<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Secure Thinking &#187; &#8211; IPS</title>
	<atom:link href="http://www.btsecurethinking.com/tag/ips/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.btsecurethinking.com</link>
	<description></description>
	<lastBuildDate>Fri, 18 May 2012 14:04:01 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.2</generator>
		<item>
		<title>Next Generation Firewalls and Web Proxy: Better Together Apart</title>
		<link>http://www.btsecurethinking.com/2011/12/next-generation-firewalls-and-web-proxy-better-together-apart/</link>
		<comments>http://www.btsecurethinking.com/2011/12/next-generation-firewalls-and-web-proxy-better-together-apart/#comments</comments>
		<pubDate>Mon, 05 Dec 2011 15:29:17 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[SecureServices]]></category>
		<category><![CDATA[- IPS]]></category>
		<category><![CDATA[- Skype]]></category>
		<category><![CDATA[network based firewalls]]></category>
		<category><![CDATA[Palo Alto Networks. Web proxy]]></category>

		<guid isPermaLink="false">http://www.btsecurethinking.com/?p=2250</guid>
		<description><![CDATA[By Hans Haverhals, Business Development Director, BT Traditional network layer firewalls rely on ports and protocols for security policy enforcement and management. This approach has traditionally provided adequate visibility and control, but with today’s changing threat vectors, has become completely ineffectual. The task of securing an organization from the Internet has become very difficult now [...]]]></description>
			<content:encoded><![CDATA[<p><strong><em>By Hans Haverhals, Business Development Director, BT</em></strong></p>
<p>Traditional network layer firewalls rely on ports and protocols for security policy enforcement and management. This approach has traditionally provided adequate visibility and control, but with today’s changing threat vectors, has become completely ineffectual.</p>
<p>The task of securing an organization from the Internet has become very difficult now that Internet-hosted application delivery technologies use random port hopping, in contrast to the ‘good old days’ when they simply used HTTP port (80) or HTTPS port (443) for <em>everything</em>. The problem is magnified by the fact that network layer firewall platform development has stagnated for over a decade while Internet-hosted application delivery has rapidly evolved.</p>
<p>Over the past few years, most enterprises have adopted additional filtering technologies in an attempt to fill the widening gap between the capabilities of traditional network layer firewalls and the requirements of risk management. One of these technologies is the web proxy/cache, which was originally deployed to accelerate applications and save bandwidth.</p>
<p>Proxy/caches do a critical job, providing a single point of controlled egress to the internet, typically saving about 25-30% of bandwidth and accelerating HTTP-based application delivery.</p>
<p>The exponential increase in traffic volumes and the proliferation of web-hosted applications have exposed the flaws in the additional filtering technology approach. Traditional web proxy implementations simply can’t keep up: web proxies struggle with today’s throughput numbers, adding latency to real-time applications. In addition, developing functional control by proxies for every web-based application takes time and slows development of proxy-based solutions to a point where enterprises can’t control all of their traffic except by a very broad brush approach &#8211; just a few of the applications running over some of the more common protocols.</p>
<p>As a result, many enterprises are concerned that they have become overly dependent on this inefficient and expensive architecture&#8230;</p>
<p>In essence, a firewall must enable an organization to see and control, in a policy-based manner, what users and applications are doing between the private network and the Internet. But traditional network layer firewalls have fallen down on the job. Security and risk management requirements have changed, and firewalls must now understand both users and applications.</p>
<p>More band-aids (i.e., web proxies and other filtering technologies) are not going to fix the problem.  However, the answer may be found in a next-generation firewall.</p>
<p>Next-generation firewalls put application visibility and control back into the firewall, removing the need for the deployment of additional filtering technology.  This approach has brought the enforcement of security policy (and the control over what users and applications are doing) back to the firewall, where it belongs.  In doing so, proxy &amp; filtering solutions can be utilized for what they were designed to do: acceleration and bandwidth management.</p>
<p>There is no doubt that next-generation firewalls and web proxies are critical to the enterprise IT infrastructure, but like many things, these two are best deployed when they play to their own strengths.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.btsecurethinking.com/2011/12/next-generation-firewalls-and-web-proxy-better-together-apart/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>There is no ROI for Security</title>
		<link>http://www.btsecurethinking.com/2011/11/there-is-no-roi-for-security/</link>
		<comments>http://www.btsecurethinking.com/2011/11/there-is-no-roi-for-security/#comments</comments>
		<pubDate>Fri, 18 Nov 2011 10:20:05 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[SecureROI]]></category>
		<category><![CDATA[- CISO]]></category>
		<category><![CDATA[- IPS]]></category>
		<category><![CDATA[- Managed Security Monitoring]]></category>
		<category><![CDATA[- PKI]]></category>
		<category><![CDATA[- ROI]]></category>
		<category><![CDATA[Managing Operating Expenses]]></category>
		<category><![CDATA[Next Generation Firewall]]></category>
		<category><![CDATA[Next-Gen Firewall]]></category>
		<category><![CDATA[OpEx]]></category>
		<category><![CDATA[Scanning]]></category>
		<category><![CDATA[Secure Messaging]]></category>
		<category><![CDATA[Security Reporting]]></category>
		<category><![CDATA[UTM]]></category>

		<guid isPermaLink="false">http://www.btsecurethinking.com/?p=2221</guid>
		<description><![CDATA[By Toby Weir-Jones, Vice President of Product Development, BT Counterpane We’ve heard that many times, probably just as many as we’ve seen attempts to prove the statement wrong.  Like car insurance, there is no incremental ROI in the literal sense.  You don’t see your wallet get fatter as a result of buying a policy.  Remember [...]]]></description>
			<content:encoded><![CDATA[<p><strong><em>By Toby Weir-Jones, Vice President of Product Development, BT Counterpane</em></strong></p>
<p>We’ve heard that many times, probably just as many as we’ve seen attempts to prove the statement wrong.  Like car insurance, there is no incremental <a href="http://www.btsecurethinking.com/2011/06/are-you-wasting-money-on-security/">ROI</a> in the literal sense.  You don’t see your wallet get fatter as a result of buying a policy.  Remember what insurance is for, however:  it provides a fixed payout on a variable risk.  Your premiums pay for coverage up to a certain amount (the fixed payout) which you can access in a wide variety of circumstances (you hit someone; someone hits you; your car is stolen).  There is non-monetary value to be found in the knowledge that your policy is in place and up to date.  You don’t need to squirrel away funds for a rainy day, so you can use that capital for other purposes.</p>
<p>In the information security space, we <a href="http://www.btsecurethinking.com/2011/01/2011-the-year-ahead-in-managed-security-solutions/">invest in technologies</a> which hopefully improve our organizations’ ability to respond to unknown threats.  We evaluate their effectiveness by combining increased visibility to the types of things they control with some kind of commercial assessment of how important those things are to our businesses.  IPS tells us what kinds of known exploits or other malicious activities are on our networks; our knowledge of whether our networks are vulnerable to that activity tells us whether it is helpful information or not.</p>
<p><a href="http://www.btsecurethinking.com/2011/05/a-quantum-leap-for-cisos/">CISOs</a> need to focus on seeing combined benefits across their projects, ideally by having them all feed into a common reporting scheme.  For example:</p>
<p>A large enterprise has deployed various technologies across the estate (<a href="http://www.globalservices.bt.com/LeafAction.do?Record=managed_pki_products_uk_en-gb&amp;fromPage=Furl&amp;chapterKey=1">PKI</a>, secure messaging, <a href="http://www.btsecurethinking.com/2011/07/guest-post-the-rule-of-all/">IPS</a>, <a href="http://www.btsecurethinking.com/2011/10/everything%e2%80%99s-changed-defining-the-next-generation-of-threats/">next-gen firewall</a>, monitoring, scanning).  Each of those activities generates its own reports, highlights benefits/errors/exceptions, and generally chatters away on its own. </p>
<p>Next year, the Board indicates that budgets need to be trimmed 15%.  How does the CISO respond?</p>
<p>You can’t authenticate 15% fewer transactions</p>
<p>You can’t sanitize 15% fewer messages</p>
<p>You can’t deploy 15% fewer IPS signatures</p>
<p>…etc. </p>
<p>Historically what we’ve seen is stretching out the lifecycle of deployed technologies, so instead of replacing something on a 3-year cycle, push it to 4 or even 5.  And, inevitably, the plans to increase headcount feel pressure.</p>
<p>But the other area, which is perhaps hardest to measure, is suspending <strong>new</strong> projects.  So perhaps the original plan had called for replacing the message hygiene, IPS, and FW platforms with new UTM capabilities.  If the budget pressure can be met by suspending that, it’s likely the project would be deferred, <strong>even if OpEx increases as a result.</strong></p>
<p>And that’s the crux.  Quantifying benefits derived from security investments is difficult, much like quantifying benefits from auto insurance, if you haven’t had to file a claim.  But continued spend on maintenance <strong>as a ratio of technical capabilities realized</strong> is unavoidable, and a useful starting point.  You need to be honest about those capabilities, since obviously you could be entirely self-serving in reporting the model, and every firm will have a ratio which is right for them. </p>
<p>But that gives us the common reporting scheme I mentioned at the start.  For any given product category, its features will fall into one of a small number of buckets:</p>
<p>1)       Obsolete</p>
<p>2)       Industry-comparable</p>
<p>3)       Unique/vendor-specific</p>
