IT departments should concentrate their IT security spending on network and systems monitoring in the coming months if they want to get the best value for their money, say IT security professionals.
Although most organisations are adequately protected by antivirus systems and firewalls, many IT departments are failing to actively monitor their networks effectively to check for signs of malware and hacking.
This is leaving businesses exposed to hackers and organised criminals, who are often able to skirt around protective security systems by exploiting unpatched vulnerabilities in software.
Marcus Alldrick, chief information security officer (CISO) at Lloyd's of London, says that active monitoring of risks is the key element missing from most corporate IT security policies.
"There are only so many protection measures a business can put in place," he says. "Business cannot concentrate only on protective measures, they need to look at detective measures."
The problem is that traditional anti-malware packages are not keeping up with evolving security threats. And security software suppliers tend to focus on high-risk threats.
"More than half of the security software security vulnerabilities identified in 2009 have yet to be patched by suppliers," says Bernt Ostergaard, research director at Current Analysis.
For organisations running legacy systems, patching can be problematic.
As Gary Cheetham, CISO at insurance firm NFU Mutual, says, "Many projects to replace legacy systems were put on hold in the recession, but patching of vulnerabilities on these systems has not been maintained."
And virtualisation is adding further complexity to patching, says Ray Stanton, head of business continuity, security and governance at BT Global Services.
"Although virtualisation has many cost and efficiency benefits, it needs to be architected with security and patching in mind," he says.
Hackers typically probe all sites within global organisations looking for vulnerabilities. Attacks are likely to include denial-of-service, clogging an e-commerce site with an empty-shopping-cart attack, and swamping DNS with amplification attacks. Each of these is made up of legitimate activity in itself, but used at scale they disrupt websites.
"In reality, cybercriminals are using a blend of medium to low level threats to chip away at security to access systems and gain control of them," says Alldrick.
"The job of the security professional is to piece that all together, which requires the help of systems to consolidate all the information centrally," says Bryan Littlefair, CISO of the Vodafone Group.
Ideally, IT departments should extend monitoring to third-party suppliers.
Organisations are increasingly required to take responsibility for protecting their data, as new regulations from government and the Financial Services Authority require protection of data in transit as well as at rest, says Cheetham.
"IT security professionals need to start opening up new lines of communication with service suppliers to ensure they understand how data is protected to ensure this complies with company, industry and government regulations," he says.
Beyond investment strategies, the overall strategy of information security professionals coming out of the recession should be to get more involved in business projects from the outset, says Cheetham.
"To be successful and cost effective, security and assurance need to be part of the DNA of any IT project from the embryonic stages," he says.
Detection systems to complement protection
- Intrusion detection and prevention systems
- Anomaly detection and analysis systems
- Network content analysis systems
- Security Information and Event Management (SIEM) systems
Firewall-based intrusion detection systems are supplied by a range of companies, including Qualys, Bluecoat, Cisco, IBM and Juniper.
Security Information and Event Management (SIEM) systems
Organisations should ensure that the SIEM takes inputs from as many of the infrastructure monitoring systems as is feasible.
"You have to cast the widest possible net to capture possible activities going on, which can be correlated to gain a view of possible attacks going on - whether they are slow and mean or brute force attacks," says Ray Stanton, head of business continuity, security and governance at BT Global Services.
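As an added illustration of the correlation Stanton describes (example code, not from the article or any vendor), this Python script pools constructed firewall and authentication events, normalises them, and flags one address for a brute-force burst and another for low-and-slow probing that the authentication feed on its own would never reveal. The log formats, thresholds and addresses are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feeds (not real logs). Each source has its own format,
# so the first job of a SIEM is to normalise before it can correlate.
FIREWALL_LOG = [
    "2009-11-01T02:00:00 DENY src=203.0.113.7 dport=22",
    "2009-11-02T02:05:00 DENY src=203.0.113.7 dport=23",
    "2009-11-03T02:10:00 DENY src=203.0.113.7 dport=3389",
    "2009-11-03T09:00:00 DENY src=198.51.100.9 dport=22",
]
AUTH_LOG = [
    "2009-11-01T02:01:00 AUTHFAIL user=admin ip=203.0.113.7",
    "2009-11-02T02:06:00 AUTHFAIL user=root ip=203.0.113.7",
    "2009-11-03T02:11:00 AUTHFAIL user=admin ip=203.0.113.7",
] + [f"2009-11-03T09:00:{s:02d} AUTHFAIL user=admin ip=198.51.100.9" for s in range(12)]

# Normalisers: one per feed, each returning (timestamp, ip, source_name).
def parse_firewall(line):
    ts, _, src, _ = line.split()
    return datetime.fromisoformat(ts), src.split("=")[1], "firewall"

def parse_auth(line):
    ts, _, _, ip = line.split()
    return datetime.fromisoformat(ts), ip.split("=")[1], "auth"

BURST_COUNT, BURST_WINDOW = 10, timedelta(seconds=60)  # brute force (assumed thresholds)
SLOW_DAYS, SLOW_SOURCES = 3, 2                         # low and slow (assumed thresholds)

def correlate(feeds):
    """feeds: list of (lines, parser). Returns {ip: set of findings}."""
    by_ip = defaultdict(list)
    for lines, parser in feeds:
        for line in lines:
            ts, ip, source = parser(line)
            by_ip[ip].append((ts, source))
    findings = defaultdict(set)
    for ip, events in by_ip.items():
        events.sort()
        times = [t for t, _ in events]
        # Sliding window: BURST_COUNT events from one address inside BURST_WINDOW.
        for i in range(len(times) - BURST_COUNT + 1):
            if times[i + BURST_COUNT - 1] - times[i] <= BURST_WINDOW:
                findings[ip].add("brute-force")
                break
        # Sustained activity across several days, seen by more than one sensor.
        if len({t.date() for t in times}) >= SLOW_DAYS and len({s for _, s in events}) >= SLOW_SOURCES:
            findings[ip].add("low-and-slow")
    return dict(findings)

if __name__ == "__main__":
    for ip, labels in correlate([(FIREWALL_LOG, parse_firewall), (AUTH_LOG, parse_auth)]).items():
        print(ip, sorted(labels))
```

Feeding only AUTH_LOG to correlate() still catches the burst but drops 203.0.113.7 entirely, which is the point of the widest possible net.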