Ideal intrusion defense combines processes and people

By Bill Brenner, Senior News Writer
25 Apr 2006 | SearchSecurity.com

Security Wire Daily News

A global IT service provider with 39,000 employees and thousands of computing devices is sure to be a tempting target for digital desperados. But which attack scenarios are most likely to keep the security chief up at night? Dave Bixler, CISO for Siemens Business Services Inc., a subsidiary of Munich-based Siemens AG, lists three:

  • Spyware;
  • Stolen or misplaced laptops whose local passwords can be bypassed within minutes using freely downloadable tools; and
  • Employees who load sensitive files onto USB keys and then lose them.

    About Intruder Alert

    Intrusion defense programs are often touted for their ability to guard against today's evolving threats. Based on an exclusive survey of IT professionals, SearchSecurity.com's special news series Intruder Alert takes a look at real-world intrusion defense programs and which vendors are considered most valuable to those in the trenches.

    Series menu

  • DAY 1: Ideal intrusion defense combines processes and people -- What defines good intrusion defense? IT pros say the best programs not only thwart insiders with bad computing habits, but also the spyware and other malware they let in.

  • DAY 2: To executives, intrusion defense is a hard sell   -- Security administrators say intrusion defense frustrates them not only because executives are reluctant to buy in, but also because even the top products have a long way to go.

  • DAY 3: With intrusion defense vendors, one size doesn't fit all -- A majority of IT shops rely on Cisco and Symantec for intrusion defense. But others are just as happy using free open source tools.

  • INTRUDER ALERT: Looking at the numbers -- In February, SearchSecurity.com surveyed 307 IT professionals from a variety of industries regarding their intrusion defense programs. Here is a look at some of the questions we asked and the answers they gave.
    "You can go to any meeting and people toss these USB keys around," Bixler said. "I'm sure people leave them on airplanes and in hotel rooms with the data on them. I really worry about where my data goes and how to keep it from going where I don't want it to go."

    He's not alone. Of 307 IT professionals who responded to a February SearchSecurity.com survey about their intrusion defense programs, a majority said their biggest concerns are insiders whose computing habits put sensitive data at risk and the spyware and other malware they let in. Those are the threats they most want their intrusion defense tools to address, but they're not always pleased with the results.

    "Spyware is a huge problem because the AV vendors have largely let us down," Bixler said. "The main vendors are starting to step up, but they were two years late to the table as far as I'm concerned. Spyware is another flavor of virus, and the last thing I wanted was another tool to put on everyone's desktop to take care of what's essentially another virus."

    Where the worries are
    When asked what aspect of their intrusion defense tools they would most like improved, 35.6% of respondents said they want better detection and prevention of insider threats, such as employees abusing policy and downloading proprietary information onto flash drives.

    More than 32% said they want better spyware prevention, fewer false positives and the ability to separate serious attacks from network noise. More than 30% want a better way to detect unknown/zero-day attacks, while 25.8% want better virus and worm prevention and 25.2% want a better way to correlate threats to vulnerabilities.

    Asked what would prompt them to switch to a different IDS/IPS vendor, 45.4% said a different vendor's product would have to better detect and prevent attacks. More than 35% said they'd switch if a different vendor's product were easier to install, administer or manage.

    If another vendor's product offered a wider array of security functions and features, 33% would switch. More than 32% would migrate to a different vendor whose product better integrates with the enterprise infrastructure; and 25.2% would make the move if it were less expensive while providing as much security as their current tool.

    Wayward mobile devices weren't always high on Bixler's list of insider threats. That changed the day a departing employee turned in a laptop without telling the IT staff what the password was.

    "I went on the Internet looking for freeware to set the administrative password on the box," he said. "It took eight minutes from the time I found the right freeware on Google to when I was able to open the laptop. I did this while talking on the phone and I'm not particularly good at this stuff."

    User education a big weakness
    Jeremy Martin can understand why IT professionals are so concerned about insiders. He's a Colorado Springs, Colo.-based penetration tester who spends his working days trying to bust into the networks of large commercial enterprises and government entities like the U.S. Department of Defense.

    He'll start with a basic scan and work his way through the network until he's found all the vulnerabilities. He dabbles in social engineering, sending out phishing e-mails to see if anyone will open them. His goal is to show clients where they are weakest on security and how intruders are getting in.

    Unfortunately, Martin said, most organizations' biggest weakness is user education. "People are opening those phishing e-mails," he said. "People will write down their passwords or use the same password over and over."

    As for spyware, Martin said most serious infections can be traced back to users with bad computing habits.

    "Spyware is an issue in that people open an e-mail or visit a site they shouldn't, then the spyware is dropped onto the machines," he said.

    Words of advice
    When clients ask him how they can seal security holes, Martin offers this advice: Employees across the board must learn their organizations' security policies and follow them consistently.

    "You need to make sure everyone understands the policy through training," he said, adding that people must know what is and isn't considered appropriate use of the Web, e-mail and so on. Plus the usage policy must be consistent for top executives and junior employees alike.

    Of course, those policies must also be well defined. "One thing I keep seeing is a lack of definition in the policies," Martin said. "So they're open to interpretation and people interpret things differently."

    City of North Vancouver IT Manager Craig Hunter, whose department oversees workstations used by 350 employees, agrees user education is important. But he said the average employee will never become an information security expert.

    "The best you can do is embed security into systems so the users don't see it," he said. His philosophy: "Make it easier for users to do it right than to do it wrong."

    To that end, his IT shop ensures workers' application sessions are terminated when they're no longer needed. The department uses a content filter -- from San Diego-based Websense Inc. -- to block Web sites that might otherwise drop malware onto the network, including spyware, which has caused the department problems in the past. It also uses IronPort Systems Inc.'s Brightmail appliance to reduce spam and viruses.

    The best defense is always layered
    Looking at the big picture, Bixler, Martin and Hunter agreed that user awareness is only one part of a larger, layered defense. That way, if an intruder punches through one end of the network, he will be stopped by devices and procedures deployed in other parts of it.

    "It's also important to have software that monitors activity not just on the network but also on the individual PCs," Martin said.

    One word to the wise, he added, is to use one AV vendor on the network and another on desktops. "One vendor may update signatures more quickly and broadly than another," Martin said. "So with both, you have better coverage."
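    The layered approach Martin describes, monitoring the network and the individual PCs and then putting the two together, is easier to see in code than in a sentence. The following is an added example written for this page, not code from the article or from any product it names. The host-agent event shape, the proxy log format, the sample records and the three thresholds are all constructed assumptions; a real EDR or DLP agent and a real proxy would emit richer records. It correlates two layers the article singles out: writes to a freshly attached USB drive (the insider concern from the survey) and proxy blocks in a spyware category (the malware concern), and returns one alert list keyed by host.

```python
"""Layered detection: correlate host-agent events with proxy logs.

Added example for this article, not code from the article or any vendor it
names. Event formats, thresholds and every sample record are constructed
assumptions used only to illustrate the technique.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed host-agent events: (ISO timestamp, host, user, event, detail).
# For usb_attach the detail is the drive letter; for file_write it is
# "<path> <bytes>". A real agent's schema would differ.
HOST_EVENTS = [
    ("2006-04-25T09:00:05", "ws-0142", "jdoe", "usb_attach", "E:"),
    ("2006-04-25T09:01:10", "ws-0142", "jdoe", "file_write", "E:\\q1_financials.xlsx 2400000"),
    ("2006-04-25T09:02:30", "ws-0142", "jdoe", "file_write", "E:\\customer_list.csv 8100000"),
    ("2006-04-25T09:40:00", "ws-0142", "jdoe", "file_write", "E:\\notes.txt 512"),
    ("2006-04-25T10:15:00", "ws-0077", "asmith", "usb_attach", "F:"),
    ("2006-04-25T10:16:00", "ws-0077", "asmith", "file_write", "F:\\slides.ppt 900000"),
]

# Constructed proxy log lines: timestamp client_host user status category url
PROXY_LINES = """\
2006-04-25T08:55:01 ws-0077 asmith BLOCKED spyware http://example.invalid/toolbar.exe
2006-04-25T08:55:03 ws-0077 asmith BLOCKED spyware http://example.invalid/tracker.cab
2006-04-25T08:56:10 ws-0077 asmith BLOCKED spyware http://example.invalid/update.dll
2006-04-25T09:10:00 ws-0142 jdoe ALLOWED business http://intranet.example/
2006-04-25T09:30:00 ws-0201 bwong BLOCKED spyware http://example.invalid/one.exe
"""

EXFIL_WINDOW = timedelta(minutes=10)   # assumed: writes this soon after attach are counted
EXFIL_BYTES = 5_000_000                # assumed: bytes to removable media that raise an alert
SPYWARE_HITS = 3                       # assumed: blocked spyware fetches that raise an alert


def _ts(s):
    return datetime.fromisoformat(s)


def removable_media_alerts(events):
    """Return {(host, user): bytes} for hosts that wrote EXFIL_BYTES or more
    to a removable drive within EXFIL_WINDOW of its attach event."""
    attach_at = {}                      # (host, drive) -> attach time
    written = defaultdict(int)          # (host, user) -> bytes inside the window
    for ts, host, user, kind, detail in sorted(events, key=lambda e: e[0]):
        when = _ts(ts)
        if kind == "usb_attach":
            attach_at[(host, detail)] = when
        elif kind == "file_write":
            path, size = detail.rsplit(" ", 1)
            drive = path[:2]            # "E:" from "E:\\q1_financials.xlsx"
            t0 = attach_at.get((host, drive))
            if t0 is not None and when - t0 <= EXFIL_WINDOW:
                written[(host, user)] += int(size)
    return {k: v for k, v in written.items() if v >= EXFIL_BYTES}


def spyware_alerts(lines):
    """Return {host: count} for hosts with SPYWARE_HITS or more proxy blocks
    in the spyware category."""
    hits = defaultdict(int)
    for line in lines.splitlines():
        if not line.strip():
            continue
        _, host, _user, status, category, _url = line.split(maxsplit=5)
        if status == "BLOCKED" and category == "spyware":
            hits[host] += 1
    return {h: n for h, n in hits.items() if n >= SPYWARE_HITS}


def analyze(events=HOST_EVENTS, proxy=PROXY_LINES):
    """Merge both layers into one alert list keyed by host, keeping the
    evidence behind each alert so an analyst can triage it."""
    alerts = defaultdict(list)
    for (host, user), nbytes in removable_media_alerts(events).items():
        alerts[host].append(f"{user} wrote {nbytes} bytes to removable media within {EXFIL_WINDOW} of attach")
    for host, n in spyware_alerts(proxy).items():
        alerts[host].append(f"{n} blocked spyware fetches at the proxy")
    return dict(alerts)


if __name__ == "__main__":
    for host, reasons in sorted(analyze().items()):
        print(host)
        for reason in reasons:
            print("  -", reason)
```

    On the constructed data, ws-0142 is flagged by the host layer alone (10.5 MB copied to a USB drive two minutes after it was plugged in; the small write 40 minutes later falls outside the window) and ws-0077 by the network layer alone (three blocked spyware fetches), which is the point of running both: neither source would have produced both alerts by itself. The thresholds are deliberately crude; in practice they would be tuned per site to keep the false-positive rate the survey respondents complain about under control.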

    All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy