Editor’s Note: This news story is part of SearchSecurity.com's "Eye on" series that brings together various perspectives on security topics throughout the year from SearchSecurity and its sister sites. In the month of June the series examines CISO management issues.
A plethora of high-profile data security breaches that marred the first half of 2011, and other recent high-profile attacks, such as Stuxnet, Operation Aurora and state-sponsored persistent threats, have dominated the discussion in the information security community. These incidents have highlighted a critical question for nearly all enterprises: How can an organization be more proactive, monitoring the threat landscape for actionable information to improve IT security programs?
While log management, security reporting tools and automated patch management systems can be effective in helping prevent successful attacks and collecting data after the fact, experts say in most organizations a more proactive security program is sorely needed, namely one that get’s employees thinking about risk management to thwart attacks before they infect endpoint machines. But turning around a security program stuck in a reactive mode is easier said than done.
“You want to be as close to current as you possibly can about the threats that are most significant to your organization,” said Scott Crawford, a research director in the security and risk management practice at Boulder, Colo.-based consulting firm Enterprise Management Associates. “There’s a trend toward collecting wide-ranging information, complementing that with internal expertise and using that expertise to better inform the tools of automation.”
There’s a huge gap between where the threats have moved to and what we have in our infrastructure investment and protective measures to defend against those attacks.
Khalid Kark, vice president and research director, Forrester Research Inc.
IT security programs: Start by looking internally
CISOs should have a general idea of the kind of attacker that is likely to target the organization, said Adam Rice, global chief security officer at communications vendor Tata Communications Ltd. Rice said Tata uses its own threat service internally and has an incident response team that monitors the latest vulnerabilities and attacks.
“A lot of times people take a shotgun approach and they’re not focusing on exactly what they should,” Rice said. “You have to have an eye on what the risk is and direct your program toward what you are protecting against.”
Once an organization has an idea of the specific threats that may impact the environment, Crawford said, IT teams can then tune the event-monitoring systems accordingly.
Most organizations already have the technologies in place to begin being more vigilant, experts say. The 2011 Verizon Data Breach Investigations Report (DBIR) found many organizations that experienced a breach had anomalous activity in their logs, but failed to notice or act on it. The volume of information being collected by systems can be overwhelming, said Wade Baker, director of risk intelligence for Verizon Business and one of the principal authors of the Verizon DBIR. Forensics investigators from Verizon have found many organizations fail to properly tune and monitor their intrusion detection and log management systems. One telling statistic from the report is 86% of breaches were discovered by a third party.
Baker said on average only 20% of breaches investigated by Verizon started with an attack that could have been detected by an IDS. More often, he said, attackers use stolen credentials and gain privileged user account access to bypass early detection systems.
“A lot of times the driver to implement IDS or log monitoring systems is to check a compliance box rather than really wanting to be good at threat detection,” Baker said.
It is not just enterprises that are having trouble addressing the constantly changing threat landscape. An antimalware vendor said it had to deploy up to 15 updates to its endpoint security software in one day to keep up with the constantly evolving malware environment, said Khalid Kark, vice president and research director at Cambridge, Mass.-based Forrester Research Inc.
Not only is malware constantly changing, but cybercriminal organizations are evolving almost as quickly. Independent cybercriminals use automated toolkits that attack targets of opportunity. More recently, hacktivist groups have carried out attacks against specific enterprises to disrupt business and further their political agendas. Similarly, well-funded, state-sponsored cybercriminal gangs have initiated attacks to infiltrate government contractors and other firms over a lengthy period of time to steal intellectual property.
“If you are a high-value target, and I’m a hacker, I’m going to try to create a specific targeted attack for your environment,” Kark said. “It is becoming increasingly difficult, irrespective of whatever defense capabilities you have, to be able to keep track of the sophistication of some of these attacks and keep track of the specific technologies being used in these attacks.”
Can an information security programs easily adapt?
Nearly all endpoint security vendors sell threat intelligence services that provide near-real-time alerts on emerging threats that matter most. Organizations can become too reliant on them, Kark warned, accepting the service’s data while missing out on actionable data pertinent to the specific industry. In addition, in order for the services to be effective, more resources need to be put in place. An internal team needs to make risk-based decisions based on the threat service data.
Security budgets are also misaligned, according to Kark. About 25% of security budget spending is on network security technologies, yet about 70% of the threats are directed at the application layer, Kark said. Forrester found that only 10% of security spending is on application security tools and processes.
“There’s a huge gap between where the threats have moved to and what we have in our infrastructure investment and protective measures to defend against those attacks,” Kark said.
Improve IT security programs: Chief risk officer
While defensive technologies are important, a good comprehensive security program is also going to consider the employees in an organization, said Jeff Reich, director of operations for the Institute for Cybersecurity at the University of Texas San Antonio. Determine who has access to sensitive servers, who are the most trusted and who are the most likely to fall for a social engineering attack.
“What are you doing for the receptionist out front who is the most likely person vulnerable to social engineering?” Reich asked.
CISOs must have a business acumen and ultimately should be the organization’s chief risk officer, who can blend the technical skills and knowledge of the threat landscape with business critical thinking and social skills. The person will help determine the risk profile of the organization and what steps are needed to accept, transfer or mitigate those risks, Reich said.
While there is no winning formula to creating a successful information security program, Reich said the most effective programs are driven by CISOs who spend most of their time with the company’s clients, business partners and employees.
“You should no longer be a geek behind a locked wall,” said Reich, who has spent 30 years as a CSO. “You’ve got to make effective risk management strategy part of their decision making.”