Band-aids and Paper Clips Won’t Protect You Against Today’s Threats

Change doesn’t come easy for many, but it may be time to stop and rethink your chosen path. Maybe change is exactly what your enterprise needs.

There’s a price on your data. And it seems that every lowlife cyberthug, morally challenged competitor, and rogue-nation despot is after the bounty. In addition to external threats, enterprises like yours also face insider sabotage, identity fraud, and unauthorized access to systems and networks. Every day these threats grow in number and sophistication, complicating the task of staying ahead of the onslaught. Put simply, a piecemeal approach to security and compliance, coupled with disjointed risk management processes, won’t get the job done.

Okay Gary, tell me something I don’t already know. Hold on. It’s coming. Stay with me, and I’ll tell you how to fix two of your biggest risk management challenges: securing your databases and reducing patch complexity to stay ahead of threats.

The Evidence for Change Is All Around Us

Too many companies get caught up in a “checkbox compliance” mentality or use the “spray and pray” technique for deploying security products to get ahead of threats before they can wreak havoc on their business. Neither approach affords the level of protection needed today or does anything to allow you to better manage your limited resources.

You only have to look back at all the trouble nasty malware like Aurora, Stuxnet, and Night Dragon recently caused to realize something more needs to be done to protect company assets—especially those residing in enterprise databases.

CIOs, database administrators, and everyone in between are beginning to see the light. Many of these IT professionals understand the value of a layered solution that provides security in depth. However, far too many companies have layer after layer of point products that must be separately maintained and managed, without any visibility into how effectively those products protect what they’ve been tasked with protecting. Moreover, their “patch early and often” approach simply isn’t a viable, sustainable strategy since it puts them in constant fire-fighting mode.

It’s time for a change. Of course, change doesn’t come easy for many. And it can feel especially unnatural when you’ve already invested heavily in point products. However, when those point products are leading you down a dead-end road, maybe it’s time to stop and rethink your chosen path. Maybe change is exactly what your enterprise needs.

The Study

At McAfee, we were interested in learning about the factors that consumers of risk and compliance products face in 2011. So we commissioned Evalueserve to perform an independent study. The study, titled Risk and Compliance Outlook 2011, surveyed 353 IT decision-makers, consultants, and security analysts around the globe to gain their views regarding the challenges they face in risk and compliance management.

Challenges in Managing Risk

Among the several challenges noted in the survey, the top three were: discovering security threats, uncovering vulnerabilities, and identifying which assets are adequately protected.

Although companies are aware of factors such as correlating threats, vulnerabilities, and asset value to the business, they still find it challenging to execute the measures necessary to address them. Understandably, organizations prefer to reduce their efforts while driving down risk, indicating a strong need for automation of the IT risk management process.

What’s working here

Effective risk management depends on accurate and comprehensive visibility into the enterprise IT environment: networks, servers, endpoints, operating systems, applications, databases and more—and the value of each to the organization. Overall, 74 percent of the participating companies agreed that visibility into the risk posture of their IT environment is important. And visibility translates directly into more efficient operations. Half the companies estimated that they save from six to ten hours per week if they have 100 percent visibility into the risk posture of their businesses.

So ideally, you would want to work with a security vendor who handles the majority of the heavy lifting when it comes to discovering threats. This vendor would have the resources in place to immediately capture, analyze, and synthesize malware and malicious websites into a threat feed. In turn, this feed would automatically correlate with your system state data—including vulnerability, configuration, patch level, and application inventory—and deployed countermeasures. At any moment then, you would have visibility into which of your systems, if any, were at risk, so you could focus your attention on the critical assets that need it.

Databases Need Better Protection

CIOs and database administrators alike used to think that their databases were protected by the security implemented in their frontline applications and web interfaces that connected to the databases.

Unfortunately, that simply isn’t reality. Once a cybercriminal or piece of malware gets through that first line of defense, they have virtually unfettered access to the organization’s databases. In fact, findings from a 2010 Verizon Business Study showed that more than 92 percent of records breached involved a database. Since companies store their most critical and sensitive data in databases, it’s imperative that they apply optics to effectively lock down databases from prying eyes. For many organizations, that data is their lifeblood; any loss, interruption, or security breach would mean disaster.

What’s working here

To meet their database security requirements and handle change management issues, 75 percent of the responding companies currently deploy configuration assessment tools. This is followed closely by file integrity monitoring and database activity monitoring products—both at 68 percent. However, a whopping 93 percent of respondents indicated that they were currently deploying or are expecting to deploy database activity monitoring (DAM) tools in the near future.

Strong change control monitoring, enforcement, and reporting are essential to effectively implementing and maintaining a risk management and compliance program for databases on an enterprise scale.

Patch Smarter, Not Harder

System patching remains the core remediation function in IT security. Generally, IT decision-makers are confident in their abilities to patch security flaws. However, they tend to invest tremendous numbers of work hours into the patching process, and out-of-cycle patches significantly disrupt their operations when they occur, which is way too often. To this point, the survey also showed that 82 percent of respondents feel that out-of-cycle patches significantly impact productivity.

One problem facing organizations today is determining which systems actually need to be patched or otherwise remediated. As a result, 44 percent of surveyed companies said that they overprotect by patching everything possible. “When in doubt, patch” is clearly not a good way to reduce patching time, manage costs or keep business-critical systems online. Correlated asset discovery, vulnerability detection, and countermeasure-aware risk assessment can help IT staff identify systems requiring remediation, prioritize patching, and avoid or at least delay patch roll outs.
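The correlation described here and in the earlier threat-feed paragraph (a feed matched against system state and deployed countermeasures), sketched as an added example that is not from the article, the study, or any vendor product. Asset names, vulnerability ids, control labels, and the three action tiers are constructed for illustration.

```python
# Constructed sample data: asset names, vulnerability ids and control labels
# are placeholders, not values from the article or from a real threat feed.
ASSETS = [
    {"name": "hr-db",    "value": 5, "vulns": {"VULN-A", "VULN-B"},
     "controls": {"db-activity-monitoring"}},
    {"name": "web-01",   "value": 3, "vulns": {"VULN-A"},
     "controls": {"ips-sig-A"}},
    {"name": "kiosk-7",  "value": 1, "vulns": {"VULN-C"}, "controls": set()},
    {"name": "build-02", "value": 2, "vulns": {"VULN-B"}, "controls": set()},
]

# Threat feed: vulnerabilities under active exploitation, mapped to the
# countermeasures assumed to block that exploitation (empty set = none known).
THREAT_FEED = {
    "VULN-A": {"ips-sig-A", "app-whitelisting"},
    "VULN-B": set(),
}

def triage(assets, feed):
    """Return (action, asset, vuln) tuples, most urgent first."""
    rows = []
    for asset in assets:
        for vuln in sorted(asset["vulns"]):
            if vuln not in feed:
                rank, action = 2, "next-cycle"   # vulnerable, no active threat
            elif feed[vuln] & asset["controls"]:
                rank, action = 1, "defer"        # threatened but shielded
            else:
                rank, action = 0, "patch-now"    # threatened and exposed
            # Within a tier, higher business value sorts first.
            rows.append((rank, -asset["value"], asset["name"], vuln, action))
    return [(action, name, vuln) for _, _, name, vuln, action in sorted(rows)]

def out_of_cycle_savings(assets, feed):
    """Compare 'when in doubt, patch' with correlated triage."""
    plan = triage(assets, feed)
    urgent = sum(1 for action, _, _ in plan if action == "patch-now")
    return {"patch_everything": len(plan), "patch_now": urgent}

if __name__ == "__main__":
    for action, name, vuln in triage(ASSETS, THREAT_FEED):
        print(f"{action:<11} {name:<9} {vuln}")
    print(out_of_cycle_savings(ASSETS, THREAT_FEED))
```

The `defer` tier is the countermeasure-aware part: web-01 carries the same actively exploited flaw as hr-db, but only hr-db lacks a control that blocks it, so only hr-db needs an out-of-cycle patch for it.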

What’s working here

Risk mitigation products are helping organizations streamline their patch management programs by automating the discovery of vulnerable systems, the determination of which countermeasures are already in place protecting these vulnerable systems, the remediation and verification of patch operations, and auditing and reporting tasks. These products take the guesswork out of when and where to focus efforts—boosting security and ensuring regulatory compliance, while saving time and money. Study estimates revealed that an average of 12 work-hours could also be saved per week if patching frequency were reduced from weekly to monthly. Ideally, in time, patching—even in the event of an out-of-cycle patch—will be done once or twice each year. Imagine the time and hard dollar savings when this happens!

Strive for Strong, Effective Risk and Compliance Management

Overall, the Risk and Compliance Outlook 2011 report suggests that forward-thinking companies are avoiding checkbox compliance and fire-drill responses to security incidents. Instead, these companies favor sustained, continuous, and auditable risk management and compliance initiatives that address IT security as a business risk. And that’s promising news, as it helps ensure the best possible security posture and, by extension, meet compliance while reducing costs and allowing organizations to focus more on their core business.