<p>Anything on this list needs to be individually demonstrable.  So if a <a href="http://www.globalservices.bt.com/LeafAction.do?Record=Secure_Mail_products_uk_en-gb&amp;Context=Solutions&amp;icid=gssolutions_tagged_taggedtxt_Secure_Mail_products_uk_en-gb">mail hygiene</a> system has the ability to remove <a href="http://www.btsecurethinking.com/2010/12/security-tips-for-christmas-countdown/">viruses</a> and <a href="http://www.btsecurethinking.com/2011/10/when-good-ads-turn-bad-the-new-threat-from-malvertising/">malware</a>, you have to be able to <a href="http://www.btsecurethinking.com/2010/08/managing-risk-across-the-extended-enterprise/">measure</a> both the number of such items removed, and what percentage of the total that number represents.  If it can’t be <a href="http://www.btsecurethinking.com/2011/09/how-can-the-growing-challenges-of-compliance-be-met-at-affordable-cost/">measured</a>, it can’t be treated as a discrete feature on the product. </p>
<p>Each of those will, in turn, have a utility value <strong>for the individual enterprise</strong>.  I would suggest using a scale of 1-4 would be appropriate, where 1 is the least useful and 4 is the most.</p>
<p>The sum of each feature’s category and utility values gives you a broad view which you can plug into the ratio with corresponding spend.  And it separates you from worrying about how to quantify benefits only when catastrophic events occur.</p>
<p><a href="http://www.btsecurethinking.com/2011/10/security-around-the-world-wrapping-up-with-a-birds-eye-view/">CISOs</a> are among the best-positioned to drive schemes such as this into the corporate rhetoric.  They can avoid the impassioned defense of individual vendors by focusing on product categories first, and they can frame the results in commercial terms to other members of the senior leadership team.  This isn’t a scheme to provide an exhaustive analysis, it’s a rough-cut sorting mechanism to provide one incremental level of improvement over how to present value equations to peers.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.btsecurethinking.com/2011/11/there-is-no-roi-for-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What’s Your MSSP Done for You Lately?</title>
		<link>http://www.btsecurethinking.com/2011/11/what%e2%80%99s-your-mssp-done-for-you-lately/</link>
		<comments>http://www.btsecurethinking.com/2011/11/what%e2%80%99s-your-mssp-done-for-you-lately/#comments</comments>
		<pubDate>Fri, 11 Nov 2011 12:02:26 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[SecureServices]]></category>
		<category><![CDATA[- Compliance]]></category>
		<category><![CDATA[- IDS]]></category>
		<category><![CDATA[- IPS]]></category>
		<category><![CDATA[- Managed Security Services]]></category>
		<category><![CDATA[- MSSP]]></category>
		<category><![CDATA[- PCI DSS]]></category>
		<category><![CDATA[- risk appetite]]></category>

		<guid isPermaLink="false">http://www.btsecurethinking.com/?p=2204</guid>
		<description><![CDATA[By Jeff Schmidt, Global Portfolio Head of Business Continuity, Security &#38; Governance Capability, BT I would suspect your answer is that your MSSP has provided you with top flight protection against attacks, enabled your company to meet its compliance goals, kept your device signatures up to date and delivered reports that contain information that’s relevant [...]]]></description>
			<content:encoded><![CDATA[<p><em><strong>By Jeff Schmidt, Global Portfolio Head of Business Continuity, Security &amp; Governance Capability, BT</strong></em></p>
<p>I would suspect your answer is that your MSSP has provided you with top flight protection against attacks, enabled your company to meet its compliance goals, kept your device signatures up to date and delivered reports that contain information that’s relevant to your IT team up through your Board of Directors.  After all, that’s what you pay them for, right?</p>
<p>But what if you had the opportunity to peek at what your security colleagues were getting from their MSSP?  Would you feel like the guy in the middle seat of coach, when they found out that their colleague flying in business class paid the same amount for their ticket?</p>
<p>Without trying to create ‘FUD’, are you checking up on your service provider and are you validating the components and service levels? After all, the best security services are often ones you don’t know are there because they are catching, preventing and defending against attacks before you know about them.  So is your MSSP doing all they should? Are they supporting and proactively preventing mischief in your enterprise and driving along your corporate mission to ensure that you are well paired? For starters, if you’re not a BT customer and you’re reading SecureThinking, is it because your MSSP isn’t investing in thought leadership or because their blog is simply a series of intelligence summaries that you already pay for in your monitoring contract?</p>
<p>And, if you’re reading this blog today and you’re a BT customer, you didn’t have the opportunity to attend BT’s annual Security Leaders’ Conference this September.  It’s one of the events I look forward to throughout the year; the 3 days when we bring our customers together with our in-house security rock stars, industry analysts and partners to share, connect, and collaborate.</p>
