
Ideal intrusion defense combines processes and people

What defines good intrusion defense? In the first installment of our special three-day series, Intruder Alert, IT pros say the best programs not only thwart insiders with bad computing habits, but also the spyware and other malware they let in.

A global IT service provider with 39,000 employees and thousands of computing devices is sure to be a tempting target for digital desperados. But which attack scenarios are most likely to keep the security chief up at night? Dave Bixler, CISO for Siemens Business Services Inc., a subsidiary of Munich-based Siemens AG, lists three:

  • Spyware;
  • Stolen or misplaced laptops with passwords that can be unlocked within minutes using any number of online tools; and
  • Employees who load sensitive files onto USB keys and then lose them.

    About Intruder Alert

    Intrusion defense programs are often touted for their ability to guard against today's evolving threats. Based on an exclusive survey of IT professionals, the special news series Intruder Alert takes a look at real-world intrusion defense programs and which vendors are considered most valuable to those in the trenches.

    Series menu

  • DAY 1: Ideal intrusion defense combines processes and people -- What defines good intrusion defense? IT pros say the best programs not only thwart insiders with bad computing habits, but also the spyware and other malware they let in.

  • DAY 2: To executives, intrusion defense is a hard sell -- Security administrators say intrusion defense frustrates them not only because executives are reluctant to buy in, but also because even the top products have a long way to go.

  • DAY 3: With intrusion defense vendors, one size doesn't fit all -- A majority of IT shops rely on Cisco and Symantec for intrusion defense. But others are just as happy using free open source tools.

  • INTRUDER ALERT: Looking at the numbers -- In February, 307 IT professionals from a variety of industries were surveyed regarding their intrusion defense programs. Here is a look at some of the questions we asked and the answers they gave.

    "You can go to any meeting and people toss these USB keys around," Bixler said. "I'm sure people leave them on airplanes and in hotel rooms with the data on them. I really worry about where my data goes and how to keep it from going where I don't want it to go."

    He's not alone. Of 307 IT professionals who responded to a February survey about their intrusion defense programs, a majority said their biggest concerns are insiders whose computing habits put sensitive data at risk and the spyware and other malware they let in. Those are the threats they most want their intrusion defense tools to address, but they're not always pleased with the results.

    "Spyware is a huge problem because the AV vendors have largely let us down," Bixler said. "The main vendors are starting to step up, but they were two years late to the table as far as I'm concerned. Spyware is another flavor of virus, and the last thing I wanted was another tool to put on everyone's desktop to take care of what's essentially another virus."

    Where the worries are
    When asked what aspect of their intrusion defense tools they would most like improved, 35.6% of respondents said they want better detection and prevention of insider threats, such as employees abusing policy and downloading proprietary information onto flash drives.

    More than 32% said they want better spyware prevention, fewer false positives and the ability to separate serious attacks from network noise. More than 30% want a better way to detect unknown/zero-day attacks, while 25.8% want better virus and worm prevention and 25.2% want a better way to correlate threats to vulnerabilities.

    Asked what would prompt them to switch to a different IDS/IPS vendor, 45.4% said a different vendor's product would have to better detect and prevent attacks. More than 35% said they'd switch if a different vendor's product were easier to install, administer or manage.

    If another vendor's product offered a wider array of security functions and features, 33% would switch. More than 32% would migrate to a different vendor whose product better integrates with the enterprise infrastructure; and 25.2% would make the move if it were less expensive while providing as much security as their current tool.

    Of all the insider threats Bixler worries about, wayward mobile devices weren't always high on his list. That changed the day a departing employee turned in a laptop without telling the IT staff what the password was. The episode is a reminder that a login password guards the account, not the data on an unencrypted disk: anyone with physical access to the machine can reset it.

    "I went on the Internet looking for freeware to set the administrative password on the box," he said. "It took eight minutes from the time I found the right freeware on Google to when I was able to open the laptop. I did this while talking on the phone and I'm not particularly good at this stuff."

    User education a big weakness
    Jeremy Martin can understand why IT professionals are so concerned about insiders. He's a Colorado Springs, Colo.-based penetration tester who spends his working days trying to bust into the networks of large commercial enterprises and government entities like the U.S. Department of Defense.

    He'll start with a basic scan and work his way through the network until he's found all the vulnerabilities. He dabbles in social engineering, sending out phishing e-mails to see if anyone will open them. His goal is to show clients where they are weakest on security and how intruders are getting in.

    Unfortunately, Martin said, most organizations' biggest weakness is user education. "People are opening those phishing e-mails," he said. "People will write down their passwords or use the same password over and over."

    As for spyware, Martin said in most outbreaks a bad infection can be traced back to users with bad computing habits.

    "Spyware is an issue in that people open an e-mail or visit a site they shouldn't, then the spyware is dropped onto the machines," he said.

    Words of advice
    When clients ask him how they can seal security holes, Martin offers this advice: Employees across the board must learn their organizations' security policies and follow them consistently.

    "You need to make sure everyone understands the policy through training," he said, adding that people must know what is and isn't considered appropriate use of the Web, e-mail and so on. Plus the usage policy must be consistent for top executives and junior employees alike.

    Of course, those policies must also be well defined. "One thing I keep seeing is a lack of definition in the policies," Martin said. "So they're open to interpretation and people interpret things differently."

    City of North Vancouver IT Manager Craig Hunter, whose department oversees workstations used by 350 employees, agrees user education is important. But he said the average employee will never become an information security expert.

    "The best you can do is embed security into systems so the users don't see it," he said. His philosophy: "Make it easier for users to do it right than to do it wrong."

    To that end, his IT shop ensures workers' application sessions are terminated when they're no longer needed. The department uses a content filter -- from San Diego-based Websense Inc. -- to block Web sites that might otherwise drop malware onto the network, including spyware, which has caused the department problems in the past. It also uses IronPort Systems Inc.'s Brightmail appliance to reduce spam and viruses.

    The best defense is always layered
    Looking at the big picture, Bixler, Martin and Hunter agreed that user awareness is only one part of a larger, layered defense. That way, if an intruder punches through one end of the network, he is stopped by devices and procedures deployed in other parts of the network.

    "It's also important to have software that monitors activity not just on the network but also on the individual PCs," Martin said.

    One word to the wise, he added, is to use one AV vendor on the network and another on desktops. "One vendor may update signatures more quickly and broadly than another," Martin said. "So with both, you have better coverage."
