Published: 01 Apr 2004
Patrick Heim keeps a watchful eye on the clock. Not the clock in his San Francisco office, but what he calls the "virus doomsday clock," which counts down the time until the perfect worm brings the Internet to its knees.
Unlike IDS, a well-tuned IPS won't require a lot of baby-sitting.
Patrick Heim, VP of Enterprise Security, McKesson
"We're at about 5 minutes 'til midnight," says Heim, VP of enterprise security at McKesson, a $50 billion provider of health care management products and services. "We've already seen hybrid code that crosses over multiple platforms. We've seen code that creates hive networks that talk to each other. We've seen destructive ones. We've seen flooding ones. If someone synthesized the worst aspects of these into something new, we could be in deep trouble."
What's Heim doing about the threat of a doomsday worm? Everything he can, including beefing up risk assessment activities, tightening system configurations and access controls, running different flavors of AV on the gateway, servers and desktops, and evaluating new host- and network-based intrusion prevention systems (IPSes).
"We even have a budget for something we just call 'antiworm,'" he says. "We don't know what it's going to be, but we need to plan for the automated threat right now."
The issues facing Heim resonate across all enterprise security programs. How do you prepare for a doomsday worm when you don't know what it will look like or when (or even if) it will come? How do you balance efforts to head off the "big one" with the need to address hundreds of less-emergent but more quantifiable threats? How should you revamp you organization's policies and procedures to respond to new regulations and constant technological change? And which security technologies can help you achieve these goals without breaking the bank?
Information Security's "2004 Priorities Survey" shows that leading organizations are tackling these problems at multiple strategic, technical and operational levels. Conducted in February and March by Information Security research partner TheInfoPro (TIP)1, the survey is based on 175 one-hour interviews with U.S.-based Fortune 1000 companies, providing a rare behind-the-scenes look at the security practices and spending plans of multibillion-dollar firms such as McKesson, Motorola, Reed Elsevier/ LexisNexis, Panasonic and ABN AMRO.
The good news, according to the survey, is that 2004 security budgets are stable or growing at most Fortune 1000s; only 20 percent of interviewed companies say they're planning to spend less on their current vendors over the next 12 months. In particular, consumer goods/retail firms and health care/pharmaceutical companies are investing heavily in security in 2004 (see "2004 Security Spending Shift by Industry"). The bad news is that security budgets -- and the managers in charge of them -- are spread thinner than ever.
Faced with a constant barrage of cyberattacks, increasingly complex and perimeterless networks and growing regulatory pressure, Fortune 1000s are evolving a portfolio approach to IT risk management. Where smaller companies still pour the bulk of their budgets into perimeter technologies -- 74 cents per security dollar -- Fortune 1000 spending is evenly distributed among perimeter, infrastructure and security management (see "Budget Allocation by Overall Security Spending").
At the perimeter, the legacy base of network- and transport-layer security gear is being upgraded or supplemented with enhanced traffic inspection technologies, such as IPSes and Web-application firewalls. One-quarter of surveyed companies are evaluating SSL VPNs for application-specific access control. New investments in antispam software will taper off dramatically as it becomes a standard part of e-mail filtering, much like gateway AV.
At the infrastructure level, enterprises are focusing on new identity and access management tools aimed at reducing the cost and complexity of account administration in heterogeneous environments. User provisioning is in more plans as companies shift from homegrown software to packaged tools. In 2005, many security shops will evaluate (or, in some cases, reevaluate) single sign-on (SSO). Investments in host-based IDS and IPS will also grow, though more slowly than perimeter-based IDS/IPS. Spending on new wireless LAN security tools will also grow, though resistance to wireless still runs high.
The focus of security management is on vulnerability management products and practices, including assessment scanning and configuration management. Patch management is a top priority, with 16 percent of surveyed organizations planning to spend more on this activity in the next six months. While investments in security dashboards are growing, many organizations still rely on homegrown tools and manual, qualitative processes for risk management.
The Perimeter Is Dead...Sort Of
Leo Cronin, senior director of information security at LexisNexis, has spent the last two years creating a decision-support tool that would help him model "bad incomes" -- risks in which he can quantify the impact of a threat given a target's vulnerability and the probable cost of remediation. While an inexact and evolving science, Cronin's effort has enabled LexisNexis and its parent company, media conglomerate Reed Elsevier, to develop a scorecard of high-impact threats.
"It was clear that worms and viruses have the highest potential for financial and other losses to the company, mainly because of their frequency and the high potential for maliciousness," he says.
Smart switches and smart antennas are the best way to do good wireless security.