<p>When we first put together this concept 6 years ago we made certain to keep the sales pitches at bay and focus on developing the conference as a vehicle for thought leadership.  We offer our customers unfettered access to our senior leadership team to ask the hard questions about road maps, technology development and service delivery and, in return, to offer their input into those key areas.   Then, there are the roundtables, keynotes, and track sessions where our customers can take a step back from the tactical responsibilities of their day job to focus on the bigger picture and hear many different, yet well-informed, perspectives.</p>
<p>Being a security practitioner is a tough job.  Amidst the constant changes, new risks and threats, how do you keep up with it all and sleep well at night? While BT’s customers still face these challenges on a daily basis, they do so in a collaborative environment; not only with their teams at work, but also with their teams at BT whose passion it is to protect our customers, their people, reputations, and intellectual capital.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.btsecurethinking.com/2011/11/what%e2%80%99s-your-mssp-done-for-you-lately/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security Around the World: Middle East and Africa</title>
		<link>http://www.btsecurethinking.com/2011/09/security-around-the-world-middle-east-and-africa/</link>
		<comments>http://www.btsecurethinking.com/2011/09/security-around-the-world-middle-east-and-africa/#comments</comments>
		<pubDate>Mon, 19 Sep 2011 10:02:12 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[SecureStrategies]]></category>
		<category><![CDATA[- Blackberry]]></category>
		<category><![CDATA[- ethical hacking]]></category>
		<category><![CDATA[- governance]]></category>
		<category><![CDATA[- IPS]]></category>
		<category><![CDATA[- Risk]]></category>
		<category><![CDATA[- risk management]]></category>
		<category><![CDATA[and Compliance]]></category>
		<category><![CDATA[Application Level Firewall]]></category>
		<category><![CDATA[Arab Spring]]></category>
		<category><![CDATA[CITC]]></category>
		<category><![CDATA[Cyber Security. Mobile Device Security]]></category>
		<category><![CDATA[GRC]]></category>
		<category><![CDATA[Information Security in the Middle East]]></category>
		<category><![CDATA[iPads]]></category>
		<category><![CDATA[Twitter Revolution]]></category>

		<guid isPermaLink="false">http://www.btsecurethinking.com/?p=2029</guid>
		<description><![CDATA[As part of our Security Around the World series, we want to give our readers a global perspective on security issues.  For this post, we asked Tareque Choudury, the CSO and Head of Professional Services for MEA for BT, to share his insights with SecureThinking.  He discusses the state of network security in his region.  By: [...]]]></description>
			<content:encoded><![CDATA[<p><em>As part of our </em><a href="http://www.btsecurethinking.com/2011/06/recognizing-security-around-the-world/"><em>Security Around the World</em></a> <em>series, we want to give our readers a global perspective on security issues.  For this post, we asked Tareque Choudury, the CSO and Head of Professional Services for MEA for BT, to share his insights with SecureThinking.  He discusses the state of network security in his region. </em></p>
<p><strong><em>By: Tareque Choudury, CSO and Head of Professional Services, BT MEA </em></strong></p>
<p>The Middle East and Africa is a dynamic region with a wide array of cultures and varying political landscapes. Over the past six months we have seen the region change radically through populist-led movements and information technology has been at the heart of these changes. With information technology being so prevalent in the lives of millions across the region, information security is a topic that is being discussed in government offices, by the media and at office water coolers.  And the two hot topics would appear to be  the security and privacy of social networking and trying to find an answer to that perennial question of what is the best anti-virus program to get?</p>
<p>The mindset of many people is that Middle East and Africa are always a few years behind when it comes to information technology and security; but this assumption couldn’t be further from the truth. I am seeing many companies implementing application level firewalls and IPS devices, executing business continuity projects, starting risk management initiatives and GRC (governance, risk and compliance) programs across their organizations; I have even met a few companies who have a roadmap for cyber security strategies. </p>
<p>Probably the most interesting topic I am speaking to CSOs about is their <a href="http://www.btsecurethinking.com/2011/05/assessing-risk-in-the-mobile-world-part-one/">mobile security strategy</a>; what do they do with all these tablets and smart phones coming in to the organization? The new work force want to use their own phones that they have an affiliation to; the executives are being given iPads to work with and many enterprises offer Blackberry services; and they all want corporate email, access to shared services from their devices and want their favourite social networking application loaded.  Conundrum? Just a little….. However the market is listening and there are some good technologies to enable the management and control of enterprise mobile devices.</p>
