Technology is not to blame for online attacks: FireEye

Online security attacks against organisations may occur as a result of technology being used as tools to create malware and vulnerabilities, but ultimately, it's an attack by people, said Dave Merkel, FireEye senior vice president and chief technology officer.

Speaking to ZDNet, Merkel said that despite spending billions on endpoint security, organisations are continually losing the security battle. He said that one of the reasons behind this is because online attacks are often misunderstood as a technology problem, when it's not. In turn, organisations look in the wrong places for solutions.

"When you do think of it that way, then you tend to do a bunch of bad things. Such as ask bad questions to your security team like, 'What product can I buy to make this go away?' The answer is you can't just buy a product that is going make the bad guys go away forever," he said.

A similar view is shared by Gartner. Paul Proctor, Gartner's chief of research for security and risk management, previously said that security is a people problem, not a technical problem. In fact, he noted that it is people who end up making poor security choices when it comes to training, security policies, and management that put enterprises at "digital risk".

"This is not about information security anymore. Digital business is blurring the physical and digital worlds," Proctor told ZDNet.

"Digital risk is not 'Did we encrypt the link between the device gathering how many steps you took and our server?' That's traditional information security. We're talking about the issue [of] 'What are we doing with this information? Is it enhancing our business? Is the risk worth it? Is there a regulation in a country that says you can't do that? Are they going to arrest our CEO when they land in that country?'"

Merkel suggested that businesses need to accept that online attacks will never stop, and they need to implement a security strategy that will enable them to manage attacks as part of their everyday business operations.

"What you have to do is think about how you're going to manage this problem that is always going to be there, so that it's at a manageable level. It really is about making an ongoing investment, because the bad guys will continue to invest and innovate, so you have to do the same," he said.

When asked what classifies as a "manageable level", Merkel said an organisation needs to be realistic about its security goals -- and completely eliminating attacks does not count, because it is not possible.

"What you can do is position yourself to be continually observing and hunting for those attackers in your environment. Even if you can't prevent every breach, you may be able to prevent its impact," he said.

"If you can find the attacker in the first few minutes as they enter your environment and stop them, then that's significantly different than if the attacker is in your environment for a month or half a year."

He added that if an attack occurs, organisations can only blame themselves and not the technology systems in place.

"You've got no one else to blame but yourself for failing to innovate, or invest in new tech while the bad guys did," he said.

From a global perspective, Merkel said that organisations still have a way to go, highlighting findings from the Mandiant M-Trend 2015 that were "terrible". It found that while the average time from initial breach to an organisation discovering that they have been breached improved from 229 days in 2013 to 205 days in 2014, it was still a significant number.

The data also showed that when discovery of the breach happens, 69 percent of organisations find out from a third party, such as a supplier, customer, or law enforcement.

Merkel noted that improvements will come down to organisations adopting an adaptive defence strategy, which involves equal investments in technology, intelligence, and expertise, and using the tools to detect, prevent, analyse, and respond to attacks.

This approach echoes Gartner's people-centric security strategy that is focused on structuring a security strategy and process around people's innate humanness.

"It is a model based on the social sciences that puts an emphasis on incentivising people to do the right thing. Gamification makes things fun so people do it, [but] this is not gamification," Proctor previously said.

"It's about setting up your controls in a manner that motivates people because they have something to lose. I give you certain rights and responsibilities. I give you the ability to use your personal device to get corporate email on it, but I also tell you don't put a bunch of company-sensitive information on that."