Leo Cronin, Senior Director of Information Security, LexisNexis
As in many large companies interviewed for the Priorities Survey, LexisNexis is investing in "active" perimeter technologies that supplement passive scanning gear, such as stateful inspection firewalls, signature-based IDSes and gateway AV. Although LexisNexis layers controls at the perimeter -- for instance, using reverse proxies to insulate its Web farms -- Cronin remains concerned about application-layer attacks, which were a close second to malware on his bad incomes list.
"The problem is that people still can drill into applications with port 80," he says. "They can potentially do a lot of things through HTTP. We've got some fairly key online properties. Things like defacements, tampering and DoS attacks could cause financial and reputational loss, as well as downward pressure on the stock."
Cronin recently deployed an inline IPS and is evaluating a dedicated Web application firewall. "We're trying to make sure those well-known attacks or people doing SQL injection or site tampering are prevented from doing so," he says.
The Priorities Survey shows that more and more companies are taking the plunge with perimeter-based IPSes, which rank fourth in The-InfoPro's Heat Index.
McKesson's Heim says he's also evaluating IPS as an alternative to passive monitoring.
"We haven't been able to get good value out of traditional IDS," he says. "They're not really intrusion detection systems. They're attack detection systems." Heim also bemoans the high overhead of IDS administration.
IPSes, on the other hand, "can give you a positive return even when you have staffing constraints," he says. "If it's reliable and if it's a mature product, a well-tuned IPS won't require a lot of baby-sitting."
Though it has a lot of promise, IPS is an evolving technology. When it fails, it often fails spectacularly, says Kevin Mock, VP of vulnerability management at ABN AMRO.
"Intrusion prevention is a neat idea, but I'm not 100 percent sold on it," Mock says. "When you say, 'I'm gonna shut off traffic,' you'd better be sure you aren't inadvertently producing a problem on your network."
The focus on layered controls and application security underscores the fact that, in most companies, the line between the perimeter and the infrastructure has nearly disappeared. Nowhere is that more evident than in wireless networking.
Rogue wireless access points continue to be the bane of many security managers, exposing networks to war driving and opening up core servers and applications to attack. Most organizations have adopted a multipronged approach to wireless security that blends policy, process and technology.
"We think we've done the right things to control unauthorized wireless," says Mock. "We have policies against implementing it without the proper controls, but we know there will still be some people doing it incorrectly." As a matter of policy, ABN AMRO's networking team performs routine sweeps for rogue access points with wireless sniffers.
Many Fortune 1000s are eager for something more. In the next 12 months, one-quarter of companies in the Priorities Survey plan to invest in wireless LAN security tools, such as wireless access controllers that address user authentication issues at the network edge. Nearly one-fifth of surveyed companies will invest in wire- less device security, such as onboard encryption and content scanning.
"We've spent a lot of time over the past 18 months looking at this and coming up with a policy and a set of best practices for implementing wireless," says LexisNexis's Cronin. "It has led us to working with vendors who have a clear strategy and road map for providing smart antennas," devices that communicate with a network switch to determine access control parameters for Wi-Fi nodes.
"Smart switches and smart antennas are the best way to do good wireless security," Cronin adds. "The passive antenna technology that's out there today, with its junky encryption, just isn't cutting it."
Also driving investments in wireless security is that, unlike some security initiatives, there's a clear business benefit to doing wireless securely -- and a clear risk if you don't.
"We've been successful in convincing management that wireless security is important to the company," Cronin says. "If we're going to do more wireless installations, we need to take the security issue seriously and treat it like the Internet. Where we've made a lot of investments in perimeter security, we need to make the same level of investment in wireless."
Just as wireless crosses the barrier between the perimeter and the infrastructure, some enterprise technologies are hot because they're championed (and often funded) by multiple groups: security, help desk, applications, even the business units themselves. Case in point: identity management.
More than 40 percent of Fortune 1000 firms will invest in new identity management solutions in the next two years, according to the Priorities Survey. While many of these investments are in user access management and entitlement solutions -- user rights provisioning and deprovisioning, automated password reset, SSO, etc. -- some companies are testing the waters in federated identity management, which extends entitlement beyond the company's core user base. Of the 39 security technologies analyzed in the survey's Heat Index, identity management, user provisioning and SSO ranked first, second and third, respectively.
Bill Boni, CISO of electronics giant Motorola, views identity management not as a security solution but as part of the company's overall management framework. Facing a flat security budget this year, Boni is placing a premium on products that will have the broadest -- and most visible -- impact on corporate operations.
"My focus is not on an individual application, or lines of business, but on solutions that cover a wide arc of the company's business," he says. "We're looking at enterprise access management more broadly across a whole subset of our critical applications to increase efficiency and improve effectiveness."