<p>CITC, the telecommunication regulatory body in The Kingdom of Saudi Arabia, recently released a statement warning organizations across the country that there has been a massive increase in the number of threats infiltrating its borders.  The advice has been that organizations need to increase visibility and that they should become more vigilant; proactive initiatives should be put into place, such as ethical hacking programs on organizational infrastructure to determine their own existing vulnerabilities and source <a href="http://www.btsecurethinking.com/2011/08/mobile-app-devs-make-the-same-old-mistakes/">code reviews</a> for any applications developed in-house.</p>
<p>In South Africa, parliamentary powers have enacted laws that put the responsibility for information technology and governance squarely on the shoulders of the board of directors.  Placing accountability and responsibility all the way at the top, should ensure that IT governance is taken seriously by the business community. So, as you can see, there’s a lot to talk about in Middle East and Africa and many of the issues faced in this region are similar to what is being discussed around the world. Until next time, goodbye (English), Salaam (Arabic), Totsien (Afrikaans) and Kwaheri (Swahili)!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.btsecurethinking.com/2011/09/security-around-the-world-middle-east-and-africa/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What’s New in the Resource Center?  Carnival Cruise Lines Case Study</title>
		<link>http://www.btsecurethinking.com/2010/12/what%e2%80%99s-new-in-the-resource-center-carnival-cruise-lines-case-study/</link>
		<comments>http://www.btsecurethinking.com/2010/12/what%e2%80%99s-new-in-the-resource-center-carnival-cruise-lines-case-study/#comments</comments>
		<pubDate>Fri, 10 Dec 2010 16:23:28 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[SecureServices]]></category>
		<category><![CDATA[- BT Counterpane]]></category>
		<category><![CDATA[- BT Global Services]]></category>
		<category><![CDATA[- Carnival Cruise Lines]]></category>
		<category><![CDATA[- IPS]]></category>
		<category><![CDATA[- Managed Security Monitoring]]></category>
		<category><![CDATA[- MSM]]></category>
		<category><![CDATA[- PCI Compliance]]></category>
		<category><![CDATA[- PCI DSS]]></category>

		<guid isPermaLink="false">http://www.btsecurethinking.com/?p=1105</guid>
		<description><![CDATA[By Tara Savage, Senior Marketing Manager, BT Global Services Carnival Cruise Lines is one of the best-known cruise lines in North America and one of the most profitable in the world.  Like many high-profile consumer brands, Carnival faces significant data security challenges: To keep critical competitive information safe To protect its customers’ data And to [...]]]></description>
			<content:encoded><![CDATA[<p><em>By Tara Savage, Senior Marketing Manager, BT Global Services</em></p>
<p>Carnival Cruise Lines is one of the best-known cruise lines in North America and one of the most profitable in the world.  Like many high-profile consumer brands, Carnival faces significant data security challenges:</p>
<ul>
<li>To keep critical competitive information safe</li>
<li>To protect its customers’ data</li>
<li>And to comply with PCI-DSS requirements</li>
</ul>
<p>To meet these challenges, Carnival Cruise Lines has been working with BT’s Managed Security Solutions Group to monitor its overall security posture as well as provide specific reporting data on PCI-DSS related activities.  As well as meeting PCI-DSS compliance requirements, BT’s monitoring services provide the security team at Carnival Cruise Lines with real time monitoring and alerting, enabling the cruise lines to be acutely aware of its security status at all times.</p>
<p>To read the full case study in our <a href="http://www.btsecurethinking.com/learn-more/">Resource Center</a> click <a href="http://www.btsecurethinking.com/request-a-document/">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.btsecurethinking.com/2010/12/what%e2%80%99s-new-in-the-resource-center-carnival-cruise-lines-case-study/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What CSOs Talk About at Dinner</title>
		<link>http://www.btsecurethinking.com/2010/08/what-csos-talk-about-at-dinner/</link>
		<comments>http://www.btsecurethinking.com/2010/08/what-csos-talk-about-at-dinner/#comments</comments>
		<pubDate>Mon, 09 Aug 2010 19:19:02 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[SecureServices]]></category>
		<category><![CDATA[- Android]]></category>
		<category><![CDATA[- Blackberry]]></category>
		<category><![CDATA[- BT Counterpane]]></category>
		<category><![CDATA[- CISO]]></category>
		<category><![CDATA[- CSO]]></category>
		<category><![CDATA[- data protection]]></category>
		<category><![CDATA[- Hard Disk Encryption]]></category>
		<category><![CDATA[- IDS]]></category>
		<category><![CDATA[- Information Security]]></category>
		<category><![CDATA[- iPad]]></category>
		<category><![CDATA[- iPhone]]></category>
		<category><![CDATA[- IPS]]></category>
		<category><![CDATA[- Patch Management]]></category>
		<category><![CDATA[- risk management]]></category>
		<category><![CDATA[- Risk Register]]></category>

		<guid isPermaLink="false">http://www.btsecurethinking.com/?p=855</guid>
