Do your security policies and procedures actually promote better security, or is your company only looking for known malware and ignoring the human factor? It’s a tricky balancing act that trips up many organizations.
The recent spate of data breaches at major U.S. organizations has raised questions about how effective current security tools and approaches are when it comes to dealing with emerging threats.
Private and public enterprises have spent tens of billions of dollars to bolster security over the past decade, yet malicious attackers consistently succeed in evading whatever roadblocks are thrown their way.
The trend has led many organizations to embrace a back-to-basics approach focused equally on people, processes and technology. Rather than viewing the security function as a bothersome cost of doing business, a growing number of organizations see it as a strategic enabler of new initiatives.
"Security and product development are not mutually exclusive," says Ron Green, MasterCard's chief information security officer. "We don't look at security as being a siloed responsibility."
Instead, MasterCard's security specialists are embedded with teams focused on identifying business innovations, in units such as MasterCard Labs, Emerging Payments and Enterprise Security Solutions, Green says. The focus is on managing products for the long term and using security to enhance the cardholder experience.
"Our executive team has the expectation that we build security into everything we do as a standard practice," says Green. And while that practice may add time to the project schedule, it's worth the trouble. "[Security] is table stakes for customers now, and you're expected to deliver," he says.
IT leaders say five key measures are needed at a strategic level to bolster security. The manner in which these measures are implemented might vary at a tactical and operational level. But the key, users and experts say, is to focus on the high-level goals.
1. Strengthen the network perimeter
Perimeter technologies such as antivirus tools, firewalls and intrusion-detection systems have long been the mainstay of enterprise security strategies. They work by looking for specific markers, or signatures, of known viruses and other types of malware and then blocking the malicious programs.
Over the years, public- and private-sector organizations alike have tended to spend more on perimeter security tools than on any other security product category, though analysts have warned that perimeter defenses alone aren't enough to keep systems safe.
But the continuing breaches at major organizations have hammered home the reality that signature-based perimeter tools are ineffective against the highly targeted attacks of the sort employed by malicious hackers these days. Few enterprises appear ready to forgo perimeter technologies altogether, and many insist that the tools still play an important role in protecting against malware. Nonetheless, perimeter technologies as the sole, or even major, line of defense are inadequate, says IBM security researcher Marco Pistoia.
"Cybersecurity attacks have shown that hackers can now bypass virtually any type of physical restriction," Pistoia says. "Perimeter-based defenses are still necessary, but by all means insufficient to guarantee the security of a computing system."
From a strategic and tactical standpoint, it's important for enterprises to view perimeter-based defenses as just one of the necessary links of the security chain, he says.
Equally important are pattern recognition and predictive analytics tools that can help enterprises establish a baseline of normal network activity and then spot deviations from that behavior. Just as network firewalls are needed at the perimeter to block known threats, Web application firewalls are needed to deflect the malware that does manage to breach the outer perimeter, says Matt Kesner, CIO at Fenwick & West, a Mountain View, Calif.-based law firm.
"On the technology front, we are still spending time and money on the perimeter," Kesner says. But instead of sticking more signature-based blocking capabilities at the network edge, Kesner has set up redundant malware-blocking systems and firewalls at all levels of the network, including in front of the firm's Web application servers. Fenwick & West uses a log event coordination system that enables IT to aggregate, correlate and analyze logging and rule information from all the devices on the network.
Kesner has also deployed several products from niche vendors for specialized functions like inspecting directory information for signs of suspicious privilege escalation and searching for evidence of deeply concealed network intruders. "We spend a lot of time making sure the perimeter works exactly as we intended," Kesner says. "We assume breaches will happen, and want to be better guarded against it."
A new category of specialized products that has evolved in recent years features so-called "kill chain" tools. Available from vendors like Palo Alto Networks, these systems not only help companies find malware; they also enable them to monitor how hackers use malicious programs to move inside the network, and that information ultimately helps users neutralize the threat.
Many of the tools are based on the premise that individual hackers and hacking groups usually use the same malware tools and follow a set pattern when attacking targets. So by identifying the group or groups behind an attack, it becomes easier for organizations to mount a defense against the specific tools and methods that are likely to be employed.
2. Build a detection and response capability
A vast majority of the attacks against enterprises these days are targeted strikes carried out by organized criminal gangs or nation state actors. The random, scattershot attacks of the past have been replaced by campaigns that are carefully designed to extract corporate information, intellectual property, trade secrets and financial data. Rather than smash and grab, the emphasis most often is on lying low and siphoning out large quantities of data in small, mostly unnoticeable increments over a lengthy period of time.
In such an environment, any security strategy should place at least as much emphasis on detection and response as it does on prevention.
"Preventative tools based on static rules and signatures cannot stop determined, advanced attackers from gaining a foothold," says Rob Sadowski, director of technology solutions at RSA, the security division of EMC. It's important, therefore, to prioritize early detection and response to ensure that an intrusion won't result in business damage or loss, he says.
To drive this change, IT leaders need to use tools that give them more granular visibility into what is happening across their infrastructure, Sadowski says.
It's necessary, for instance, to augment existing log-centric monitoring with network packet capture and endpoint-monitoring technologies that enable security administrators to get a more complete picture of attacker activity.
Use of identity management, identity governance and behavioral analytics tools is also vital in spotting and limiting the impact of compromised credentials and identities, Sadowski says.
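The baseline-and-deviation idea described earlier in this piece, and the low-and-slow exfiltration pattern this section opens with, as an added example that is not from the article or from any of the vendors it quotes: a small Python detector that builds a per-user baseline of daily outbound bytes from constructed flow summaries and flags users who sit persistently above it even though no single day trips a fixed volume cap. The log lines, user names, window sizes and the 50 MB fixed daily limit are all assumptions chosen for illustration.

```python
"""Baseline-and-deviation detector for low-and-slow data exfiltration.

Added example, not from the Computerworld article or any vendor product.
Builds a per-user baseline of daily outbound bytes from constructed flow
summaries, then flags users whose recent days sit persistently above that
baseline even though no single day exceeds a fixed volume threshold.
"""
import statistics
from collections import defaultdict

# Constructed sample: "date,user,bytes_out" daily totals per user (assumed format).
# alice behaves normally; bob sends a small, steady extra amount every day in week 2.
FLOW_LOG = "\n".join(
    [f"2015-03-{d:02d},alice,{v}" for d, v in enumerate(
        [21_000_000, 19_500_000, 23_000_000, 20_000_000, 22_000_000,
         18_000_000, 24_000_000, 20_500_000, 21_500_000, 19_000_000,
         22_500_000, 20_000_000, 21_000_000, 23_500_000], start=1)]
    + [f"2015-03-{d:02d},bob,{v}" for d, v in enumerate(
        [15_000_000, 16_000_000, 14_500_000, 15_500_000, 16_500_000,
         14_000_000, 15_000_000, 24_000_000, 25_000_000, 23_500_000,
         26_000_000, 24_500_000, 25_500_000, 24_000_000], start=1)]
)

FIXED_DAILY_LIMIT = 50_000_000  # assumed single-day cap of a static DLP rule


def parse_flows(text):
    """Return {user: [(date, bytes_out), ...]} sorted by ISO date."""
    per_user = defaultdict(list)
    for line in text.splitlines():
        date, user, nbytes = line.split(",")
        per_user[user].append((date, int(nbytes)))
    return {u: sorted(rows) for u, rows in per_user.items()}


def flag_low_and_slow(per_user, baseline_days=7, z=2.0, min_days_over=5):
    """Flag users whose post-baseline days are persistently above mean + z*sd.

    The first `baseline_days` of each user form the baseline; every later
    day is compared against it. A user is flagged when at least
    `min_days_over` of those days exceed the threshold, which catches a
    sustained small increase that a fixed per-day limit would never see.
    """
    findings = {}
    for user, rows in per_user.items():
        base = [b for _, b in rows[:baseline_days]]
        recent = rows[baseline_days:]
        mean, sd = statistics.mean(base), statistics.pstdev(base)
        threshold = mean + z * sd
        days_over = [d for d, b in recent if b > threshold]
        findings[user] = {
            "days_over_baseline": len(days_over),
            "excess_bytes": int(sum(max(0, b - mean) for _, b in recent)),
            "exceeds_fixed_limit": any(b > FIXED_DAILY_LIMIT for _, b in recent),
            "flagged": len(days_over) >= min_days_over,
        }
    return findings
```

Running `flag_low_and_slow(parse_flows(FLOW_LOG))` flags bob on all seven post-baseline days while his traffic never approaches the fixed 50 MB cap, and leaves alice unflagged.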
MasterCard's Green says organizations need to take a multilayered approach to security. "If you're only looking one way, you can't cover all that you need to," he says, referring to enterprises that rely too heavily on signature-based perimeter security.
That multilayered approach should include a means of guarding against insider attacks, not just external attacks. "Internal threats are often more challenging," Green explains. "So you should have a robust and layered security program that addresses both [internal and external threats] and allows you to quickly identify and remedy situations as they arise."
3. Secure code development
Vulnerable Web applications have often provided hackers with relatively easy access to corporate networks and data, so securing them is vital to ensuring data integrity and confidentiality.
Common, well-understood shortcomings like SQL injection errors, cross-site scripting flaws and broken authentication and session management functions have tripped up numerous organizations. But the recent wave of intrusions at major organizations has really driven home the need for secure code.
"If you're developing an app, along with that comes an expectation of security," Green says. "You [also] have an expectation that the vendors from whom you purchase technology are at the top of their game when it comes to security and privacy protection." The same is true of supply chain partners and other providers of goods and services, he adds.
Hardening the software component of a computing system is particularly tricky because vulnerabilities can be nested deep within the code, says IBM's Pistoia. To prevent applications from being attacked, and thereby safeguard data integrity, enterprises must make security part of all the phases of the software life cycle, and proper code review practices need to be in place, he says.
For many large organizations, manual code review would be prohibitively expensive. So a viable alternative would be to automate the code-review process by combining static and dynamic program analysis and by making the code analysis process an integral part of application development.
"Advanced application development systems now check application code on every commit or on a periodic basis," Pistoia says. They show developers the issues that need to be remediated in succinct and easy-to-follow steps, he adds.
"The application layer has become the latest battleground for cybersecurity and the focus not only of security teams, but of development and [systems development life cycle] teams too," says Chris Pierson, general counsel and chief security officer at Viewpost, a supplier of an online invoicing and payment platform.
The focus on both static and dynamic code reviews has become more baked into the product development pipeline, he says, adding that IT professionals are paying more attention to the Open Web Application Security Project's top 10 security risks.
Importantly, the growing adoption of DevOps practices is giving some organizations an opportunity to integrate security at an early stage of the software development life cycle. "Security is a big driver for DevOps adoption," says Alan Shimel, an information security professional and editor-in-chief of DevOps.com.
Developers and operations teams need to recognize that security must be a shared responsibility and work to integrate controls earlier in the product life cycle. And it needs to happen more often than what's going on now, he says. "We are still at the stage where in most organizations we are trying to convince the security guys that DevOps can improve security," Shimel says.
4. Take care of the people factor
Many of the biggest attacks in recent years have started fairly innocuously, with attackers gaining entry into networks using log-in credentials belonging to legitimate users such as employees, business partners or suppliers. Hackers use slick social engineering techniques and phishing emails to pry loose a password and username belonging to someone with access to a corporate network and then use that initial foothold to find and access critical enterprise systems and data stores.
The tactic, used by the intruders who hacked Target, Home Depot, the U.S. Office of Personnel Management and other sites, has focused attention on the need for employees and other authorized users to be more aware of security risks — and on the need for training to ensure that users are able to recognize and resist potential threats. (For more on this type of training, see "Of Black Hat and security awareness".)
"Employees really need to be aware of the role they play in protecting company assets," says MasterCard's Green.
In many cases, people with access to enterprise data don't feel personally obligated to protect that access. To encourage such users to accept some responsibility for safeguarding corporate systems, Green says MasterCard is "building a culture of learning, so we can educate employees on a regular basis about how they can keep our assets safer, especially as new threats emerge."
As part of the effort, MasterCard uses a combination of traditional training approaches and what Green describes as "edutainment" to impart important messages. "Because criminals are always getting smarter, we have to stay a step ahead of them in terms of awareness and protection," he says. The idea is to impress upon employees that they are very much a part of the security team even though they may not report into security.
"Because of this, creative ways to enhance our security have emerged," Green says, pointing to a security initiative called SafetyNet for protecting cardholder data that MasterCard launched last October as one example.
5. Secure your business processes
A company can have the best security technology and still be tripped up by bad practices and processes. That's why the Fenwick & West IT organization has implemented what Kesner describes as several small and big changes to the policies and processes pertaining to the manner in which sensitive data is handled.
Previously, for instance, the law firm's policy was to encrypt incoming and outgoing client data whenever it was possible to do so. These days, it's an absolute requirement. Kesner's team has also implemented new policies for ensuring that data on the company's storage-area networks is encrypted at rest and while in transit. Sensitive data on all company laptops and desktops is supposed to be encrypted, and IT runs audits and tests every six months to verify that it is.
The law firm has third parties and security firms come in periodically to do penetration tests and mock attacks where nothing is off limits. "With the appropriate confidentiality agreements in place, we let security engineers come in and try and do penetration tests on everything," Kesner says. Afterward, the IT team asks the security firm to come up with a list of five changes that can be turned into actual security policies.
Fenwick & West now requires all partners to disclose in writing the complete details of their security practices and to acknowledge that they in turn understand the law firm's security policies and processes. Partners are required to implement a token-based form of two-factor authentication and are no longer permitted to use just a username and a password to authenticate themselves to Fenwick's networks.
Organizations of all kinds are taking similar approaches. Cybersecurity is a top priority, and leadership teams and boards of directors recognize this fact. "Directors want and demand to know what the company's cybersecurity stance and position is from a controls, governance and operational perspective," says Viewpost's Pierson.
"If you want to capture and retain the trust of your customers, security and privacy will be baked into your culture and value proposition."
This story, "5 tips for better enterprise security" was originally published by Computerworld.