You hear this quip ever louder at gatherings of security professionals. There are two kinds of organizations. Those that have been breached and liars.

Ask yourself: Which are you?

A storm is gathering that is raining pessimism on traditional security which, for the most part, puts its biggest budgets and energies on securing the perimeter against intruders with, among other things, robust firewalls and complicated passwords.

The intent was to keep the bad guys out and thus to keep the crown jewels safe.

The problem is that this strategy no longer is working.

More and more the opinion of security professionals is that if professional hacker organizations – funded by, among others, China, Israel, possibly a few affluent criminal groups – want into a network, they will find a way.

It will take time, possibly months, but they are patient – thus the name Advanced Persistent Threats (APT) – and, eventually, they will get in.

“The perimeter is dead,” said David Knight, an executive with security firm Proofpoint. He made his claim vivid by pointing to extensive Proofpoint research into the ever-more sophisticated “spear phishing” campaigns that seek to get log in details from targeted victims.

According to Proofpoint's data, about one in every 10 spear phishing emails is clicked on and in many cases malware and more winds up on a target's computer.

And that means a bad guy can jump over all the perimeter defenses because he has a valid log in.

Even worse, said Mike Lloyd, chief technology officer at security firm Redseal Networks, “The attackers are using automation. They can attack on a grand scale. If we just use bows and arrows we will lose.”

Hackers today are unleashing blitzkrieg attacks that bombard targets with many, many intrusion attempts. The thinking is that some will get through. And, usually, that proves true.

“We need to respond strategically,” said Lloyd.

That is next-generation security and it's explained below.

A first reality, however, is that no one is seriously proposing ending perimeter security.

“Perimeter security is like your front door — if you leave it open flies, gnats and other pests will get in your house. Shutting the door keeps these pesky bugs out the same way a firewall can keep out the attackers that don't have higher level technical skills or automated tools. Perimeter security is not going away, it will continue to be the first line of defense,” explained Lamar Bailey, director of security research and development for nCircle.

The vast majority of attacks aimed at financial institutions are clumsy efforts and those are the ones that will be deflected by simple firewalls.

Added the director of information security at one of the nation's largest credit unions: “Some folks will bark on this one but I would use a firewall that leverages geo-location to reduce the locals capable of connecting externally.” He requested anonymity because he was not authorized to comment on the record for his credit union.

His point: He believes his institution's security is significantly augmented by blocking access from entire geographies. That is a hotly debated topic and, yes, skilled hackers can hide their true location. But his point is that if an institution is getting no legitimate traffic from, say, Iran, just shut that nation off entirely.

But beyond the firewall, then what? Matt Lane, a vice president at security firm 41st Parameter, wrote his recipe in an email: “While there is no panacea when it comes to account security, a layered defense is the best way for a financial institution to ensure they are as protected as possible.

“Layering a strong authentication system at the front door, an account surveillance and anomaly detection system to monitor activity inside the account that may precede a monetary event, and a transaction monitoring system scrutinizing suspicious money movement will ensure a financial institution has eyes in all of the right places regardless of how a fraudster chooses to perpetrate a particular attack.”

A key ingredient in new style protection, agrees just about every security expert, is this “anomaly detection,” that is, when is a user – even one with what appears to be valid credentials – behaving oddly?

Said Jim Bearce, an executive with security firm Vigilant Technology, “How do you identify anomalies? To do that you have to know what's normal.”

He ominously added: “It's not an IT problem. It's a business problem. You can't look to IT to solve this problem.”

Question: If your CEO logs on at 3 a.m. on a Saturday night and begins downloading hundreds of account records – is that an anomaly?

Should the CEO's access be locked down, immediately – and if in fact it is the real CEO, let him call in and explain why he needs this anomalous – that is, extraordinary – access?

But you see: that thinking is not inherently IT in nature. It's more rooted in business process and, to work, this defense has to start in rapid detection of something unusual happening.

Frankly, it's of little use to detect an intrusion the next day in checking logs. Detection has to occur in real time, as does decision-making on how to minimize any losses.
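The "know what's normal, then flag the deviation" idea, applied to the CEO scenario above, as an added example that is not from the article or from any vendor quoted in it. The session history, the thresholds and the lock/review/allow policy are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed session history: (user, weekday 0=Mon..6=Sun, login hour, records accessed)
HISTORY = [
    ("ceo", 0, 8, 5), ("ceo", 1, 9, 12), ("ceo", 2, 10, 8),
    ("ceo", 3, 9, 10), ("ceo", 4, 8, 7), ("ceo", 4, 17, 9),
]

def build_baseline(history):
    """Learn what is normal per user: usual weekdays, usual hours, record volume."""
    raw = defaultdict(lambda: {"days": set(), "hours": set(), "records": []})
    for user, day, hour, records in history:
        raw[user]["days"].add(day)
        raw[user]["hours"].add(hour)
        raw[user]["records"].append(records)
    return {
        user: {"days": d["days"], "hours": d["hours"],
               "mean": mean(d["records"]),
               "std": pstdev(d["records"]) or 1.0}  # avoid divide-by-zero on flat history
        for user, d in raw.items()
    }

def score_session(baseline, user, day, hour, records, hour_slack=2, z_limit=3.0):
    """Return the reasons a session deviates from the user's own baseline."""
    profile = baseline.get(user)
    if profile is None:
        return ["no baseline for user"]
    reasons = []
    if day not in profile["days"]:
        reasons.append("weekday never seen for this user")
    # Circular distance on the 24h clock to the nearest usual login hour.
    gap = min(min(abs(hour - h), 24 - abs(hour - h)) for h in profile["hours"])
    if gap > hour_slack:
        reasons.append(f"login hour is {gap}h from any usual hour")
    z = (records - profile["mean"]) / profile["std"]
    if z > z_limit:
        reasons.append(f"record volume z-score {z:.1f}")
    return reasons

def decide(reasons):
    """Assumed policy: two or more deviations lock the session pending a call-in."""
    if len(reasons) >= 2:
        return "lock"
    return "review" if reasons else "allow"

BASELINE = build_baseline(HISTORY)
print(decide(score_session(BASELINE, "ceo", 5, 3, 400)))  # Saturday, 03:00, 400 records
```

Because each session is scored against a stored profile as it arrives, the decision can be made at login time rather than from the next day's logs.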

Is that possible? The oddity is that although many security professionals express profound depression about the failure of the traditional safeguards, there is mounting optimism that new tools – big data analytics in particular – will bring ever more security to networks.

Bottom line: this is a time for in-depth reassessment. What is working, what needs to be beefed up, what new weapons need to be added.

Do that, suggest the security pros, and just maybe there are good reasons for believing that in fact the sky is not falling.

At least not just yet.