		<description><![CDATA[By Jill Knesek, Chief Security Officer, BT Global Services Last week I had the pleasure of meeting with some of Chicago’s outstanding CISOs and CSOs.  We met for dinner to discuss those thorny and gnarly issues that keep us working overtime to make sure that our companies are secure and our employees excel at work.  [...]]]></description>
			<content:encoded><![CDATA[<p><em>By Jill Knesek, Chief Security Officer, BT Global Services</em></p>
<p>Last week I had the pleasure of meeting with some of Chicago’s outstanding CISOs and CSOs.  We met for dinner to discuss those thorny and gnarly issues that keep us working overtime to make sure that our companies are secure and our employees excel at work.  So, what was on our menu that night?</p>
<p>The first hot topic was methods of securing data across companies with disappearing perimeters.  BT, like many companies, works to enable its workers to literally <a href="http://globalservices.bt.com/BusinessContentAction.do?N=4294967153&amp;col1Id=4294966754&amp;col2Id=Work_anywhere_business_needs_all_en-gb&amp;title=Work%20anywhere">work anywhere</a> to boost their productivity and enhance their work-life balance.  But as the office walls disappear, new challenges abound.</p>
<p>While we touched on what value firewalls and IDSs provide, much more time was spent discussing endpoint security, such as personal firewalls, antivirus products and good patch management processes.  I see particular value in hard disk encryption on laptops, which renders stored data nearly useless to thieves. </p>
<p>Obviously, mobile devices are top of mind for us.  Not only do we have to worry about laptops &#8212; with more companies supporting a “BYOD” (bring your own device) policy, we have a whole new set of things to be concerned about.  For example, it seems inevitable that companies will need to let employees bring their own hardware platform into the workplace.  And, while we all love our iPads, iPhones, Blackberries, and Android phones, with hundreds of thousands of apps available for download and many thousands more becoming available each day, how do we secure them?  While I wish I could say that we came up with a solution during dinner, this topic, for now, still generates more questions than answers.</p>
<p>The other topic that provoked a great deal of discussion as the economy emerges slowly from recession is how we secure new acquisitions.  The biggest problem facing CSOs in this area is &#8212; how do we change the culture of a new acquisition without breaking the business model that made them a desirable target?  But, the bottom line is that at the end of the day, CSOs are responsible for the security of <span style="text-decoration: underline;">all</span> company assets, whether organic or acquired.  From my view, the key is good communication with the acquired management team and a strong security awareness campaign, since employees remain our first line of defense.  After that, it comes down to pure risk management and understanding the biggest threat against the acquired company &#8212; and mitigating that piece first.</p>
<p>And, from that discussion, we found ourselves deep in the nitty-gritty of <a href="http://www.globalservices.bt.com/HubAction.do?Record=business_continuity_security_governance_products_category_all_en-gb&amp;fromPage=Furl">Risk Management</a>.  I know this message is getting tired, but the reality is that having a mature risk management program with real stats and data to back up your risk register can be a great tool in communicating at the boardroom level.  We can’t be Chicken Little, but we do need to rely on cold hard facts that resonate with the senior management team. </p>
<p>The example I used was how to relate a fraud case to the senior leadership team in terms of revenue lost from the bottom line.  For example, if you lose $1 million in a fraud, how much revenue would it take to make up for that net loss?  Well, if the revenue was from a service with a 15% margin, it would take nearly $7 million in new revenue to make up for the loss.  Putting the cost of crime in terms of revenue helps the CFO and senior management appreciate the importance of reducing crime through security.</p>
<p>By the time we reached dessert, we’d hashed through these and other very interesting topics.  And, while we didn’t come up with concrete solutions or definitive answers, we learned a lot from sharing our common experiences and unique responses. </p>
<p>I’d like to thank everyone who came and invite you all to carry on the conversation in cyberspace.  Leave a comment below, or let me know what you think in the <a href="http://www.linkedin.com/groupInvitation?groupID=113049&amp;sharedKey=2E928A5E0187">Security Leaders Group</a> on <a href="http://www.linkedin.com/pub/jill-knesek/1/62a/2a2">LinkedIn</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.btsecurethinking.com/2010/08/what-csos-talk-about-at-dinner/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>To Disclose or Not to Disclose: That is the question</title>
		<link>http://www.btsecurethinking.com/2010/06/to-disclose-or-not-to-disclose-that-is-the-question/</link>
		<comments>http://www.btsecurethinking.com/2010/06/to-disclose-or-not-to-disclose-that-is-the-question/#comments</comments>
		<pubDate>Thu, 10 Jun 2010 15:59:04 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[SecureStrategies]]></category>
		<category><![CDATA[- Bank of America]]></category>
		<category><![CDATA[- BT Counterpane]]></category>
		<category><![CDATA[- BT MSSP]]></category>
