
Posts tagged - Gartner

Monday, January 16, 2012

Guest Post: The Growing State of Network Insecurity and What to Do About It

By Sam Erdheim, AlgoSec

Amongst all of the security trend data that came out near the end of 2011, one stat from the Ponemon Institute that highlighted a growing state of insecurity in the network jumped out at me.  Specifically, 66 percent of IT security professionals surveyed stated that network security is not more secure than the previous year. This trend has been creeping up from the 50 percent-ish level to now two-thirds. With all of the technological advances we’ve made, why do we feel like we’re falling behind?

  • Changing threat landscape and the rise of APTs. This has been discussed ad nauseam, so I won’t kick this dead horse much longer. But, the point here is that the “bad guys” continue to innovate more quickly, and we will never win a game of cat and mouse. We need to be proactive in our efforts and always balance those security efforts against impact to the business (every business has its own risk posture).
  • While increased mobility, virtualization, the cloud and next generation firewalls are all impressive technological advances, they all introduce new — or extend — complexities in the network. If not managed properly, these can open up security gaps for attackers to exploit. Putting this into something more tangible… Gartner states that 95 percent of firewall breaches are due to firewall misconfigurations, not firewall flaws. If a traditional, stateful firewall can have a thousand or more tangled rules, then you multiply that by 10, 20, 50, 100 firewalls and the math starts to get ugly. Add in the complexity of more granular policies with next-gen firewalls, and that’s a mathematical problem for only those true numbers geeks.

The increased sophistication of threats and the rising complexity of the network lead me to the discussion of “back to basics.” It’s not sexy, but it works. Too often we set and forget. In a blog I wrote for my employer, AlgoSec, called Trends Shmends, I highlighted how we have become obsessed with the latest and greatest, and in turn oftentimes overlook network security fundamentals.

To be more specific, firewall management is tough. And too many organizations are relying upon overburdened IT teams to manually deal with it via disjointed and ad hoc processes. Spreadsheet audits. Overwhelming numbers of rules per firewall, many of which are redundant or unnecessary or overly permissive. Manual change management processes to address a regular dosage of requests that leave proper testing, validation and documentation wanting… What’s the ultimate impact? Misconfigurations in your network, which lead to risky scenarios. And, potentially, business disruptions due to change management processes that do not instill confidence. Coming out of the holiday season, many organizations were in a holiday network freeze as any change, even if extremely beneficial, could potentially bring down the network. While many want to keep things as is (if network availability is up now, don’t mess with it), I would argue this is an opportunity to improve processes and security – and ultimately business continuity.
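The rule-set problems listed above (redundant, shadowed and overly permissive rules) can be found by static analysis of an ordered policy. The following is an added example, not AlgoSec’s or BT’s code; the rule format, the wildcard threshold and the sample rule set are constructed for illustration.

```python
"""Static checks over an ordered firewall rule set: redundant rules, shadowed
rules and overly permissive allow rules.  Added example, not vendor code; the
Rule format and SAMPLE_RULES below are constructed."""
import ipaddress
from dataclasses import dataclass

ANY_NET = ipaddress.ip_network("0.0.0.0/0")
ANY_PORTS = (0, 65535)
PERMISSIVE_WILDCARDS = 3  # assumed threshold: allow rules with >=3 wildcards


@dataclass(frozen=True)
class Rule:
    name: str
    src: str        # CIDR or "any"
    dst: str        # CIDR or "any"
    proto: str      # "tcp", "udp" or "any"
    ports: tuple    # (low, high) inclusive destination port range
    action: str     # "allow" or "deny"


def _net(cidr):
    return ANY_NET if cidr == "any" else ipaddress.ip_network(cidr, strict=False)


def covers(outer, inner):
    """True when every packet matched by `inner` is also matched by `outer`."""
    if not _net(inner.src).subnet_of(_net(outer.src)):
        return False
    if not _net(inner.dst).subnet_of(_net(outer.dst)):
        return False
    if outer.proto != "any" and outer.proto != inner.proto:
        return False
    return outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1]


def analyse(rules):
    """Walk the ordered rule set once; return (kind, rule, detail) findings.

    A rule fully covered by an earlier rule never fires: with the same action
    it is redundant, with the opposite action it is shadowed."""
    findings = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                kind = "redundant" if earlier.action == rule.action else "shadowed"
                findings.append((kind, rule.name, earlier.name))
                break  # the first covering rule is the one that actually fires
        wildcards = sum([
            _net(rule.src) == ANY_NET,
            _net(rule.dst) == ANY_NET,
            rule.proto == "any",
            rule.ports == ANY_PORTS,
        ])
        if rule.action == "allow" and wildcards >= PERMISSIVE_WILDCARDS:
            findings.append(("overly_permissive", rule.name, f"{wildcards} wildcard fields"))
    return findings


# Constructed sample policy: a DMZ web segment with a "temporary" any/any rule
SAMPLE_RULES = [
    Rule("web-in",    "any",         "10.1.1.10/32", "tcp", (443, 443), "allow"),
    Rule("dmz-web",   "any",         "10.1.1.0/24",  "tcp", (80, 443),  "allow"),
    Rule("dmz-https", "any",         "10.1.1.0/24",  "tcp", (443, 443), "allow"),
    Rule("block-ssh", "any",         "10.1.1.0/24",  "tcp", (22, 22),   "deny"),
    Rule("admin-ssh", "10.9.0.0/24", "10.1.1.0/24",  "tcp", (22, 22),   "allow"),
    Rule("temp-any",  "any",         "any",          "any", ANY_PORTS,  "allow"),
]

if __name__ == "__main__":
    for kind, name, detail in analyse(SAMPLE_RULES):
        print(f"{kind:18} {name:10} ({detail})")
```

The check is pairwise against earlier rules only, so a rule that is covered by the union of several earlier rules (but by none alone) is not reported.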

So where to focus? When it comes to your network keep in mind business risk with regards to every decision you make, from firewall management to asset management. And make sure this is continuous, not a point in time. Keep up with your documentation and controls. And leverage automation where possible. All of this will enable you to reduce human error, tighten up configurations and focus on additional initiatives to better secure the business. The next shiny object may be more exciting, but our first step should be to go back to basics.

Monday, August 1, 2011

Are we in denial? Protecting the country’s infrastructure

Jeff Schmidt, Global Portfolio Head of Business Continuity, Security & Governance Capability, BT

I’ve been joking around lately that my home seems to be a Delta airplane.  But with all the travel, it has given me the opportunity to catch up on my reading.  Just the other day, I was reading a blog post by Gartner’s John Pescatore, who was looking back at the series of blackouts that have occurred in the United States over the years. The most recent was in 2003, and he asks the question: Are we still in denial about attacks that could cripple our nation’s infrastructure?

In the United States, 85 percent of the country’s infrastructure, including utilities, electrical, power plants, etc., is managed by the private sector.  The introduction of an attack, by a government or an individual, poses a risk to that infrastructure, as we saw recently with the Stuxnet attack on Iran.   

While the industry does have standards, these are not necessarily deployed or approached in the same manner and leave a lot to interpretation and approach to implementation.  Add in the lack of ability to measure the effectiveness of controls, and you have a problem with regards to consistency.  Add in that when events happen, in the public and private sectors, there is an inclination to not share information, creating a greater load on the industry to come up with individual approaches.  In fact, critical infrastructure information that is at times deemed confidential and top secret is a barrier to sharing information at the right level of detail and in a timely fashion.  The situation becomes even more complex when you add into this an ever-changing technological and threat landscape and a growing number of access points in the enterprise.

Having a better baseline — and not processes for the sake of process, but for the sake of ensuring critical infrastructure is protected — is essential.  Another essential is the creation of a set of standards for reporting and sharing, along with the right controls in place for incident response and the proactive means to stop an attack prior to it becoming a media event.

Incorporating processes and controls quickly will allow for a better cyber security posture for real-time and situational awareness.  It also would allow for the appropriate retrofitting of current, and the alignment of future, processes to ensure the appropriate systems are in place to meet Smart Grid protection needs today, tomorrow and in the future.

Friday, July 29, 2011

The Managed Security Services Market: A Decade in Review

By Tara Savage, Senior Marketing Manager, BT Global Services

It seems hard to believe that the mainstream Managed Security Services market is already ten years old.  While it might seem like just yesterday that Bruce Schneier founded Counterpane Internet Security, the vendors, the technologies, the threats, and the consumers have all matured far beyond their years.

While many predicted the death of the space almost immediately, outsourcing security is actually gaining momentum as more and more businesses realize just how enormous the task of securing even the most basic network is.

To find out what Ray Stanton, BT’s Vice President of Professional Services has to say about how to combine people and processes with technology for a successful partnership, check out this article from SC Magazine.

Thursday, December 2, 2010

Innovation Series: To innovate or not to innovate: That is the question

By Ben Rothke, Senior Security Consultant, BT Global Services

As part of a series on SecureThinking, we’ve recently focused on innovation.  We’ve discussed and debated the pros and cons of innovation within large multinationals.  Yesterday, we examined innovation in higher education.  David Escalante, Director of Computer Policy & Security at Boston College, asked if innovation doesn’t occur in Higher Education, then where else would it occur?

Now that we understand why universities must innovate, we’ve asked our expert, Ben Rothke, what considerations must be in place when innovating.  Here is his perspective on the topic:

If Hamlet had been a CIO, rather than considering “to be or not to be,” he would have pondered — “To innovate or not to innovate: that is the question.” 

The truth is that innovation can be fickle.  On one side, “he who hesitates is lost.”  On the other hand, “Good things come to those who wait.”

When it comes to technology, should a university be at the leading edge of innovation?  Or settle for the status quo at the trailing edge?  Ultimately, the answer is the proverbial it depends.

One of the bastions of innovation is MIT, where Kerberos was created.  Up the Charles River sits Scott Bradner who has pioneered security innovation at Harvard. 

On the other side of the spectrum are the thousands of smaller schools, with reduced budgets and less cutting-edge requirements.  For those institutions to be overly innovative is to tread in waters often far too deep for them.

Innovation for the sake of innovation is obviously foolish.  As Gartner notes in Five Myths of Innovation, few organizations truly understand the strategic and operational commitment required to obtain ongoing value from innovation.  A university therefore needs understanding and commitment before innovating, as opposed to far too many who take a just do it approach.

In some ways, innovation is like a dog — really cute (with the exception of poodles), but requiring  significant effort.

Some of Gartner’s key findings are:

  • Many are confused about innovation – what it is, what it can do and whether it can or should be formally managed
  • Even those considered to be highly innovative struggle to maintain a consistent and ongoing level of innovation
  • An accelerated pace of business change is compounding the problem of how to address the innovation imperative

With that, universities (and for that matter, all firms) should take the following recommendations to heart:

  • Create an imperative for innovation and establish the explicit link to revenue growth, operational restructuring or business model change
  • Define processes and metrics to encourage innovation that extends beyond the boundary of a centralized innovation or R&D organization
  • Develop processes to tap into outside sources of innovation
  • Apply technology within the framework of a structured problem-solving process to encourage participation and enhance ideas
  • Recognize the diverse roles required to sustain innovation and reward people for performing them
  • Cultivate the capability for continuous innovation to grow and transform the business and to stay aware of external threats and opportunities

Digest this: innovative schools need to be inherently innovative to make innovation work — the point being that there is no magic pixie dust to make innovation work.  You need to understand what innovation is and how to make it work.

Innovation is not a discrete set of functions within a specific unit.  Rather, it must be university wide.  Innovation requires complete integration into all processes, technologies, people, structure, management, and direction.

Any university that desires to develop innovation as part of its DNA needs to create an overreaching culture where innovation can extend into every process and every staff member.

Innovation is a significant endeavor.  For those who are committed, innovation is a game changer.  For those who are not, they are like the Detroit Lions, perennial losers.

Thursday, July 29, 2010

We have security problem blah, blah, blah – can you help us?

By Ben Rothke, Senior Security Consultant, BT Global Services, CISSP, CISM

Two years ago, my colleague Ben Tomhave and I wrote an article titled Information Security and the Importance of Context.

Perhaps we were ahead of our times, as a new report from Gartner — Effective Security Monitoring Requires Context — echoes some of the same sentiment.

In the report, Gartner Distinguished Analyst Mark Nicolett notes that the rapid discovery of a breach is key to minimizing the damage of a targeted attack.  And if you are the victim of a targeted attack, anything less than a targeted remediation effort is insignificant. 

In those 49 words, Nicolett subtly delineates between an organization that is on top of its information security effort, and those that are playing information security charades.

It’s 2010 — and far too many organizations are still clueless regarding their security risks.  They buy security products, write security policy, and do security things; but they lack the context in which to execute security initiatives.  They end up doing a security dance, but in the words of Billy Idol, they are dancing with themselves.

There are myriad excellent security books, articles and blogs; but the only way to use that information within your organization is to have a context in which to apply security processes.

The industry has also created a plethora of security best practices, which are often quite effective.  But if you don’t know your security problems, the “bestest” of the best security practices won’t do much for you.

So what do you need to know?  Know your enemies, know your security threats, and within that context, create a security strategy.

Nicolett breaks context down into four areas: user, data, application, and external threat.  Creating a matrix of your risks against those areas is fundamental.  Once that is done, a formal information security strategy can be executed.  The addition of context to your security event monitoring infrastructure will increase the likelihood of early discovery of a targeted attack, resulting in shorter recovery time, reduction in losses and other benefits.

For organizations that have done that, they find their security product purchases are radically different.  Rather than securing themselves against blah, blah, blah threats, they have metrics to show how effective they are.  Security purchasing costs go down, while the level of protection improves. 

On the web, content is key.  When it comes to information security and protecting your digital assets, context is key.  Know your context and protect your infrastructure.  If not, it is back to blah, blah, blah security.

Wednesday, July 7, 2010

Hi, my name is hype, and I am your security product

By Ben Rothke, Senior Security Consultant, BT Global Services, CISSP, CISM

In a just released report from Gartner, Look Beyond Vendors’ Architecture Hype When Selecting Network Security Products, analyst Bob Walder astutely notes that the factors that network security vendors prefer to stress are frequently irrelevant to their enterprise customers.

CISOs and security professionals making products purchasing decisions need to cut through the marketing hype and identify their own real-world needs.  They also must test network security products against those needs to find the most appropriate functionality and performance at the lowest possible cost.

Two of the pragmatic recommendations Walder makes: first, determine your enterprise-specific requirements for network security products with a focus on factors such as required security mechanisms, acceptable network performance impacts, and available IT and information security skill sets.  Second, develop a detailed testing plan for evaluating network security products against these predefined requirements.

What far too few companies seem to realize is that computer security products can’t do it alone.  The reality is that effective information security requires a strategic protection program that integrates people, products and technology. 

Too many firms are putting their hopes in the vendors and their products, without first knowing what their specific information security problem is.  When embarking on a security product purchasing decision, how many companies can answer the following fundamental question:  What is your security problem and how do you expect this security product to solve it?  The reason many security product deployments fail is that this essential question was never fully answered.

Any CISO who can’t answer that question is simply helping the sales rep reach their quarterly quota, while doing a disservice to their own organization.

The biggest mistake in security product procurement is that people buy security products without knowing specifically why they are making the purchase.  So what is the solution? 

Stop that cycle by considering the following:

  • Understand the limits of security products – There are no silver bullets.  Information security is far too complex to be solved by a single appliance.
  • Implement information security products in a systematic and methodical manner – Detail your requirements and map them to the product.  Don’t let the vendor drive the requirement process.
  • Information security strategy - Don’t buy information security products if you don’t have a formal information security strategy.
  • Policy – It is the underpinning of an effective information security program.  Security products abhor a policy vacuum.
  • Focus inward – Don’t look at the micro level of a security product.  Instead, examine the macro level of the security issues of the system or network you want to secure.  Don’t first obsess on the products.  Focus on your staff, internal procedures, requirements, etc.  After you have done the appropriate research and analysis, then you can obsess on the products.
  • Most security products are quite similar – As a general rule, most established COTS security products are essentially indistinguishable from each other and can fundamentally achieve what most organizations require. 

Friday, June 25, 2010

Keeping it Simple, Before You Drift into the Cloud

By Toby Weir-Jones, Vice President of Product Development, Managed Security Solutions Group, BT Global Services

This past week Gartner held its annual Security and Risk Management Conference at National Harbor, just outside Washington, D.C.  It’s interesting to note that in the last couple of years, Gartner has shifted the conference from being the IT Security Summit to focusing on risk management as a fundamental element of security.

One of the top risks to be managed, according to vice president and distinguished analyst, John Pescatore, is the explosion of botnets.  While most companies have dealt with botnets as something to respond to once they have been detected, Pescatore urged companies to focus on preemptive strikes: looking for ways to detect botnets prior to activation.

As companies place more of their trust and their resources in the cloud, preempting botnets becomes particularly important.  Pescatore suggested that the future of securing virtualized environments lies in web security gateways, application aware firewalls and web site security products.

But what can you do now to preempt botnets, especially if you’re struggling to find budget for security spend at the same time as more of your business processes are moving into the cloud?

What about leveraging your existing security infrastructure, particularly your firewalls?  BT MSSG has had significant success in using its customers’ firewalls to detect botnets through log analysis and event correlation.  Based on a fundamental understanding of botnet behavior, the BT MSSG team reasoned that since every botnet needs to call home at some point in order to be activated, outbound messages traversing a firewall will create detectable patterns of behavior that accurately indicate botnet activity before it has the opportunity to take over your network. 
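The “call home” reasoning above can be turned into a concrete detector over outbound firewall accept logs: group connections per source, destination and port, and flag flows whose inter-connection intervals are long and nearly constant. This is an added example and not BT MSSG’s code; the log line format, the thresholds and all addresses (RFC 1918 and RFC 5737 ranges) are constructed.

```python
"""Periodic-beacon detection over outbound firewall accept logs.  Added example,
not BT MSSG's code.  Log format, thresholds and sample traffic are constructed."""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed key=value log format, one accepted connection per line
LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ action=(?P<action>\w+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=\w+$"
)


def parse(lines):
    """Yield (timestamp, src, dst, dport) for every accepted connection."""
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["action"] == "accept":
            yield datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])


def find_beacons(lines, min_events=6, max_jitter=0.10, min_interval=30):
    """Return {(src, dst, dport): median_interval_seconds} for flows with at
    least `min_events` connections whose gaps vary by no more than `max_jitter`
    (population std dev / median) and whose typical gap is >= `min_interval`.

    Human browsing produces bursts of short, irregular gaps and so is not
    flagged; a bot polling its controller on a fixed timer is."""
    times = defaultdict(list)
    for ts, src, dst, dport in parse(lines):
        times[(src, dst, dport)].append(ts)
    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median = statistics.median(gaps)
        if median < min_interval:
            continue  # rapid bursts are ordinary page loads, not a slow poll
        if statistics.pstdev(gaps) / median <= max_jitter:
            beacons[key] = round(median)
    return beacons


def _line(t0, offset_s, src, dst, dport):
    ts = (t0 + timedelta(seconds=offset_s)).isoformat(timespec="seconds")
    return f"{ts} fw01 action=accept src={src} dst={dst} dport={dport} proto=tcp"


T0 = datetime(2010, 6, 21, 9, 0, 0)
# Constructed: 10.0.5.23 contacts 198.51.100.7:443 every ~300 s with a few
# seconds of jitter ...
BEACON = [_line(T0, 300 * i + j, "10.0.5.23", "198.51.100.7", 443)
          for i, j in enumerate([0, 2, -1, 3, 0, -2, 1, 2])]
# ... while 10.0.5.40 browses 203.0.113.10:80 in irregular human bursts.
BROWSING = [_line(T0, o, "10.0.5.40", "203.0.113.10", 80)
            for o in [0, 4, 9, 140, 145, 900, 904, 2300, 2306, 2311]]
SAMPLE_LOG = sorted(BEACON + BROWSING)

if __name__ == "__main__":
    for (src, dst, dport), period in find_beacons(SAMPLE_LOG).items():
        print(f"beacon candidate: {src} -> {dst}:{dport} every ~{period}s")
```

The jitter test is deliberately strict; a flagged flow still needs correlation with other events (destination reputation, time of day, number of internal hosts sharing the destination) before it is treated as an infection, and strongly randomized polling intervals would need a different statistic.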

While there are many more things that can be done to protect your company against botnets, this is a productive first step with an immediate and tangible return on investment.

Monday, November 30, 2009

Security Trends and Cyber Monday: What John Pescatore’s Comments Mean To You

Toby Weir-Jones, Vice President of Product Development, Managed Security Solutions Group, BT Global Services

Most internet users give little thought to security issues beyond asking their teenaged neighbor if it’s safe to send pictures of Fluffy to their kids at college.  Despite untold billions spent on awareness campaigns for the home user and at work, seemingly endless patches to Internet Explorer and Firefox, and any number of other reparative measures, we still have the same basic problems today that we had 10 years ago: users make mistakes that appear to have no real consequences, but in fact can be massively troublesome, and even potentially expensive.

John Pescatore, VP and Research Fellow for Gartner Research, was recently interviewed by Tom Field at BankInfoSecurity.com, in which he gave his opinion on the pressing security issues of the day.  Among his various suggestions, the most intriguing is the notion that internet activities should be insured and, more importantly, that users should have some kind of incentive structure in order to become insurable.

Cyber Monday is just the beginning of the online seasonal frenzy that will run its course over the next few weeks.  Your family, your colleagues and your staff are all likely to buy something online.  Some of them will start by looking for coupon codes, or responding to apparent promotions received by email.  And a smaller subset will end up going to the wrong sites, picking up some kind of nasty malware, and generally having a rotten time when their machine gets taken over, or they enter the credit card information into the wrong place.  Who is really responsible for the costs of cleanup and recovery under those conditions?

Right now we pay for clean-up, but very indirectly, because the losses are generally borne by the banks that issue the credit cards.  Sometimes, after a failed PCI audit, the merchants might be penalized, or suffer a chargeback if they didn’t validate a transaction correctly.  Those costs – plus administrative overhead and markup – do eventually come back to the consumer in the form of fees, higher prices, or reduced availability of purchasing options.  But since we don’t see them on the “Checkout” page, it’s as if they don’t really exist.

And this is the root of the issue.  As users we perceive that everything we do online is free unless we consciously choose to accept to pay for it ourselves.  But we also feel entitled to push all remaining costs (for development, or delivery, or risk management) back to the supplier, manufacturer, or their proxies.  The status quo is so powerful that any one provider who tries to change it will see their customer base evaporate overnight, shifting to a competitor who could withstand the expense an extra day.

The system, for all its efficiencies, has introduced costs which wiggle their way into all the little nooks and crannies brought about by automation and complexity.  “But if I buy it online, it has to be cheaper!” you cry.  But what constitutes “it”?  Yes, you’ve removed retail space and all those expenses, and your order fulfillment is doubtless more efficient, but you’ve also introduced multiple new opportunities for risk, fraud, and expense, none of which you, as a consumer, are currently willing to pay for.

There is evidence, however, that the balance is beginning to shift.  Some credit card issuers are already charging a premium if you make a purchase in a country foreign to your billing address – this is nominally a hedge against the increased risk of fraud, and it has the added benefit of being a massive profit center to off-set other costs incurred in the domestic market.

Pescatore’s notion that the users need to demonstrate some form of insurability requires at least two steps:  the user goes through the motions and then the underwriter bestows its blessing.  This will fail as long as a single-step option, i.e., the status quo, is available.  Think of Pescatore’s suggestion as PCI for retail consumers, but with much sharper teeth.  There will be huge outcries against such a scheme, but as consumers we must accept that our choice to use e-commerce vendors introduces additional costs into the system.  We can pinpoint where those costs originate quite accurately, based on the nature of the abuse, and it is those locations which should bear the costs (if they are legitimately responsible) or be able to pass them along the supply chain (if they are not).  While I am rarely a defender of banks, the current regulations limiting consumer liability to $50, simply because a credit card in their name was involved, are far too simplistic.

One way to make such a model more palatable is to pool the risk.  Lots of cards track purchases and accrue credits to a cash-back credit account, so we know the mechanics are easy enough.  Instead of charging consumers outright (thereby increasing transaction costs each time they make a purchase), collect fees on certain higher-risk transactions, pool the premiums, and then disburse those funds on a quarterly or annual basis to cover loss from any transaction using that issuer’s cards.  Don’t allow the banks simply to treat this as a fresh revenue stream; require any fees collected to be used first to offset incentive and IT conversion costs, second, to cover losses for otherwise-compliant merchants, and only third, to go to the bank’s bottom line.

In the meantime, modify the merchant fee structure to offer immediate penalties and incentives for compliance with next-gen PCI.  Create a new PCI demarcation for IT shops that can help smaller merchants modify their web sites to use more robust processor engines.  Help the smaller merchants by making it more attractive for them to run their credit card processing through larger, more established e-commerce providers, and create a market for those providers to buy books of business (via a combined cap cost and annuity) from the small and fringe processors.

Finally, make the increased cost of all this visible to the consumer.  Pescatore wants a dashboard to tell a CEO if his network is safe, but a consumer needs to know that his purchase price is paying for more than just the item and the “free” super-saver shipping.  Smart merchants and credit card issuers can leverage their compliance with such programs as a stronger value proposition to attract consumers, and more active participants in the risk-pooling model will help distribute accountability while amortizing recovery costs.