IT Security Teams Should Focus on Security Resolutions Rather Than Security Predictions
As 2012 comes to a close, many security vendors have issued predictions on what security issues and trends would dominate our collective attention in the New Year. As SecurityWeek reviewed dozens of vendor-compiled predictions, we noticed that most were things already happening now, or were self-centered predictions that a particular problem would be a major concern—but ironically one that the vendor could help address with their solutions.
SecurityWeek’s conclusion is that IT security teams should focus on resolutions rather than predictions. While keeping an eye on the ever-changing threat landscape is important, organizations worried about what might happen should instead focus on what they can do to improve their security posture.
We make New Year's Resolutions for our personal lives each year, yet we rarely talk about resolutions to improve the security of our networks, our data, and infrastructure. SecurityWeek chatted with a few security experts and compiled a list of security resolutions for 2013.
The first resolution is to shake things up and make security a strategic focus for the entire organization. "Stop doing the same things over and over again and expecting different results," Anup Ghosh, founder and CEO of Invincea, told SecurityWeek.
It's time to recognize the user is the primary target of attack—and always will be—and "training the problem away" isn't the answer, Ghosh said. In a recent survey of more than 500 people conducted by Invincea, 83 percent of the respondents said their organizations used training, but only 20 percent of that group said it had any measurable impact.
Organizations need to think of the endpoint as the new perimeter and look for innovations at the endpoint, such as secure virtual containers and behavioral-based scan engines, he said. "Take a chance on new technologies at the endpoint—perhaps even to the point where you rip out subscription based A/V if you need budget replacement," Ghosh said, adding, "Do something—be a change agent—take action and innovate."
Along the theme of doing things differently, Lawrence Pingree, a research director at Gartner, suggested organizations "pursue threats rather than compliance." Many security professionals say that being compliant doesn't necessarily mean the organization is secure. We learned this the hard way with the massive data breach in South Carolina this year. While Gov. Nikki Haley was technically correct that the state had met all of its compliance requirements and followed guidelines, the fact that the state hadn't encrypted some of the sensitive data made the breach far more serious than it would have been otherwise.
Organizations need to "realize that most compliance related mandates deal with threats of ten years ago," Pingree said. Instead of worrying about meeting requirements, organizations should focus on "advanced persistent security to combat today’s threats," Pingree said. If they are truly secure, compliance would automatically follow.
Learn about your network, Eddie Schwartz, CISO of RSA Security, advised. Organizations must "dramatically deepen their knowledge of what is happening right now on their network," he said. Most organizations are not aware when the systems in their networks are connecting to unknown servers and to malicious Websites, and without network visibility, they don't know what they are up against.
Organizations need to gather comprehensive information about the status of standard internal controls as well as insight and effective management of critical security processes such as identity, authentication, and encryption, Schwartz said. Big Data analytics may help make sense out of all the security data.
Once the organization has some visibility in the network, the next step is to proactively deal with all unknown things, not just the bad stuff they know about. "We have seen customer after customer fundamentally change their security posture once they begin to proactively manage things that are unknown or anomalous, and not just the things that are known to be bad," said Wade Williamson, senior security analyst at Palo Alto Networks. Forensically analyze every incoming file as a preventive measure to identify what happens when the file is executed, and take action accordingly.
Attackers spend a lot of time and effort to make sure their malware and attack domains don't trigger any security alerts. Security teams need to be suspicious of unknown network traffic coming in and out of the network. In many cases, malware needs to be able to leave the network to communicate with its command-and-control server, so organizations need to be scrutinizing outbound traffic, Williamson said.
The same goes for unknown or uncategorized URLs in firewalls and Web security products that filter out malicious URLs. Customers may not want to block a site simply because it’s uncategorized, but security teams can easily apply rules that prevent executables from being downloaded from uncategorized (read: unknown) sites, for example.
"We have seen customers reduce their exposure to 0-day malware by 75 percent just by using this simple trick," Williamson said.
Organizations need to think about what accesses the network, and manage them accordingly, said Catalin Cosoi, chief security researcher at BitDefender. Simple things such as flash drives can have "catastrophic consequences on overall network security," Cosoi noted, especially if the devices are lost or stolen. Infected-flash drives still spread malware, as well.
"Incidents such as Flamer are a bitter reminder of the powers of flash-based storage in today’s network environments," Cosoi said.
Networks also need to be segmented more granularly, which will help monitor the traffic flowing through as well as allow administrators to shut down one section of the infrastructure without impacting the rest of the company, Williamson said.
The network can be segmented by user role and application and how they should be able to communicate internally. "While everyone is likely to need to get to the Internet, everyone probably does not need to get to the internal accounting system," Williamson said.