		<category><![CDATA[- firewalls]]></category>
		<category><![CDATA[- IDS]]></category>
		<category><![CDATA[- IPS]]></category>
		<category><![CDATA[- Jim Tiller]]></category>
		<category><![CDATA[- security controls]]></category>
		<category><![CDATA[- security disclosure]]></category>
		<category><![CDATA[- Vaune Carr]]></category>

		<guid isPermaLink="false">http://www.btsecurethinking.com/?p=730</guid>
		<description><![CDATA[  With many of the security incidents that have occurred, customers are now uncertain as to which companies they should trust and which companies they should be concerned about.  One way to overcome this hurdle is to disclose information on a company’s security strategy in order to instill confidence.   But the question arises – is [...]]]></description>
			<content:encoded><![CDATA[
<p>With many of the security incidents that have occurred, customers are now uncertain as to which companies they should trust and which companies they should be concerned about.  One way to overcome this hurdle is to disclose information on a company’s security strategy in order to instill confidence.  </p>
<p>But the question arises – is it in the best interest of a company to reveal security controls?  Or is disclosing this information making the company a target for hackers?  We asked our experts for their thoughts on this issue. </p>
<p>Vaune Carr, a principal consultant for BT Global Services, expressed her opinion on the topic:</p>
<p style="padding-left: 30px;"><em>When it comes to disclosing a company’s security defenses, many organizations insist on being secretive.  I happen to agree.  If a company has a need to talk about their security strategy, my suggestion is to be more controlled about any discussion of their specific computing environment as opposed to openly publicizing the information where it can possibly be used against them.  Why?</em></p>
<p style="padding-left: 30px;"><em>Well, it is simple, really.  An organization that reveals its specific hardware and software measures to the public or to competitors or to others runs the risk of opening themselves up to attack, or they make it easier than it would have been if an attacker had to guess what was on their end.  In fact, while having a public discussion of its security posture, the company may be unintentionally drawing attention to incomplete controls, literally inviting hackers into their networks.  And for those who are confident in their controls, it seems they are basically daring a criminal to prove them wrong and hack into their systems.  Why put your organization in that position?  </em></p>
<p style="padding-left: 30px;"><em>Ultimately, it is not the investment in tools that makes an organization good at security.  What makes ALL the difference is how you manage, monitor and maintain these tools.  But in the end, as you decide with whom you want to discuss how good your organization is at security, just make sure to provide some pertinent metrics.  </em></p>
<p>Jim Tiller, vice president, Security Professional Services for BT Global Services agrees:</p>
<p style="padding-left: 30px;"><em>I agree with Vaune.  And it’s worth briefly exploring the pros and cons of sharing security information.  Most enterprises will have standardized, best-practice security controls, such as firewalls, IDS/IPS, and the like – generally very predictable.  Add to this that even entry-level script kiddies can determine the type, software and version of many systems. So it can be argued that you may not be giving away information that can’t be easily discovered surreptitiously.  What we’re really talking about are the details and nuances.</em></p>
<p style="padding-left: 30px;"><em>Let’s ask the big question &#8212; Are there any advantages of sharing security information? Well, in some ways, yes.  A prominent security challenge is knowing what works and what doesn’t.  By sharing information with others, you can learn from one another and find a more refined and effective balance for your environment.  </em></p>
<p style="padding-left: 30px;"><em>Then there is the concept of information as a deterrent, which is based on the “path of least resistance” for a threat, assuming that when a potential attacker knows your network is being monitored, for example, they will move on to another, less secure target. Unfortunately, this doesn’t apply to many forms of threats – deterrence in infosec is a gamble at best.  Lastly, a consistent and popular argument is consumer impression.  An online bank that shares details on their security controls to customers may increase customer confidence and loyalty; seemed to work for Bank of America.</em></p>
<p style="padding-left: 30px;"><em>What we’re really talking about is that disclosing details about your security controls publicly can play to a hacker’s desire to make an example of you. It’s like poking a dangerous animal &#8212; you’re increasing the chances of getting bit.  You better be sure of those controls, because they’ll be tested. In fact, I will go as far as to say it’s less about the </em>content<em> of the information and more about the </em>culture<em> of the threat. Tell a hacker you’re secure and, regardless of your security control sophistication, they are attracted to you like a shark to blood – you become something to be conquered. </em></p>
