Losing The Battle
Security shot up the priority list of not just CIOs but also higher management in 2012 as the world witnessed the effects of countless breaches on top organisations.
As a fresh year presents itself, several questions are keeping those CIOs and management awake at night. Namely, are we next? And, is our infrastructure strong enough?
It seems that investing in the top security solutions available is not enough. Technology is constantly evolving, and so is the IT threat landscape. Consequently, it is extremely difficult to keep up.
“If we look back over the last year, it’s clear that attackers have been able to breach the security defences of many enterprises,” says David Emm, Senior Regional Researcher, Global Research and Analysis Team, Kaspersky Lab.
“We also found further evidence of malware being used as cyber weapons and there were attacks on cloud-based systems.”
Despite this, Emm is reluctant to admit that hackers are ‘winning the war’ against security solutions.
“For one thing, it’s important to remember that security breaches make headlines, not ‘malware fails to penetrate enterprises across the globe’,” he says.
“For another, security is not like a TV – i.e. either on or off. Rather, it’s a process, and one that takes in many different aspects – including security software, strategy, staff awareness and more.”
Robert Lipovsky, Malware Researcher, ESET, emphasises the human element as a key factor in the victories hackers have accumulated in the last year.
“We’re seeing a shift in terms of infection vectors from the machine to the human side so there is lots of sophisticated malware that is exploding and some software vulnerabilities, but it’s much easier for them to exploit human vulnerabilities through things like social engineering. It can be easy to trick humans to open or download things. I would hope that businesses have policies set up about software patching and updates, but where they often lack is employee education.”
Whilst the human element is undeniably a significant factor, and it is of course true that big breaches garner more attention than the failed attacks, the fact remains that existing security has evidently failed on numerous occasions.
This is simply down to the fact that data is now born to be free and shared, and as such a significant re-evaluation is required, according to Miguel Braojos, VP of Sales Southern Europe, Middle East and Africa (SEMEA), SafeNet.
“Successive waves of data breaches, big and small, are highlighting how breach prevention that focuses on protecting the network simply isn’t working. While the determination of hackers is a great part of the problem, a prime reason 20 years of breach prevention is unravelling is down to our changing relationship with the data itself,” he says.
“Traditional perimeter defences are failing because they are so out of step with how much we need to share data about ourselves to live our digital lives. Indeed the compulsion to share and exchange our data is what hackers exploit. So a fundamental change of security posture needs to take place.”
The big question
Once an organisation has accepted that this fundamental change is necessary, the next big question is, of course, how?
According to Nicolai Solling, Director of Technology Services at help AG, the process of re-evaluation should be centred on solid planning.
“Once all of the base security in an organisation has been addressed, the more in-depth enhancements of security should then take place where each and every identified risk is mitigated with the correct policies, processes and ultimately technical solutions,” Solling says.
Enterprises and decision makers need to understand that there is no single product, system, policy or practice which can deliver 100% certainty or protection, says Alaa Abdulnabi, Regional Pre-Sales Manager, Turkey Emerging Africa and Middle East, RSA.
“Organisations must be ready to revise their strategies based on proactive measures; they must anticipate unpredictable attacks. This way they are armed with the right tools and measures to minimise the damage associated with an unexpected breach without wasting any time. The new approach should be based on the fact that breaches are part of everyday life and it is a matter of time, and the aim today is to be ready when the breach happens,” he says.
Jamil Ezzo, General Director of ICDL GCC Foundation, adds that enterprises should look from the ground up by reviewing the policies, procedures, systems and skills.
“IT is an integral part of business today so it needs to be on the business agenda and not only on the IT agenda. Senior management needs to take overall responsibility as it requires a holistic approach. Additionally, sufficient time and resources need to be allocated to the evaluation process.”
When it comes to making those changes, the first and most significant thing that needs to change is the general outlook on security.
The goal of security must shift from primarily protecting the perimeter to continuously monitoring both the external and internal environment to detect threats early and minimise damage, Abdulnabi says.
“Security can no longer be lumped in with compliance regulations or procedures, as the slow, structured nature of compliance activities does little to protect IT environments. Today, enterprises require a security analytics system that can collect, manage and study a much wider scope of security data.”
Knowing your enemies
Braojos says by knowing exactly who the enemies are and what they’re after, enterprises can always stay one step ahead.
“You don’t protect yourself against these kinds of sophisticated organisations by building a bigger wall around your house – they will simply build a bigger ladder. You protect yourself by making it so difficult to access what they crave – which is always your data – that they give up and move on to someone else,” he says.
“In business terms, you create a very poor return on their investment in trying to steal your data. How do you do this? You put yourself in the mindset of your adversary and understand what they want to steal from you. From there, you’ll quickly realise that protection must be moved closer to what really matters – the data itself. Encryption is an ROI killer for any would-be attacker.”
Security infrastructure is shifting from point products to an enterprise-integrated approach based on key foundation elements that allow proactive alerting, real-time monitoring, analytical correlation, predictive threat management and simple management.
Consequently, most security challenges can be addressed by taking a look at people, their data, the apps they use and the infrastructure they traverse, according to Niraj Mathur, BDM-INS Services Practice, GBM.
“Security is always about in-depth defence with a layered approach to mitigate risks. Organisations must evaluate and deploy technology, keeping in mind their business needs and the threat landscape. Processes must be implemented to mitigate risks, as well as reviewed and updated regularly to keep up with today’s threat landscape,” Mathur says.
Solling says an enterprise organisation needs to have the right information security strategy in place with organisational and technical requirements suitably aligned.
“The security roadmap needs to have a phased approach where visibility is a cornerstone. You can only control what you can see and apply the policies accordingly. Simple things like privileged password management, two factor authentication and patch management need to be in place and these need ongoing maintenance.”
The strategy should be one that’s specifically tailored to the needs of that specific business, Emm adds. “Not one based solely on a generic best practices template or centred around loose ‘guestimates’ about the overall cost of cybercrime.
“What’s important is gauging how malware has impacted the business historically and how it might do so in the future. It’s also important to measure the effectiveness of the security tools the business uses and to have a process for updating the strategy to meet new threats as they arise.”
The need for a chief security officer or dedicated security team has been debated in IT circles for a while.
However, if an enterprise decides a re-evaluation of infrastructure is required to suit modern security threats, the time for a CSO has arrived.
“It is no longer possible for the IT team to ensure security and best practices implementation across all systems at all times. It is always burdened with time pressures and limited resources,” Mathur says.
“Hence, it is very important that an internal, independent and dedicated team be formed to work in tandem with the IT teams. The CSO in such organisations would report to top management and ensure appropriate attention is given to security threats. With most organisations wanting to adopt best practices, it is more important now than ever before to form a dedicated risk and compliance team.”