Boni plans to roll out the EAM solution for employees, then eventually migrate it to partners and suppliers. "The proof of concept is, if you can do the employee access control model efficiently, you can get your learning curve off the internal model. Then you evaluate how it will scale to external organizational access and collaboration."
Despite their architectural complexity and high TCO, identity management solutions are popular be- cause of their straightforward business proposition.
"What helps seal ID management is reducing the complexity to end users," says McKesson's Heim. "End users don't care about your admin processes and efficiencies. They care about having fewer passwords to deal with."
Model for Security
My focus is on solutions that cover a wide arc of the company's business.
Bill Boni, CISO, Motorola
For all the talk about security metrics, ROI and risk modeling, "cyber-risk management" remains an oxy- moron at most companies.
"Security is still a black art, not a science," Heim says. "We don't know where we should be spending our money."
The Priorities Survey shows that many Fortune 1000s are trying to address this fundamental problem through technologies and procedures that help prioritize security activities and spending. Much of the interest and investment in this space has crystallized around vulnerability management -- specifically, automated patch management, configuration management and so-called security dashboards.
Gauging enterprise purchasing plans for security dashboards is difficult because there's little consensus about what the term means. But whether or not they call it a dashboard, most Fortune 1000s have embraced the concept of decision-support software that provides a consolidated view of multiple security data points and workflows.
Dashboards that guide operational security activities are in greater demand than those that provide executive reports, according to the survey. One reason: Some security managers are reluctant to provide executives with details of threat status for fear of overreaction.
ABN AMRO uses a commercial dashboard to provide a rollup view of its vulnerability remediation work. The company subscribes to an alert service that notifies administrators of high-priority vulnerabilities affecting systems under their local management. But, for the alerts to be accurate, admins have to continuously provide system status updates to the dashboard.
"If they've profiled their systems properly, they'll get alerts only for the vulnerabilities that affect them," says Mock. "It makes everybody's job a little easier."
Mock is also interested in leveraging the dashboard concept for other threats, including viruses and physical security issues. For now, some of what he considers to be "dashboard work" derives from manual processes, including old-fashioned elbow grease and shoe leather.
"For me, the dashboard doesn't have to be Web pages," he says. "It can be a Word document that our enterprise network steering committee gets to be able to understand the health of the network. How safe are we? Where are our problems? How quickly have we patched, and if we didn't patch quickly, why is that? We have to have a business rationale to say, 'Have we spent enough money, did we do a good job, and are our defenses working and effective?'"
McKesson's Heim, a vocal proponent of security metrics, says security dashboards won't live up to their potential until there's more business unit input in the process.
"It's really hard getting the business involved," he says. "The goal is to leverage all the network and systems intelligence tools to understand the systems, then overlay a grouping of physical and logical assets into business processes. Then you ask the business owners to qualify business exposure for various business processes. From that, you can basically de-compose it back into the exposure values that compose those processes.
"Right now, it's not doable," he adds. "It has to be automated through workflow software. You need to have something that tickles the business owners every month, two months, six months -- whatever the criticality is -- to update the information. The critical missing factor is, and has always been, the business overlay: defining what the actual asset values are."
While mature, holistic security dashboards may be a few years off, many companies are jumping headlong into other automated security management tools, including patch and configuration management.
Nearly 70 percent of surveyed companies are already using a patch management solution. For Microsoft platforms, the tool of choice is Systems Management Server (SMS), which is free to Microsoft enterprise licensees.
But SMS and other automated patching tools aren't plug 'n play.
As with security dashboards, auto-patching must be part of a management process.
"Auto-patching is good for low-level vulnerabilities and for systems that are low priority," says Mock.
"If you take them offline, nobody's going to yell too much."
For high-availability applications, ABN AMRO's release management team meets once a week to "talk about patches, status, what needs to go out and when," says Mock. "They test patches to make sure they don't break applications. Then, they'll release a delta, and everybody goes to a central point to get it."
A fundamental challenge to patch management -- particularly in large, distributed organizations -- is basic discovery, identification and standardization of OS and application images, says Mike Cervine, senior manager of enterprise security at Panasonic's Management Information Technology, the manufacturer's IT services branch.
Cervine and his team are responsible for the security of 10,000 employees across the Americas. Like many other security managers in the Priorities Survey, his greatest concern is a nasty worm outbreak affecting multiple parts of the distributed enterprise.
"We have a very large and diverse audience," Cervine says. "As a result, we have many different levels of the OS out there."
One of Cervine's top priorities for 2004 is rolling out an enterprise configuration management system to standardize server images. "You have to know what you have, what you need to address, and where exactly to address it," he says.
Andrew Briney, CISSP, is editorial director of Information Security magazine.