Will today's threats push PKI into the mainstream?
For many enterprises, Nolte's faith in PKI is tempered by the slowness with which the technology has been developed for commercial use. Whitfield Diffie and Martin Hellman, considered the fathers of PKI, have acknowledged commercial advancement has been far slower than first expected -- held back by standardization and capital development issues. Up to this point, it has been most widely used by the government.
Indeed, in CoreStreet's Cambridge offices, it's easy to see who the company's biggest clients are. A shelf on a conference room wall is lined with the seals of the Department of Homeland Security, Army, Air Force, Department of Defense and a number of intelligence agencies. But company President Phil Libin said commercial deployments have been picking up in the past year.
"There's more of a focus on disaster recovery in the private sector, and when you're in a recovery phase you want to re-establish services people expect despite the damaged infrastructure," he said. "You want to make sure people can still buy gas even though the credit card system is down. Validation tools can help. We're starting to talk to people working on contingency plans for gas stations, supermarkets and so on… We're looking at how you let people make transactions with existing IDs like a driver's license."
But despite its disaster management potential, Nolte doesn't see PKI as the silver bullet to slay the insider beast. "From my perspective, we're getting to where we need to deal with the insider threat," he said. "We're not there yet. Awareness and training are essential. But I also think we're moving toward the point where you need a license to use the Internet -- another way of proving you are who you say you are."
Centralize it, log it and stay sharp
For those who aren't in the position to mount a DOD-style war on malicious insiders, the key now is to keep a sharp eye on who is entering your building or puttering around on your computer network. For Calpine's Curry, the best defense is a centralized system to monitor various computer systems for abnormal activity and log it all.
Curry found his solution in an appliance from Westwood, Mass.-based Network Intelligence Corp. "Two years ago we had all the intrusion detection, router switches, etc., and we were logging 60 gigabytes of data a day from different pieces of infrastructure," he said. "That's difficult to store. If you just want one day of information out of everything stored or see who is doing what on the Internet, it could take as long as two weeks to get data, depending on what you're looking for."
He added, "It makes more sense for us to use an appliance. We track 900 events per second -- 1,500 when you factor in the servers -- and it's easier to centrally manage tracking of all this activity across multiple devices in the network."
The initial appliance cost his department around $20,000. Include subsequent add-ons and the cost approaches $50,000. It's been worth it, he said. "We have an internal security team that manages the threat response and issues on the policy end. Now I can provide the team with an interface so if they worry that someone has gained unauthorized access, they can order up a report that chronicles that person's network activity, seeing what changes he's made across the system, and seeing if it squares with what that person should be allowed to do."
Using simulations for better preparedness
Happy State Bank's James said his team has also gotten a better grip on where the network threats are by using software from Boston-based Core Security Technologies, not to be confused with CoreStreet.
"Before Core, we didn't know what shape we were in," James said. "We had a firewall but no way to know if it was configured properly. Any server with internal or external exposure, we now have a better sense of when abnormal activity happens."
One reason is that they can run simulations of how different threats would affect the network. Instead of hiring a $100,000-a-year security professional to manually exploit systems and measure the threats, he said the Core software "can simulate every type of exploit for every type of system and I get a report to hand to our security committee and executives."
But like the others, James said there's no magic bullet for stopping insiders with an appetite for destruction.
"The internal threat should be anyone's No. 1 fear," he said. "Keeping out external attacks is one thing. But when it's from someone with trusted access, it's harder to get a handle on, especially as the company grows. Once upon a time I knew all the employees. Now we're so spread out it's harder."