SAN FRANCISCO -- Headlines today focus more on negative security aspects than positive ones; it's time to change...
Security success was the message SANS Institute director John Pescatore offered at a session at RSA Conference Tuesday.
Using real-world examples, Pescatore outlined how seven organizations across various industries not only used security products and services effectively, but also achieved measurable results from them.
"The vast majority of malware that does get in doesn't lead to a breach," Pescatore said during his first example. However, with the right security portfolio, he said, enterprises can reduce the effects malware has when it does infiltrate the network.
To prove his point, Pescatore explained how one organization reduced the rate of successful malware execution by nearly two-thirds by layering three security technologies.
When tested, the Australian Government's Department of Defence allowed in 100% of network vulnerabilities, 65% of which successfully executed. After implementing strict application whitelisting, 85% of malware exploited, but the execution rate dropped to 15%. After adding least privilege user access to the mix, successful exploits fell to 80%, with only 5% executing. Once OS patching was included, the number of vulnerabilities that successfully exploited the network dropped to 65%, and only approximately 2% executed. (Note: further controls were added, but that data was unavailable.)
In his second example, Pescatore explained how adopting new technologies is critical to achieving security success.
Virginia Commonwealth University, Pescatore said, was looking to secure its distributed campus network from malware threats caused by student and staff endpoints. It implemented a network-based advanced threat detection appliance at its Internet ingress point. This helped not only increase the University's intrusion detection rate, but also decrease the number of attacks requiring remediation by 35%.
Out with the old, in with the new
Sometimes, Pescatore noted, replacing old technologies with new ones can solve security problems.
Boston Financial Data Services found its traditional antivirus tool wasn't detecting and mitigating advanced persistent threats, which resulted in the company reimaging four PCs per week post-attack. After Boston Financial adopted host-based security on its Windows PCs, the number of PCs needing reimaging dropped to one PC every three months.
Pescatore also said organizations should never be wary to try new security technologies, some of them may just hold the key to success.
When a healthcare organization was ready to renew its vulnerability scanning technology, Pescatore said, it adopted a newer, more effective product that reduced spending by 75%. These savings allowed the company to add tools to increase its scanning surface.
Pescatore also noted that newer, less conventional methods can help organizations reduce vulnerabilities for breach prevention.
Instructure, an educational technology company, was looking to reduce vulnerabilities in its business-critical applications. Rather than completing the job in-house, the company contracted a managed bug bounty service to detect flaws. With the same dollar investment, Instructure increased the number of testers from the three it had in-house to 63 at the managed bug bounty service. This eventually resulted in a tenfold increase in vulnerability detection.
For his final example, Pescatore noted how enterprises should look to solve the problem at the root of the issue.
When Aetna, for example, was looking to reduce vulnerabilities on its corporate applications, it took a look at the bigger picture: the software development lifecycle (SDLC). Using Cigital's free BSIMM (Building Security in Maturity Model), it integrated benchmarked improvements into its SDLC. The company decreased the number of high and moderate vulnerabilities by 92% and reduced the number of hours it took an analyst to do a threat modeling approach from 40 to two. SDLC productivity also increased an estimated 15%.