SHARING AMERICA'S TECH NEWS FROM THE VALLEY TO THE ALLEY
With no sign of a silver bullet when it comes to security technology, policies and procedures are becoming all the more important when facing increased threat levels. Guiding how a company responds to data breaches and denial of service attacks, experts say getting things right at the policy level has never been so critical, reports JJ WORRALL
Organizations who require superior security solutions are demanding more at policy level than ever before, with many accepting that the security technology available at present simply cannot be expected to withstand increased numbers of malicious threats.
Donnachadha Reynolds, security consultant with Integrity Solutions told ComputerScope that, “The current state of affairs regarding technical ‘silver bullet’ solutions is, unfortunately, that technical solutions alone are failing to meet the challenges posed by newer risks such as malware and social engineering. What we see is that solid security starts with the unglamorous basics. Good policies and procedures reflect a business that knows what it is trying to protect.”
It’s a point which Cisco Ireland country manager, Adam Grennan concurred with to a large degree. “Security always starts with the setting out of the security policy for the organisation and clearly communicating that policy throughout the organisation. Once this has been done then the policy can be implemented through the use of security tools.”
David Keating of DataSolutions though, warned against underestimating the importance of choosing the right tools alongside effective policies. “Security has to be driven by policy and procedure but with all the information that is generated by both users and the solutions they use; most organisations need tools to effectively monitor this information to enforce policy,” he said
Keating continued, “If you take something simple like a firewall or router logs; on their own they will create reams of information that policy and procedure might determine should be reviewed by IT to identify the tell-tale signs of security incidents. In reality to do this without the right tools would be a full-time job so to implement policy, security event and incident management (SIEM) tools such as EnVision from RSA need to be deployed.”
IT GOVERNANCE With incidents of data breaches, advanced persistent threats (APTs) and denial of service attacks on the rise, and being regularly discussed at boardroom level, RSA’s own Robert Griffin was keen to point out that while policies and procedures are an essential part of any security infrastructure, they remain “only a part”.
The chief security architect would note that polices and procedures have to participate in a larger IT governance process that ensures that IT is looking at risks appropriately, investing wisely in technology, operating as effectively as possible and “responding to the real business needs”.
Said Griffin, “IT governance itself needs to be part of the larger enterprise governance program that addresses the risks that could threaten the enterprise, its employees, its customers and the larger society in which we all participate.”
For the RSA man, the most important development in terms of security policies and procedures in the recent past has been the recognition that they must be part of a “larger risk-based governance model”. He added that frameworks such as the ISO 27000 series of standards or industry guidelines, including as the oft-commented on “Cloud Security Alliance threat taxonomy”, enable enterprises to define and assess the mechanisms they want to use to address the threats they face.
“There are many mechanisms that enterprises can use to provide the control and transparency required for responding to threats,” revealed Griffin. They include clear privacy and security policies that encourage appropriate employee behaviour; risk-based step-up authentication technologies for enhanced security on high-value transactions and so on. Decisions related to policies and procedures-like decisions related to technology investments-have to be made in the light of the risks the enterprise faces and the appropriate ways to respond to those risks.”
WORRYING One major concern for Integrity’s Reynolds is the basic policy failures of Ireland’s businesses. He asserted that “development and maintenance of policy and procedure has not kept pace with either legal or technical developments” in this country. In fact, he contended that the average policy he sees “is over five years old”.
Expanding on his point, Reynolds added that those half-decade-old policies don’t reflect legal standards at work across Europe regarding personal data protection in the workplace. “We have never seen a requirement for internal mandatory reporting of incidents. Most worryingly, there is no appetite to address these concerns. Most incidents in Ireland go unreported. Due to poor policy and procedure, legally pursuing individuals who steal your information is difficult for most companies. The end result is stark.”
He continued, “Companies embrace new technology, such as mobile intelligent devices, without looking at basics. They need to look at what they are trying to protect, what are the risks associated with this data on the platforms it is being accessed on, and what practical precautions staff should follow to protect this data. They also need know what they should do if something goes wrong, and how they can verify the integrity of the devices handling the data.”
FULLY TESTED Sian John, a security strategist with Symantec made the point that to handle any security attacks correctly, it’s essential to have a “fully tested and understood incident response procedure”. This, she added, is something that’s routinely overlooked by many organisations.
“They either do not have an incident response procedure or if they do, it has not been tested. This document should not be purely technical but also include the reactions of executives, PR and business leaders,” she said.
“With the advent of many of the cyber-security issues we’ve seen over the last few months, it’s key to ensure that these policies are not only developed but also tested via dry runs of the procedure to identify any gaps and issues before an incident occurs.”
