Do your security policies and procedures actually promote better security, or is your company only looking for known malware and ignoring the human factor? It’s a tricky balancing act that trips up many organizations.
The recent spate of data breaches at major U.S. organizations has raised questions about how effective current security tools and approaches are when it comes to dealing with emerging threats.
Private and public enterprises have spent tens of billions of dollars to bolster security over the past decade, yet malicious attackers consistently succeed in evading whatever roadblocks are thrown their way.
The trend has led many organizations to embrace a back-to-basics approach focused equally on people, processes and technology. Rather than viewing the security function as a bothersome cost of doing business, a growing number of organizations see it as a strategic enabler of new initiatives.
"Security and product development are not mutually exclusive," says Ron Green, MasterCard's chief information security officer. "We don't look at security as being a siloed responsibility."
Instead, MasterCard's security specialists are embedded with teams focused on identifying business innovations, in units such as MasterCard Labs, Emerging Payments and Enterprise Security Solutions, Green says. The focus is on managing products for the long term and using security to enhance the cardholder experience.
"Our executive team has the expectation that we build security into everything we do as a standard practice," says Green. And while that practice may add time to the project schedule, it's worth the trouble. "[Security] is table stakes for customers now, and you're expected to deliver," he says.
IT leaders say five key measures are needed at a strategic level to bolster security. The manner in which these measures are implemented might vary at a tactical and operational level. But the key, users and experts say, is to focus on the high-level goals.
1. Strengthen the network perimeter
Perimeter technologies such as antivirus tools, firewalls and intrusion-detection systems have long been the mainstay of enterprise security strategies. They work by looking for specific markers, or signatures, of known viruses and other types of malware and then blocking the malicious programs.
Over the years, public- and private-sector organizations alike have tended to spend more on perimeter security tools than on any other security product category, though analysts have warned that perimeter defenses alone aren't enough to keep systems safe.
But the continuing breaches at major organizations have hammered home the reality that signature-based perimeter tools are ineffective against the highly targeted attacks of the sort employed by malicious hackers these days. Few enterprises appear ready to forgo perimeter technologies altogether, and many insist that the tools still play an important role in protecting against malware. Nonetheless, perimeter technologies as the sole, or even major, line of defense are inadequate, says IBM security researcher Marco Pistoia.
"Cybersecurity attacks have shown that hackers can now bypass virtually any type of physical restriction," Pistoia says. "Perimeter-based defenses are still necessary, but by all means insufficient to guarantee the security of a computing system."
From a strategic and tactical standpoint, it's important for enterprises to view perimeter-based defenses as just one of the necessary links of the security chain, he says.
Equally important are pattern recognition and predictive analytics tools that can help enterprises establish a baseline of normal network activity and then spot deviations from that behavior. Just as network firewalls are needed at the perimeter to block known threats, Web application firewalls are needed to deflect the malware that does manage to breach the outer perimeter, says Matt Kesner, CIO at Fenwick & West, a Mountain View, Calif.-based law firm.
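The baseline-then-deviation idea described above, shown as a small added example (written for this page, not code from Fenwick & West or any vendor mentioned): it learns each host's normal daily outbound volume from constructed log lines, then flags days that stray from that host's own norm. The host names, volumes and the 3-sigma limit are assumptions; a fixed threshold is included for contrast.

```python
import statistics
from collections import defaultdict

# Constructed daily outbound KB per host, "<day> <host> <kb_out>"; hosts and values are made up.
LEARNING_LINES = """
d01 ws01 52
d01 ws02 81
d01 db01 19
d02 ws01 48
d02 ws02 79
d02 db01 21
d03 ws01 55
d03 ws02 84
d03 db01 20
"""
MONITORED_LINES = """
d04 ws01 50
d04 ws02 82
d04 db01 47
d05 ws01 53
d05 ws02 78
d05 db01 51
"""

def parse(text):
    # Turn log lines into (day, host, kb_out) tuples, skipping blank lines.
    rows = [line.split() for line in text.splitlines() if line.strip()]
    return [(day, host, int(kb)) for day, host, kb in rows]

def build_baseline(records):
    # Per-host mean and sample standard deviation of daily outbound volume.
    per_host = defaultdict(list)
    for _, host, kb in records:
        per_host[host].append(kb)
    return {h: (statistics.mean(v), statistics.stdev(v)) for h, v in per_host.items()}

def static_threshold_alerts(records, limit_kb):
    # A fixed, signature-style rule: fires only if one day's total exceeds the limit.
    return [r for r in records if r[2] > limit_kb]

def baseline_alerts(records, baseline, z_limit=3.0, min_stdev=1.0):
    # Flag any host whose daily volume sits more than z_limit stdevs from its own norm.
    alerts = []
    for day, host, kb in records:
        mean, stdev = baseline.get(host, (0.0, 0.0))  # unseen host: no norm, so anything stands out
        z = (kb - mean) / max(stdev, min_stdev)       # floor guards against a zero stdev
        if abs(z) > z_limit:
            alerts.append((day, host, kb, round(z, 1)))
    return alerts
```

Here db01's 47 KB and 51 KB days are smaller than ws02's everyday traffic, so a global limit of 100 KB never fires, while the per-host baseline flags both days.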
"On the technology front, we are still spending time and money on the perimeter," Kesner says. But instead of sticking more signature-based blocking capabilities at the network edge, Kesner has set up redundant malware-blocking systems and firewalls at all levels of the network, including in front of the firm's Web application servers. Fenwick & West uses a log event coordination system that enables IT to aggregate, correlate and analyze logging and rule information from all the devices on the network.
Kesner has also deployed several products from niche vendors for specialized functions like inspecting directory information for signs of suspicious privilege escalation and searching for evidence of deeply concealed network intruders. "We spend a lot of time making sure the perimeter works exactly as we intended," Kesner says. "We assume breaches will happen, and want to be better guarded against it."
A new category of specialized products that has evolved in recent years features so-called "kill chain" tools. Available from vendors like Palo Alto Networks, these systems not only help companies find malware; they also enable them to monitor how hackers use malicious programs to move inside the network, and that information ultimately helps users neutralize the threat.
Many of the tools are based on the premise that individual hackers and hacking groups usually use the same malware tools and follow a set pattern when attacking targets. So by identifying the group or groups behind an attack, it becomes easier for organizations to mount a defense against the specific tools and methods that are likely to be employed.
2. Build a detection and response capability
A vast majority of the attacks against enterprises these days are targeted strikes carried out by organized criminal gangs or nation state actors. The random, scattershot attacks of the past have been replaced by campaigns that are carefully designed to extract corporate information, intellectual property, trade secrets and financial data. Rather than smash and grab, the emphasis most often is on lying low and siphoning out large quantities of data in small, mostly unnoticeable increments over a lengthy period of time.
In such an environment, any security strategy should place at least as much emphasis on detection and response as it does on prevention.
"Preventative tools based on static rules and signatures cannot stop determined, advanced attackers from gaining a foothold," says Rob Sadowski, director of technology solutions at RSA, the security division of EMC. It's important, therefore, to prioritize early detection and response to ensure that an intrusion won't result in business damage or loss, he says.
To drive this change, IT leaders need to use tools that give them more granular visibility into what is happening across their infrastructure, Sadowski says.
It's necessary, for instance, to augment existing log-centric monitoring with network packet capture and endpoint-monitoring technologies that enable security administrators to get a more complete picture of attacker activity.
Use of identity management, identity governance and behavioral analytics tools is also vital in spotting and limiting the impact of compromised credentials and identities, Sadowski says.
MasterCard's Green says organizations need to take a multilayered approach to security. "If you're only looking one way, you can't cover all that you need to," he says, referring to enterprises that rely too heavily on signature-based perimeter security.
That multilayered approach should include a means of guarding against insider attacks, not just external attacks. "Internal threats are often more challenging," Green explains. "So you should have a robust and layered security program that addresses both [internal and external threats] and allows you to quickly identify and remedy situations as they arise."
3. Secure code development
Vulnerable Web applications have often provided hackers with relatively easy access to corporate networks and data, so securing them is vital to ensuring data integrity and confidentiality.
Common, well-understood shortcomings like SQL injection flaws, cross-site scripting flaws and broken authentication and session management functions have tripped up numerous organizations. But the recent wave of intrusions at major organizations has really driven home the need for secure code.
"If you're developing an app, along with that comes an expectation of security," Green says. "You [also] have an expectation that the vendors from whom you purchase technology are at the top of their game when it comes to security and privacy protection." The same is true of supply chain partners and other providers of goods and services, he adds.
Hardening the software component of a computing system is particularly tricky because vulnerabilities can be nested deep within the code, says IBM's Pistoia. To prevent applications from being attacked, and thereby safeguard data integrity, enterprises must make security part of all the phases of the software life cycle, and proper code review practices need to be in place, he says.
For many large organizations, manual code review would be prohibitively expensive. So a viable alternative would be to automate the code-review process by combining static and dynamic program analysis and by making the code analysis process an integral part of application development.
"Advanced application development systems now check application code on every commit or on a periodic basis," Pistoia says. They show developers the issues that need to be remediated in succinct and easy-to-follow steps, he adds.
"The application layer has become the latest battleground for cybersecurity and the focus not only of security teams, but of development and [systems development life cycle] teams too," says Chris Pierson, general counsel and chief security officer at Viewpost, a supplier of an online invoicing and payment platform.
The focus on both static and dynamic code reviews has become more baked into the product development pipeline, he says, adding that IT professionals are paying more attention to the Open Web Application Security Project's top 10 security risks.
Importantly, the growing adoption of DevOps practices is giving some organizations an opportunity to integrate security at an early stage of the software development life cycle. "Security is a big driver for DevOps adoption," says Alan Shimel, an information security professional and editor-in-chief of DevOps.com.
Developers and operations teams need to recognize that security must be a shared responsibility and work to integrate controls earlier in the product life cycle. And it needs to happen more often than it does now, he says. "We are still at the stage where in most organizations we are trying to convince the security guys that DevOps can improve security," Shimel says.
4. Take care of the people factor
Many of the biggest attacks in recent years have started fairly innocuously, with attackers gaining entry into networks using log-in credentials belonging to legitimate users such as employees, business partners or suppliers. Hackers use slick social engineering techniques and phishing emails to pry loose a password and username belonging to someone with access to a corporate network and then use that initial foothold to find and access critical enterprise systems and data stores.
The tactic, used by the intruders who hacked Target, Home Depot, the U.S. Office of Personnel Management and other sites, has focused attention on the need for employees and other authorized users to be more aware of security risks — and on the need for training to ensure that users are able to recognize and resist potential threats. (For more on this type of training, see "Of Black Hat and security awareness".)
"Employees really need to be aware of the role they play in protecting company assets," says MasterCard's Green.
In many cases, people with access to enterprise data don't feel personally obligated to protect that access. To encourage such users to accept some responsibility for safeguarding corporate systems, Green says MasterCard is "building a culture of learning, so we can educate employees on a regular basis about how they can keep our assets safer, especially as new threats emerge."
As part of the effort, MasterCard uses a combination of traditional training approaches and what Green describes as "edutainment" to impart important messages. "Because criminals are always getting smarter, we have to stay a step ahead of them in terms of awareness and protection," he says. The idea is to impress upon employees that they are very much a part of the security team even though they may not report into security.
"Because of this, creative ways to enhance our security have emerged," Green says, pointing to a security initiative called SafetyNet for protecting cardholder data that MasterCard launched last October as one example.
5. Secure your business processes
A company can have the best security technology and still be tripped up by bad practices and processes. That's why the Fenwick & West IT organization has implemented what Kesner describes as several small and big changes to the policies and processes pertaining to the manner in which sensitive data is handled.
Previously, for instance, the law firm's policy was to encrypt incoming and outgoing client data whenever it was possible to do so. These days, it's an absolute requirement. Kesner's team has also implemented new policies for ensuring that data on the company's storage-area networks is encrypted at rest and while in transit. Sensitive data on all company laptops and desktops is supposed to be encrypted, and IT runs audits and tests every six months to verify that it is.
The law firm has third parties and security firms come in periodically to do penetration tests and mock attacks where nothing is off limits. "With the appropriate confidentiality agreements in place, we let security engineers come in and try and do penetration tests on everything," Kesner says. Afterward, the IT team asks the security firm to come up with a list of five changes that can be turned into actual security policies.
Fenwick & West now requires all partners to disclose in writing the complete details of their security practices and to acknowledge that they in turn understand the law firm's security policies and processes. Partners are required to implement a token-based form of two-factor authentication and are no longer permitted to use just a username and a password to authenticate themselves to Fenwick's networks.
Organizations of all kinds are taking similar approaches. Cybersecurity is a top priority, and leadership teams and boards of directors recognize this fact. "Directors want and demand to know what the company's cybersecurity stance and position is from a controls, governance and operational perspective," says Viewpost's Pierson.
"If you want to capture and retain the trust of your customers, security and privacy will be baked into your culture and value proposition."
This story, "5 tips for better enterprise security," was originally published by Computerworld.