Security controls help organizations assess risks and make informed decision about which issues take priority. Organizations should also use network security controls to improve risk assessment and mitigation, said Matt Dean, FireMon COO.
"There are lots of reasons that we don’t connect every device directly to the Internet and we spend millions of dollars on network security," Dean said, noting, "When evaluating vulnerabilities to understand the risk that is posed, factor in both access to and value of the asset in addition to the severity of the vulnerability." This will ensure that priority is given to "assets that are reachable from threat sources and can greatly reduce risk," Dean said.
Learn about the network, but that's not the only thing to worry about. Organizations should resolve to "double-down on identifying critical intellectual property," said Gunter Ollmann, CTO of IOActive. Instead of trying to protect everything, organizations should focus on identifying where "their truly valuable intellectual property actually rests and consolidate defenses at that level," he said.
Dean agreed, saying organizations need to know where the important systems are. Every asset doesn't have to have a value, but the important ones should be known and risk ranked, Dean said. Knowing who the threat actors are and knowing which systems are sensitive would give administrators sufficient information to understand and improve security.
During the assessment, organizations need to think about the non-traditional systems, such as smart TVs and conferencing systems, since anything that runs software can someday be exploited, Cosoi said.
This sounds pretty simple, but it's startling how many organizations don't run simulations regularly. For the New Year, organizations should commit to running a firedrill/simulation/table-top exercises, said Ted Julian, CMO of Co3 Systems. Simulations help ensure staff are ready in case of a real breach and identify gaps in technology or process to respond effectively. Not being ready to handle a breach can result in lost customers and revenue, regulatory fines, brand damage, and a drop to the stock price.
Since they aren't as urgent the way a real data breach would be, simulations often get overlooked, put off until the last minute, or are otherwise given short shift, Julian said.
Ollmann agreed, saying, "Incident response should be a pre-planned action, not a 'hair on fire' experience."
"By failing to give simulations the time and attention they deserve, firms deny themselves all of these benefits while at the same time increasing the likelihood that their response come the day is flawed," Julian said.
If distributed denial-of-service (DDoS) attacks are a concern, it's time to geographically diversify infrastructure in 2013, said Tommy Stiansen, the CTO of cyber-risk intelligence company Norse Corporation. Companies can reduce their vulnerability to DDoS attacks and improve their ability to maintain business continuity by distributing their infrastructure, Stiansen said.
Organizations need to be moderately skeptical about the bring-your-own-device trend, Cosoi said. While allowing users to bring their own devices to work may cut down on IT-related costs, it weakens the IT team, Cosoi said. Ollmann agreed, noting that resistance was futile and organizations should plan for unauthorized devices connecting to the corporate network. One way to deal with the trend is to implement application-level security and policy controls, to ensure that data remains within the applications on the server and is not downloaded onto the client device, Ollmann said.
If the organization develops its own code, it's time to review application development standards with developers, Cosoi said, noting that "security through obscurity is starting to re-gain adoption as a response to agile software development." Many developers think speed and simplicity trumps all and often sacrifices security. The problem is, it may wind up costing the business more than saved work hours, especially if the application is compromised by a malicious entity. Developers should not be running server-side software with easy-to guess or no passwords at all - even for computers that seem to be inaccessible from the web, Cosoi said.
The above resolutions is a pretty comprehensive list and covers a whole range of areas. Perhaps it is a little overwhelming to think about all the various pieces to focus on. Well, what if the entire task can become less daunting?
There is already a list of specific controls and recommendations, which if implemented, could dramatically improve the organization's security posture. While there is no one single thing that will address all security concerns, applying the 20 Critical Security Controls from the SANS Institute will result in "enormous benefits," said Wolfgang Kandek, CTO of Qualys. The prioritized list of actions also offers implementation guidance for newcomers ("Quick wins") and for more experienced teams ("more involved"), Kandek said.
The US State Department, under CISO John Streufert, has demonstrated more than 94 percent reduction in "measured" security risk through the rigorous automation and measurement of the Top 20 Controls.
No one is saying to attack the entire list—either the SANS list or our list of security resolutions—but the idea is to start small. "Look at your existing tools and data sources and work in increments," Kandek said. The challenges may be huge, but there is no need to be discouraged.
What's important is to actually do something. 2012 has shown us that security is lagging, and organizations are overdue for a change.
"Bang your drums LOUDLY - gather up all of the news over the last 12 months and bring it to your next business line meeting...security can NO LONGER be an after thought - it must be a strategic focus for the firm," Invincea's Ghosh said.