Today’s information security regulatory standards are out of date. They need to be updated with more prescriptive guidance. For example, almost all security practitioners know they need current technologies such as malware sandboxing, exploit prevention (memory protection) on desktops, enhanced network traffic visibility, distributed deception platforms, web application firewalls, and SIEM systems that can leverage user behavior analytics and machine learning rather than simple correlation in order to keep pace with today’s attackers. Why is it that our regulators don’t see, and more quickly respond to, the fact that even compliant organizations are being breached every day? Maybe I’m just on a soapbox, but we need to get real about the attacker. It is my belief that we must push our regulators, and contractual obligations like PCI, HIPAA, CIP and other standards, to evolve to be more relevant to today’s threats.

Defending against today’s threats requires new technology approaches. For example, many organizations I speak to still don’t have adequate headcount, yet they also don’t use the technologies that would lower the headcount they need. Many of these technologies (especially user behavior monitoring, machine learning, and distributed deception platforms) can and do reduce the number of people required while raising the level of detection and prevention.

via the fine folks at Gartner