
Security tools help reduce insider threat.

By Bill Brenner, News Writer
21 Sep 2005 | SearchSecurity.com


Continued from Page 1

Will today's threats push PKI into the mainstream?
For many enterprises, Nolte's faith in PKI is tempered by the slowness with which the technology has been developed for commercial use. Whitfield Diffie and Martin Hellman, considered the fathers of PKI, have acknowledged commercial advancement has been far slower than first expected -- held back by standardization and capital development issues. Up to this point, it has been most widely used by the government.

Indeed, in CoreStreet's Cambridge offices, it's clear who the company's biggest clients are. A shelf on a conference room wall is lined with the seals of the Department of Homeland Security, Army, Air Force, Department of Defense and a number of intelligence agencies. But company President Phil Libin said commercial deployments have been picking up in the past year.

"There's more of a focus on disaster recovery in the private sector, and when you're in a recovery phase you want to re-establish services people expect despite the damaged infrastructure," he said. "You want to make sure people can still buy gas even though the credit card system is down. Validation tools can help. We're starting to talk to people working on contingency plans for gas stations, supermarkets and so on… We're looking at how you let people make transactions with existing IDs like a driver's license."

But despite its disaster management potential, Nolte doesn't see PKI as the silver bullet to slay the insider beast. "From my perspective, we're getting to where we need to deal with the insider threat," he said. "We're not there yet. Awareness and training are essential. But I also think we're moving toward the point where you need a license to use the Internet -- another way of proving you are who you say you are."

Centralize it, log it and stay sharp
For those who aren't in the position to mount a DOD-style war on malicious insiders, the key now is to keep a sharp eye on who is entering your building or puttering around on your computer network. For Calpine's Curry, the best defense is a centralized system to monitor various computer systems for abnormal activity and log it all.

Curry found his solution in an appliance from Westwood, Mass.-based Network Intelligence Corp. "Two years ago we had all the intrusion detection, router switches, etc., and we were logging 60 gigabytes of data a day from different pieces of infrastructure," he said. "That's difficult to store. If you just want one day of information out of everything stored or see who is doing what on the Internet, it could take as long as two weeks to get data, depending on what you're looking for."

The internal threat should be anyone's No. 1 fear.
Jason James
VP of IT, Happy State Bank

He added, "It makes more sense for us to use an appliance. We track 900 events per second -- 1,500 when you factor in the servers -- and it's easier to centrally manage tracking of all this activity across multiple devices in the network."

The initial appliance cost his department around $20,000. Include subsequent add-ons and the cost approaches $50,000. It's been worth it, he said. "We have an internal security team that manages the threat response and issues on the policy end. Now I can provide the team with an interface so if they worry that someone has gained unauthorized access, they can order up a report that chronicles that person's network activity, seeing what changes he's made across the system, and seeing if it squares with what that person should be allowed to do."

Using simulations for better preparedness
Happy State Bank's James said his team has also gotten a better grip on where the network threats are using software from Boston-based Core Security Technologies, not to be confused with CoreStreet.

"Before Core, we didn't know what shape we were in," James said. "We had a firewall but no way to know if it was configured properly. Any server with internal or external exposure, we now have a better sense of when abnormal activity happens."

One reason is that they can run simulations of how different threats would affect the network. Instead of hiring a $100,000-a-year security professional to manually exploit systems and measure the threats, he said the Core software "can simulate every type of exploit for every type of system and I get a report to hand to our security committee and executives."

But like the others, James said there's no magic bullet for stopping insiders with an appetite for destruction.

"The internal threat should be anyone's No. 1 fear," he said. "Keeping out external attacks is one thing. But when it's from someone with trusted access, it's harder to get a handle on, especially as the company grows. Once upon a time I knew all the employees. Now we're so spread out it's harder."


