
“Nobody wants to be the next headline trying to explain why 2.5 million customer records have been lost, or how their network was hacked, despite their already stringent security measures”
-Steve Workman, LANDesk
The Panel…
Randy Drawas, Chief Marketing Officer, Americas, Kaspersky
Steve Workman, VP of Product Marketing, LANDesk Division
Rees Johnson, SVP of Product Management, McAfee Inc.
Ron Clarkson, Director of Endpoint Security, Trend Micro
BM. Security software and hardware markets are evolving in response to the fact that corporations are now providing employees and customers with increased access to both internal and external content. What challenges does this development pose from a content and threat management perspective?
RD. Organizations are constantly facing the threat that someone will use confidential company data in a way that is not consistent with the policies or interests of the organization. This could include making proprietary content available to public sources, potentially embarrassing or hurting the enterprise, or using content for some kind of personal gain. Actions such as these compound the need for companies to define and implement security policies to manage who, whether they’re employees, partners, customers or suppliers, has access and what they can do with that information.
It’s important that there are reliable/secure ways to provide access to data, but the biggest challenge comes when an IT administrator has to integrate several different technologies – remote access tools, VPNs, web and wireless connections, etc. – to ensure that access is monitored to be flexible and secure.
SW. The biggest challenge is that the risk of compromising data increases dramatically. A study of recent data breaches reveals that many of them resulted from the simple theft of a laptop, or the loss of a USB thumb drive or other mass storage device, such as backup tapes.
A very real solution to a stolen laptop is full disk encryption. As long as the user doesn’t leave the laptop in sleep or standby mode, data encryption will protect the machine’s contents. And if you can prove the device was encrypted, you don’t have to report a security breach.
Other challenges include verifying that data is protected when being used across the network via email, etc. Or, what happens when a new security threat emerges while employees are traveling with their company laptop? These are just a few of the challenges that IT and security managers face in this new environment.
RJ. As more and more companies offer employees the ability to work remotely or telecommute, they have to offer access to internal data stores over VPN. While VPNs offer the relative safety of sending and receiving information, they don’t protect a remote worker who was just surfing the internet and accidentally picked up a virus, spyware, rootkit or some other malicious software. This could potentially expose the corporate network when the employee connects.
The change in motivation from fame to financial gain is driving more sophisticated cyber-criminals to steal information that can be used for profit. According to Gartner, 80 percent of attacks are financially motivated, up from 50 percent two years ago.
The increasing variety of threats is forcing companies to deploy more security technologies to protect themselves. This increases the cost of managing security and decreases security visibility if these technologies are not integrated or managed by a single management console.
RC. While the landscape is definitely changing, the base tenet of defense in depth remains sound and true. Corporations have historically focused a lot of resources on building up their perimeters in response to external threats. URL filtering and Intrusion Prevention/Defense are perfect examples of technologies that historically have lived, to a large extent, in the perimeter. With the proliferation of laptops and mobile employees, a strong perimeter is now only half the story of a company’s sound defense in depth strategy. Now more than ever, a strong endpoint solution is needed that can provide perimeter-like protection for the endpoint, no matter where it travels.
BM. Corporations and government agencies increasingly need to make organizational IT resources available outside the traditional workplace. What technologies are evolving to tackle this issue from a security perspective?
SW. There are a number of technologies that offer hope to IT and security managers coping with today’s threat environment. A major challenge is the increasingly mobile work force.
How do you update an employee’s laptop when he or she is on the road more than 50 to 60 percent of the time? One solution is a mobile management gateway, which works behind the scenes to ensure the device is policy-compliant by checking each time the employee connects to the internet, be it from a hotel room or broadband connection. There’s no need to update the machine with patches and signatures because it’s been happening all along, without any effort on the user’s part.
In addition, network access control can help secure the network from outside threats. Companies want to manage guests and contractors entering company buildings with their personal laptops. Technologies today can ensure that individuals connect with a ‘clean’ laptop, and obtain the network access needed without gaining full access to the corporate network.
RJ. From a security perspective, installation of up-to-date anti-virus is critically important. Anti-spyware technology protects from spyware, adware and other unauthorized downloads that steal confidential information, decrease end user productivity and use unnecessary network bandwidth.
Other technologies include: SiteAdvisor, which helps warn end users of potentially dangerous sites; host IPS, which protects endpoints from zero-day threats that exploit software vulnerabilities; network access control solutions, which help prevent insecure systems from connecting to a network; data loss prevention, which protects confidential data from leaving the company; and encryption, which protects data on laptops or devices if they are lost or stolen.
RC. In keeping with a good defense in depth strategy, the most effective technology to employ is an existing technology – endpoint protection. Companies should ensure that every endpoint that accesses their organizational IT resources from outside the traditional workplace is protected. It is becoming quite common for companies to partially or fully subsidize a consumer endpoint protection product for their employees to use at home.
RD. From a secure content management perspective, new technologies are emerging to provide centralized systems to manage user access, whether they are connecting from wireless access points, VPNs, web gateways or dial-up connections. These tools help with the previously discussed problem of managing multiple point products.
Moving beyond connectivity, the evolving technologies also include the types of control users have over the data they are using. For example, an organization may choose to implement a virtual environment such as Citrix or VMware to ensure that enterprise content doesn’t actually leave the facilities. Or they might implement technology that makes it impossible to remove data from a remote PC.
BM. In a recent executive survey, 66 percent of respondents said they perceived system penetration to be the largest threat to their enterprises. Are they right to be concerned? And what steps should they take to prevent system penetration?
RJ. Yes, they should be concerned. As the motivation has changed from fame to financial gain, attackers are attempting to gain access without getting caught. And this is not limited to external attackers; many of today’s data breaches come from internal attackers. These attackers are more dangerous because they know how to access systems and where the most important and valuable data assets are kept.
Companies should take the following steps to limit system penetration: install up-to-date anti-virus/anti-spyware software; use Host IPS solutions to lock down systems from being accessed; run security audits to determine which systems are most vulnerable; deploy network access control solutions to limit access by systems that don’t meet security policies; limit physical and electronic access to critical systems; do not allow end-users to run as administrators; deploy encryption and DLP technology to limit exposure to data losses.
RC. Yes, they are very right to be concerned. The leading method of system penetration today is via drive-by downloads using web browsers. Initially, the download may be very innocuous. But that changes when it phones home and morphs into a malicious program. These web threats are particularly dangerous to mobile endpoints that do not have the advantage of a corporate perimeter to protect them. As a result, a company’s endpoint protection plan is becoming increasingly critical.
RD. The threat from an external, opportunistic attacker continues to be great, although insider breaches are still a major concern.
To prevent system penetration, security best practices should always be observed, whether it’s on a desktop, smartphone, server or network. Always use updated anti-malware solutions, intrusion detection/prevention, data leakage prevention, firewalls, whitelisting and access control software to reduce the attack surface. Keep machines and servers fully patched and adopt strong user education programs to train the workforce on security threats and issues.
SW. The layers of security you can deploy can get pretty deep and formidable, perhaps enough to make the bad guys move on to another, easier, less-protected target. For example, you can add a host-based intrusion prevention system (HIPS) that offers buffer overflow protection and application control as well as other security capabilities to combat what is known as the zero-day threat – protecting against malware for which no signatures or patches yet exist. Remember, most targeted attacks happen without the victims knowing they’ve been hacked. Bad guys are hired to write malware specifically designed to attack your data and network, so your antivirus is not going to have a signature to detect it. HIPS can help neutralize the threat, no matter what.
BM. Adhering to various security, governance and privacy regulations is proving a minefield for many companies. How has compliance legislation affected the way companies look at their sensitive data? And how have technology vendors responded?
RC. Compliance legislation has provided security practitioners with the resources they have long asked for to properly implement long-standing industry best practices. Technology vendors have responded with marketing tweaks to existing products to solve compliance woes, for example, vulnerability scanners, and in some cases completely new products, a security policy manager for example. At the end of the day, usually a very long day when compliance is involved, nothing replaces a good solid foundation of properly implemented security policies, procedures, and best practices. Technology can play a part in compliance, but technology can never provide compliance.
RD. Compliance legislation has forced companies to rethink the way they handle audit procedures, reporting procedures, financial systems, personnel training and controlling access to sensitive data. Technology vendors have responded by adding stronger capabilities to flag potential data leakage or access control violations, and making auditing and reporting features more robust to stay in line with compliance requirements.
SW. With all the news about privacy breaches, corporations are beginning to see the wisdom of implementing many of these compliance mandates. Promising new solutions such as whitelisting applications on the endpoint help prevent malware from spreading its malicious effects.
For example, consider the ongoing security debate: do I enumerate the bad or enumerate the good? Enumerating the bad (with signatures, patches, etc.) is ultimately a losing, reactive battle. By contrast, enumerating the good shows a real shift in the security mindset. This type of whitelisting is one of the most effective ways of controlling malware. If the solution can be easily managed and scale to an enterprise environment, think of the power available to neutralize the bad guys.
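The enumerate-the-bad versus enumerate-the-good argument, as an added illustration that is not code from the panel or from any vendor’s product: a hash-based deny-list and allow-list are run over a constructed set of sample executables (contents are placeholders, not real binaries), showing that a custom dropper with no signature slips past the deny-list but not the allow-list, and that the allow-list’s price is blocking a legitimate binary whose hash changed after a vendor patch until it is re-approved.

```python
"""Added example: 'enumerate the bad' vs 'enumerate the good' over a
constructed set of executables. SHA-256 hashes stand in for AV signatures
and for IT's approved-application list."""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample binaries (placeholder bytes) with ground truth.
SAMPLES = {
    "winword.exe": (b"constructed: approved office binary", "good"),
    "outlook.exe": (b"constructed: approved mail client", "good"),
    "winword_patched.exe": (b"constructed: same app after a vendor patch", "good"),
    "known_trojan.exe": (b"constructed: malware already in the signature feed", "bad"),
    "fresh_dropper.exe": (b"constructed: custom malware with no signature yet", "bad"),
}

# Deny-list: only malware that has already been seen and catalogued.
MALWARE_SIGNATURES = {sha256(SAMPLES["known_trojan.exe"][0])}

# Allow-list: hashes IT approved when the gold image was built (pre-patch).
APPROVED_HASHES = {sha256(SAMPLES[n][0]) for n in ("winword.exe", "outlook.exe")}


def deny_list_decision(contents: bytes) -> str:
    """Signature model: block what is known bad, let everything else run."""
    return "block" if sha256(contents) in MALWARE_SIGNATURES else "allow"


def allow_list_decision(contents: bytes) -> str:
    """Whitelist model: run only what is known good, block everything else."""
    return "allow" if sha256(contents) in APPROVED_HASHES else "block"


def missed_malware(decide) -> list:
    """Names of 'bad' samples the given policy would have let run."""
    return [n for n, (data, truth) in SAMPLES.items()
            if truth == "bad" and decide(data) == "allow"]


def blocked_legitimate(decide) -> list:
    """Names of 'good' samples the policy blocks: the management cost of whitelisting."""
    return [n for n, (data, truth) in SAMPLES.items()
            if truth == "good" and decide(data) == "block"]


if __name__ == "__main__":
    for name, policy in (("deny-list", deny_list_decision), ("allow-list", allow_list_decision)):
        print(f"{name}: missed malware={missed_malware(policy)}, "
              f"blocked legitimate={blocked_legitimate(policy)}")
```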
RC. Compliance challenges governing security compliance force companies to safeguard data assets. Regulations like PCI, SOX, the Data Protection Act and other data privacy laws are forcing organizations to safeguard data and deploy stronger security. IT operations demand rapid remediation of systems that are vulnerable to attack and are out of compliance.
In today’s environment it is not enough to just know about regulations and corporate IT policies; companies have to prove that they are in compliance with them. Vendors are using compliance regulations to help drive security solutions to a higher level within the organization. Many times the CIO/CEO/CFO is involved in ensuring that their companies are in compliance, so this elevates the technology investments to these higher levels within the organization.
BM. Data protection is currently a huge focus for companies across America, but recent research – as well as several high-profile security breaches – indicates many are still not doing enough. How can IT executives make the business case for investing in these technologies?
RD. The most expensive security breach is the one that hasn’t happened. Still, it’s always difficult for an IT administrator to make the case to the CEO for increased budget resources because it’s difficult to quantify a risk that’s not very visible. IT executives can use business cases on known breaches (TJX, Hannaford) to outline just how costly an incident can be and spell out how technology investments can reduce the damage from a security breach.
SW. Besides the threats themselves, the biggest challenge facing security administrators is more political than technological. Security budgets are already being consumed with the traditional forms of protection. IT managers are saying, “You’re telling me we need to keep doing what we’re doing, and spend more on additional protection layers, all with the same budget?” Well, the answer is yes. The additional security won’t materialize out of nowhere.
Most organizations would agree it would be cheaper to secure the environment in the first place. The good news is through a number of the newer suite solutions, managers can expand security measures for roughly the same dollars they’re spending today, or at worst, a little more. Rather than spend money on seven or eight different point products, these dollars can be consolidated with suites that actually offer more – and layered – protection for a similar investment.
RJ. The business case for data protection technology is critical. Sometimes data protection technology decisions are made in response to an event – the CEO’s laptop is stolen, there’s a data breach where customer information was lost, etc. These events and others like them are driving acquisitions of data protection solutions. Instead of waiting for these things to occur, companies should focus on being proactive in protecting their data. They should look at the potential costs associated with a data breach.
RC. DLP (Data Leak Prevention) is currently a buzzword that is increasingly appearing in boardrooms and budgets – and with good reason. Many high-profile cases of lost data spring to mind and companies cringe at the thought of having their brand name gracing the headlines. Two high-level drivers top the list when making business cases: privacy regulations and brand protection. Whether it is a patient’s social security number inadvertently sent in an email or a stolen laptop with customer credit card information, effective data protection starts with sound policies and procedures and can then be supplemented with technology.
The worst IT security incidents of 2007
TJX Companies: the company revealed that hackers had access to between 46 million and 215 million customer records for 17 months. The costs of the breach reportedly reached $216 million.
Monster.com: Intruders using legitimate usernames and passwords entered the system and made off with 1.3 million job seekers’ records, including addresses, names and phone numbers.
Medicaid: a CD containing personal information of 2.9 million Medicaid and child healthcare insurance recipients was lost in shipping. Officials would not reveal whether the data was encrypted.
Gap: A laptop containing the personal information, including social security numbers, of 800,000 employment applicants was stolen.
SAIC: A Pentagon contractor failed to encrypt data on 580,000 military households before transmitting it over the internet. The data was stored on an unsecured server and included names, addresses, birth dates and social security numbers.
Tae Kim: A former auditor for the US Department of Veterans Affairs was arrested after being caught using fraudulent credit cards. His home computer contained 1.8 million records pertaining to 185,000 unique individuals.