SINGAPORE--Enterprises trust their vendors' security recommendations too readily, accepting designs built around traditional, commoditized tools while remaining unconcerned about real risks such as advanced persistent threats (APTs).
Such a mindset leaves organizations vulnerable and needs to be addressed, RSA executives urged.
Jeffrey Kok, technical consultant director of RSA Asia-Pacific and Japan, said companies generally accept vendors' security designs and recommendations too easily, when they should be demanding more advice on how to address the evolving, sophisticated cyber threats now proliferating across the enterprise space.
This is because these companies trust brand names more than they examine whether the recommended security tools meet their needs, adopting the mentality that if the vendor's recommendation does not work, they will not be the only ones affected, Kok added. The executive was speaking at the Security Exchange 2012 conference here Thursday.
Go beyond one-size-fits-all
Vendors, for their part, tend to recommend the "official industry threat model", a generic security design that may not tackle most security threats, he added. These default designs do not work because every IT environment is different, and the security architecture needs to be customized accordingly, he stated.
These designs also rely on commoditized security tools such as signature-based antivirus, firewalls, intrusion prevention systems and intrusion detection systems, the executive said. A commoditized security tool can be defined as one offered by 10 or more vendors whose functionality is difficult to differentiate, he explained.
An internal survey by RSA on IT spending, for example, showed 70 percent of Singapore companies investing in commoditized products for known threats instead of tools for advanced security threats and analytics, Kok pointed out.
Commoditized tools are built on an understanding of what "bad threats" and "good systems" look like, but as APTs are increasingly favored by cybercriminals, such threats are able to evade detection by these tools, he said.
David Cohen, head of knowledge delivery and business development at RSA, who attended the same conference, added enterprises still do not believe "in the severity of APTs".
Organizations think APTs are not real because they have not been breached, but this mentality is wrong because many other organizations have been breached, he said. High-profile APTs such as Stuxnet and Flame have also surfaced in recent years, the executive pointed out.
So, instead of spending on security offerings that uncover known threats, enterprises should invest in uncovering the more advanced threats that may already be hiding in their IT systems, Kok advised.
They should also spend more time understanding their IT environments, such as having internal visibility at all levels, he added. "[They] must understand their adversaries and environments and how they can come and get you… before knowing what goes into the design and architecture of a threat model that can protect them," the executive said.