  “The team responds to alerts, troubleshoots connectivity issues, and performs assessments as fast as possible to avoid delaying new service rollouts.  We’d like to be more proactive, but there just isn’t time. ”

Quite a catch-22.  What’s a security professional to do when you are so overloaded beating down the next ugly issue rather than planning ahead to avoid major problems.  Studies estimate that it generally takes about 3X longer to correct the damage from a data breach or attack than it does to resolve the root causes in advance.  Whack-a-mole is not an efficient way to problem solve.

Starting with that 3X number, I did a quick back-of-envelope calculation.  By my guesstimate, security teams at Fortune 500 companies waste at least $400M every year through missed opportunity to avoid an incident in the first place.   

It’s clearly time to redirect that effort and expense to better use. 

So where to start?  Do a quick survey of your security team and find out the top areas where you are stuck in endless whack-a-mole game.  Most likely the list includes a lot of data collection, manual analysis, and reporting tasks, clear opportunities to automate security tasks.  Firewall analysis, compliance assessment, and vulnerability assessments are all likely suspects for major time and cost savings. 

For example, using an automated tool like Risk Control to prioritize vulnerabilities according to real network topology and risk factors helps you predict the most damaging ‘moles’ in advance and retire them before they are exploited by an attacker.  Speeding through a proactive correlation of vulnerabilities, threats, access paths, and target assets in a large network to find the top vulnerabilities that are most likely to be exploited is a math problem best solved by a computer.   With a predictive approach and automation, you can get back to spending more time on more engaging security management tasks. 

Are you being kept awake at night worried about the possibility of network gremlins, aka Advanced Persistent Threats (APTs), running loose in your network? If so, you are not alone. With continuing news coverage of sophisticated and targeted attacks that can go undetected for months, I wonder if any IT security professionals actually sleeps through the night.

Perpetrators of APTs are patient and well -- persistent. If there is a security gap (and whose network doesn’t have one) they will find it. But before you lose hope, there are steps you can take to significantly lower the risk of attack or focus your limited IT security resources to shine a spotlight on suspicious activities.

1.) Know your network. The fact is, complex networks are hard to keep track of and pinched budgets mean that too few people have the correct tools to completely map their network. When a new customer first sees a Skybox map of their network, the reaction is inevitably “I didn’t know that was there!” The surprise might be a collection of unapproved devices, a wireless network that isn’t supposed to exist or an access path from the internet to an important asset. How do you defend a network if you aren’t sure what it looks like? It’s also easier to sell upper management on the need for additional resources when they see the complete picture.

2.) Automate. If you are still trying to manage your network security manually, stop. A CISO told me recently that their security team was being “nickel and dimed to death”, with tons of time spent reviewing growing sets of firewall rules and sifting through endless vulnerability reports. Many daily security activities start with tasks that can be automated – data collection, correlation, analysis, alerting, reporting. Automate the time-consuming (but necessary) tasks, and precious security expertise can be applied better elsewhere.

3.) Be proactive in addressing the known security holes. While an APT using a zero-day vulnerability is frightening, In ComputerWeekly.com security expert, Ionut Ionescu, noted “they [APT attackers] used not only attack vectors specific to sometimes obscure equipment, but also attack vectors against well-known, publicised and patchable vulnerabilities.” Close the open doors and windows quickly, and you’ll lower the chance and exposure window of a potential attack. Tools such as Skybox Risk Control find and prioritize ‘exploitable vulnerabilities’ based on a combination of vulnerability scan data, threat information, and a view of the asset information.

Risk reduction requires continuous monitoring and determined effort. Whether you are concerned about APTs or just fighting garden-variety malware and cyber criminals, you can put into place the tools and processes for easier to conduct daily, systematic, and measurable risk reduction. Also, it might help you get some sleep.