Feature

Collaboration is key in enterprise security puzzle

Collaboration is the key to successful information security. 

For example, UK national threat intelligence became much richer when it was expanded to include other government departments, according to former MI5 chief Eliza Manningham-Buller.

“It is important not to say: this is exclusively our job,” but instead tap into the skills and resources required to do the job through strategic partnerships, she said.

Manningham-Buller was talking to cyber security professionals at supplier Trend Micro’s 25th anniversary Directions customer event in London last week.

Trend Micro itself has developed several strategic cross-industry partnerships with technology firms like VMware, Virtual Computing Environment (VCE) and Amazon Web Services (AWS).

But there is no “silver bullet” - security is about forming strategic partnerships with those in the security community that can offer the technical controls that map to business needs, said JD Sherry, vice-president technology and solutions at the supplier.

Trend Micro not only aims at providing key pieces of the security puzzle, but has invested heavily in cloud-based threat intelligence to help organisations identify the elements they need to put together.

Being swamped with threat information is a common problem faced by national intelligence agencies like MI5, said Manningham-Buller.

The challenge, she said, is prioritising that information and deciding what to turn into action that can result in better protection.

Targeted attacks

Cyber threat intelligence services are designed to help organisations identify the threats that are most relevant to them and know if any particular attack is generic or targeted specifically at them.

The switch from generic to individually crafted attacks aimed at specific companies is one of several new trends facing IT security teams, said Rik Ferguson, vice-president of security research at Trend Micro.

In contrast to the familiar high-volume opportunistic attacks that rely on poor security patching, targeted attacks typically use highly crafted social engineering techniques against key individuals to get past firewalls.

Social media, especially LinkedIn, enables attackers to craft very credible phishing emails to trick key individuals into downloading malware that enables attackers to bypass controls and access networks.

Such attackers can lurk for weeks, months and even years on networks undetected, in part due to what Ferguson terms “myopic” security, where individual security products all indicate nothing is wrong.

“Focusing on particular things in isolation means organisations can’t see the forest [of threat] because they are too focused on individual trees,” he said. 

Only by enabling a macro view that includes context and security analytics capability, he said, can a chain of seemingly benign events become more meaningful and potentially expose malicious activity.

Context-aware security

“Context is king in security right now. For example, someone accessing a computer in a server room would not raise an alert, but if that person was identified as a cleaner, it would,” said Ferguson.

Security strategies need to incorporate new approaches such as context awareness to cope with new challenges presented by emerging technologies.

Chief among these challenging trends are consumerisation, cloud and commercialised cyber threats on an industrialised scale that are becoming increasingly sophisticated and targeted.

“Consumerisation is everywhere; it is a transformation happening to every organisation,” said Andrew Rose, principal analyst at Forrester Research.

Research shows that around 38% of information workers are using smartphones for work, half are using laptops and 17% are using tablets.

“Of the laptop users, half are owned by the employees themselves, while of the tablet users, 70% are employee owned,” said Rose.

“People prefer to use their own kit because it is familiar, faster and better than company kit and it enables them to work in increasingly flexible and innovative ways.”

However, this trend has tremendous implications for corporate data security because the company no longer has control over data being replicated on multiple devices that are employee owned.

The risks are enormous, said Rose, with at least 700,000 known threats against Google’s Android platform, which is the most popular mobile operating system. But Trend Micro says given the recent rapid increases including malicious apps, the total number of threats is closer to 820,000.

Hackers are also not the only ones stealing data, he said. Many Android apps are coded with permissions that enable developers to tap into a wide variety of data sources. This includes data about calls, contacts and geographical location. “Data is leaking away from consumers and corporations,” said Rose.

Cloud security

Cloud computing continues to gain momentum as companies increasingly chase after the cost and efficiency benefits. At the same time, security concerns are decreasing. Research shows a 22% decrease in concern about security in the cloud in the past year.

Yet security and privacy issues remain, said Rose, such as those raised by the revelations about the US Prism internet surveillance programme, which Forrester estimates could cost the US cloud computing industry between $135bn and $180bn in lost sales.

Other issues include the fact that information about security provisions is often vague and it is unclear whether cloud service providers can guarantee virtual boundaries between data in multi-tenant virtual environments.

It is also often difficult to ascertain whether reallocated disk space is wiped properly, that penetration testing is thorough, and that entire servers will not be seized by US law enforcement because of wrongdoing by a single customer of a cloud service.

This lack of clarity is particularly worrying in light of the fact that, according to the latest Verizon data breach report, 65% of data breaches are directly related to cyber crime and 19% are linked to state-sponsored activities, said Rose.

While the volume and sophistication of cyber attacks is increasing, Forrester research also shows that stealing data remains relatively easy.

A study shows that only 1% of data breaches represent a high level of difficulty, 22% represent a moderate level of difficulty, but in 67% of cases there is only a low level of difficulty.

“In the majority of cases, it is trivial for cyber attackers to get in,” said Rose.

Organisations need to improve their ability to detect and deal with intrusions quickly as many intrusions are discovered weeks and even months later, and often by third parties, he said. According to Trend Micro, there are on average 1.8 successful attacks a week on large organisations.

Attacks tend to take place far faster than organisations are able to respond, said James Nunn-Price, partner and UK cyber and public sector security lead at Deloitte. “Getting in is quick, but responses tend to be slow,” he said.

Phishing is another area that needs attention, said Rose. According to the Verizon study, phishing is the first stage in 95% of so-called advanced persistent attacks and other research shows around 35% of phishing emails are successful, rising to as high as 90% where messages are targeted at specific individuals.

Identify data assets

In the face of the security risk presented by the emerging trends of cloud, consumerisation and industrialised cyber threats, Forrester recommends that organisations identify their most crucial data assets and concentrate cyber defence efforts around them.

Rose, a chief information security officer (CISO) for 10 years, said this could dramatically simplify the task and be tremendously empowering for a CISO, as Forrester research indicates that critical data assets usually represent only around 1% of all corporate data. 

“Yet few organisations are able to do this because they are still not classifying their data,” he said.

Poor application patch management is another common area of failing, said Rose. “Simply by keeping security patches for all software up to date, organisations can eliminate a lot of risk,” he said.

Above all, said Rose, organisations should prepare for failure by focusing on the capacity to respond to and mitigate cyber attacks that typically exploit the weakest point to get in and then move laterally to get to critical data.

There has to be a change in security thinking, said Raimund Genes, global chief technology officer for Trend Micro. “If someone wants to get in, they will,” he said.

While organisations still need traditional security defences, Genes said these technologies will not help against determined attackers who target specific firms through key individuals.

“Organisations need to switch to an inside-out approach to security and seek to protect data where it is. They also need to move beyond simple sandbox technologies that will cause smart malware to hide and implement smarter sandboxes, and processes that enable them to make sense of what the sandboxes trap,” he said.

Overall, Genes said organisations must have a way of dealing with all sources of security intelligence to be able “to put the pieces of the puzzle together”.

Consumerisation, cloud computing and virtualisation, and cyber threats are the key parts of the puzzle Trend Micro is focusing on to enable what the company terms a “smart” protection strategy based on the correlation of various sources of threat intelligence.

Trend's Sherry said: “Smart protection should be layered, interconnected, real time, and transparent to the user; it should be simple, centralised and automated.”



This was first published in September 2013