DATA BREACHES Following up on John’s point regarding incident response testing, several of the security experts who spoke to ComputerScope were asked what approach they would take to handle both data breaches and denial of service attacks were they to find their own companies under attack. In the case of the former, Cisco’s Grennan said the best response is simply to concentrate on the advice in the Security Breach Code of Practice in Ireland’s Data Protection Act, while Reynolds also said the Office of the Data Protection Commissioner is “a very worthwhile place to ask for advice”. RSA’s Griffin commented that handling a data breach requires maintaining an IT security approach which is based on data collection and analysis in the first place. This, he added, creates security intelligence that detects both inadvertent security issues and “skilled adversaries”.
“For example,” he continued, “data loss prevention (DLP) technologies can look for the presence or movement of sensitive information in unexpected or risky places, such as by discovering private banking customer information in spreadsheets attached to e-mail messages, a situation that exposes the financial institution to legal problems and erosion of customer confidence. But the security intelligence that’s needed now has to be able to identify potential malicious activity from even more subtle and complex indicators.”
Take financial institutions for instance, Griffin noted how trading algorithms can be of inestimable value. Detecting that those algorithms may be at risk of theft by an employee leaving the company requires “correlation of access patterns related to those algorithms, indications of the algorithms being collected in unauthorised locations and association of that correlation with information about the employee, such as indicators they might be thinking of leaving the company”.
Similarly, he said, detecting the movement of personal information across national borders requires correlation of geographical information with knowledge of sensitive information. “This new approach to security requires not only effective technology, but also organisational structures and business processes that support proactive security intelligence,” Griffin added.
DENIAL OF SERVICE What then, should be done in response to a potentially crippling denial of service attack? “This,” said Grennan, “is one area where technology can help to mitigate the effects of such an attack.” On a similar note Integrity’s Reynolds said handling such incidents in a practical manner “requires some sort of solution where huge connections to the Internet are used that cannot be saturated by malicious traffic”. Large organisations, he said, can afford these or “alternatively, third party organisations can provide a transparent front-end service with this capability fronting for your web services”.
Continuing his point, Reynolds said that mitigation may require “religious patching” for both operating system and applications. “Anyone who believes they can leave a service hooked up 24/7 to the Internet and not patch it properly is inviting trouble. Every organisation should have a stated policy to patch,” he added.
For his part, Griffin said a combination of security intelligence derived from technology such as continuous external monitoring of response time, internal tracking of IP patterns and evaluation of traffic against empirical performance models, with adaptive strategies for response, “such as contracting for availability of virtual resources for burst responses”, will be “very effective” in handling denial of service attacks.
UNDERSTAND THE RISK EXPOSURE Looking ahead, Symantec’s John was keen to point out that the next year will see IT and information security becoming “more connected to the business”, having “being seen much more as an enabler” in the past. The security strategist claimed this there will be a greater focus on ensuring that “any spend is helping to drive forward the business’ objectives, whether that is policy or technology driven”.
John also said that there’s currently a drive towards “integrated risk and threat views across the estate”. So rather than defining technical issues and “buying lots of point product technology” to deal with the issues, she claimed it will be important to understand the risk exposure across the business and how the organisation stands against mitigating that risk.
“Therefore,” she continued, “the focus is on unified threat and risk management reporting and the ability to model different actions in order to ensure that the actions being taken appropriately mitigate risk.”
GOVERNMENT For Reynolds, any evolution of polices and procedures over the coming year to 18 months depends, in Irish terms, on “the Government changing its attitude to data protection”. The security consultant added that, “we have a voluntary ‘Code of Conduct’ for personal data protection. There isn’t much to stop this becoming a mandatory law except the will to do it.”
Elsewhere, advanced security management will, according to Griffin, leverage enhancements in visibility and in governance capabilities to put in place more effective processes, organisational structures and security technologies to combat data breaches and occurrences of denial of service. He also noted that advances in security controls themselves, such as in new cryptographic techniques that support limited visibility into encrypted information, will also emerge over the coming year.
BYOD Meanwhile Cisco’s Grennan addressed the burning issue of the bring your own device (BYOD) revolution. The security and risk mitigation of this, Grennan claimed, is becoming a rising concern in businesses across the globe. “Policies need to be adapted to cater for BYOD along with the rollout and development of new tools to implement these policies,” he said.
Grennan also commented that, as the surge of interest in the cloud and Big Data continues feverishly, “the true nature of shared services and infrastructure will have an impact on both tools and policies, how they are implemented, governed, controlled and monitored”. Organisations will need, he said, to be more mindful of the impact which transmission and continued storage of “personal identifiable data” may have on their customer base.
“Authentication, authorisation and auditing of applications and data will be key to the continued success and measurement of a good infosec policy,” concluded Grennan. “When addressing APTs, trust of auditing data and the ability to demonstrate a segregated control/management/data plane in order to protect the network will be invaluable. Also, it’s inevitable that software defined networking (SDN) and OpenFlow will allow for additional segregation in the data plane with differing levels of control, based on the signature or classification of that data plane.”
Read more: http://techinamerica.com/category/security/