The SANS Institute's latest threat report should be a reminder to security teams that now is the time to rethink the traditional approach to security as 2010 plans are being prioritized, with a strategy to transform security into a capability that is as dynamic as the attack landscape.
Threat reports are usually a tough read as they highlight the successes of hackers without suggesting meaningful preventive actions that IT can take. But the SANS report, The Top Cyber Security Risks, found that traditional security is woefully inadequate in protecting the business infrastructure against infected websites and penetration through popular applications such as Adobe Flash and Microsoft Office.
The SANS research indicates what most organizations should already know: attacks are penetrating through the browser and end-user installed web-oriented applications. Yet it is a nightmare for IT administrators to patch all of those application vulnerabilities. In fact, some of the applications do not even have upgrade or patch processes. Most IT and security organizations, if their pleadings for a clean slate and a blank check were granted, would change their approach to managing security and to controlling the technical infrastructure. For those who are lucky enough to start with a blank slate, here are a few recommendations on where to begin:
- Separate endpoint and server security processes. Server configurations are relatively static, lending themselves to whitelisting, configuration control, predictable secure data paths and data center perimeter security. Endpoints have a variety of applications and user preferences that defeat attempts at standardization. IT can try to solicit end-user support to ban apps that do not have upgrade schemes or have a poor security history, but there will always be risk. It is clear that rigorous patching of servers and endpoints is a mandatory best practice to plug vulnerabilities with traditional technology.
- Evaluate Software as a Service (SaaS) security. End-user devices such as home desktops, laptops, netbooks, and iPhones communicate in paths that avoid corporate security filters. Directing traffic through a Security 2.0 service such as that offered by Trend Micro or Zscaler can lower the risk of endpoint infection, no matter where in the world that endpoint is located. SaaS has the additional promise of flexibility to rapidly add new security services to the entire user community without requiring endpoint software deployment and administration.
- Evaluate virtualization at the endpoint. Endpoint virtualization gives IT greater control over configuration drift, data loss, and malware persistence. There are multiple flavors of endpoint virtualization available for proof of concept projects. Virtual workspaces provide an isolated environment for remote users that includes an IT configured browser and VPN client; virtual desktops provide a secure data center operating environment for local users with ample LAN and wireless bandwidth.
Be sure to measure operational metrics such as number of endpoint refreshes, number of endpoint-related service desk calls, and IT time spent in software administration tasks when investigating approaches that may allow IT to eliminate unproductive processes.
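The first recommendation above rests on the observation that server configurations are static enough to be whitelisted and held to a known-good baseline. The script below is an added example (not from the column or from SANS) of what that configuration control looks like in practice: it hashes every file under a server's managed tree to build a golden-image baseline, then reports files that were added, removed, or modified since. The directory layout, file names and contents are constructed for the demonstration; a real deployment would point `build_baseline` at the actual configuration and binary directories and store the baseline off-host.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map every regular file below root (path relative to root, POSIX form) to its hash.

    Run this once against a freshly built, known-good server to capture the whitelist.
    """
    baseline: Dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def check_drift(root: Path, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the tree as it is now against the stored baseline.

    'added' files are candidates for a whitelist violation (something landed on the
    server that was never approved), 'modified' files are configuration drift or
    tampering, and 'removed' files may indicate a broken build or deleted control.
    """
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            name for name in baseline if name in current and current[name] != baseline[name]
        ),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: capture a golden image, then introduce three kinds of drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        # Hypothetical server contents; names and bytes are placeholders, not real software.
        (root / "etc" / "app.conf").write_text("listen=443\n")
        (root / "etc" / "legacy.conf").write_text("enabled=0\n")
        (root / "bin" / "webserver").write_bytes(b"\x7fELF placeholder binary")

        baseline = build_baseline(root)

        # Drift after the baseline: an edited config, a dropped binary, a deleted file.
        (root / "etc" / "app.conf").write_text("listen=443\ndebug=true\n")
        (root / "bin" / "unexpected-tool").write_bytes(b"not part of the golden image")
        (root / "etc" / "legacy.conf").unlink()

        return check_drift(root, baseline)


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category}: {files}")
```

Scheduling `check_drift` from a host that the servers cannot write to, and alerting on any non-empty `added` or `modified` list, turns the static nature of server builds into a detection control rather than just an inventory.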
Trusteer just released a similar report that shows the difficulty of controlling configurations. A sample of 10,000 machines taken one day this month found that nearly 70% had antivirus installed but were still infected. Another 31% had no AV installed.
The SANS report has a good example of a successful attack which is worth a read, tracing the attack from an infected website through a client browser and into the data center. If nothing else, use this example to walk through the security mechanisms to evaluate security effectiveness.
Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. Prior to founding the Ogren Group, Eric served as a security industry analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor. He can be reached by sending an email to firstname.lastname@example.org.