<p style="padding-left: 30px;"><em>Therefore, as with all things security, it’s weighing the advantages against the risk and managing information disclosure.  It is well within reason to share certain information at varying degrees of detail with different groups and in different conditions, as long as there is clarity on the value-to-risk ratio you get from doing so.  Nevertheless, being a professional paranoid… my default rule is “loose lips sink ships.” </em></p>
<p>Weigh in with your thoughts.  Do you believe an organization should share security information or keep it under wraps?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.btsecurethinking.com/2010/06/to-disclose-or-not-to-disclose-that-is-the-question/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Past the Point of PCI</title>
		<link>http://www.btsecurethinking.com/2010/03/past-the-point-of-pci/</link>
		<comments>http://www.btsecurethinking.com/2010/03/past-the-point-of-pci/#comments</comments>
		<pubDate>Fri, 05 Mar 2010 15:08:27 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[SecureStrategies]]></category>
		<category><![CDATA[- Breach Security]]></category>
		<category><![CDATA[- BT Counterpane]]></category>
		<category><![CDATA[- Card Breach]]></category>
		<category><![CDATA[- Compliance]]></category>
		<category><![CDATA[- Data Breach]]></category>
		<category><![CDATA[- firewalls]]></category>
		<category><![CDATA[- Forensics]]></category>
		<category><![CDATA[- IDS]]></category>
		<category><![CDATA[- IPS]]></category>
		<category><![CDATA[- PCI DSS]]></category>
		<category><![CDATA[- RSA]]></category>
		<category><![CDATA[- Vulnerability Scans]]></category>
		<category><![CDATA[- WAFS]]></category>
		<category><![CDATA[- Web Application Firewalls]]></category>

		<guid isPermaLink="false">http://www.btsecurethinking.com/?p=483</guid>
		<description><![CDATA[By:   Sushila Nair, Product Manager, Managed Security Solutions Group,                 BT MSSG      &#38;            Sanjay Mehta, Senior Vice President, Breach Security The nirvana of that moment in time when you are completely secure without a single vulnerability in sight is unfeasible and, even if it were possible, it would be fleeting.  Despite our fondest wishes [...]]]></description>
			<content:encoded><![CDATA[<p>By: Sushila Nair, Product Manager, Managed Security Solutions Group, BT MSSG &amp; Sanjay Mehta, Senior Vice President, <a href="http://www.breach.com/">Breach Security</a></p>
<p>The nirvana of that moment in time when you are completely secure without a single vulnerability in sight is unfeasible and, even if it were possible, it would be fleeting.  Despite our fondest wishes for this moment, we accept the fact that our networks are vulnerable and are in a constant state of flux, causing the vulnerabilities to alter and the risks to change.  Organizations struggle with how to continue to develop their core business while managing their risk and doing it all with fewer people and resources than they had last year.  The only way this is possible is to work smarter – but how does that translate into practice?</p>
<p>We accept that our security is flawed, so it becomes critical that we place security devices wherever we have high or unacceptable risk.  It is essential that the security alerts from security products like WAFS, firewalls, IDS/IPS as well as host information and application logs are centralized.  The devices we select are critical and should be chosen in line with risk.  It is worth bearing in mind that web applications are one of our largest areas of risk and were one of the key areas of focus in PCI DSS 1.2 which was based on the forensics of card breaches.</p>
<p>Once the devices are selected, the complexity of managing this new technology comes into play and, again, outsourcing is a serious option for companies that are constrained by head count.  The footprints of what has happened on our network are in our log files, and it’s impossible to check the multitude of consoles for the vast array of products that we have, so it is critical that we centralize our log files and have the capability to correlate them and look for patterns of attack.  Unfortunately, security breaches are not limited to 9 to 5 or business hours, so our security monitoring framework must be built to take this intelligence, look for patterns of attack and be manned 24&#215;7.</p>
<p>This week’s RSA Conference pinpointed the problem of treating compliance as a single point in time. </p>
<p>Most companies breathe a sigh of relief once PCI compliance is “achieved” via an audit or code review.  IT professionals move on to the next priority, and often, compliance “maintenance” is forgotten.  In doing so, they fail to understand that audits and code reviews are outdated the moment they are completed.  Web applications continue to be developed and altered, and as a result, continued compliance can’t be ensured with the “one-time look” that occurs with audits and code reviews.  And it would certainly be cost-prohibitive to conduct an audit or review with each application change.</p>
<p>Fortunately, continuous PCI compliance can be achieved using a web application security solution that provides real-time, continuous security for all protected web applications. </p>
<p>In today’s compliance landscape, it’s simply not enough to know that a problem exists.  Sophisticated web application security solutions help companies mitigate problems.  Organizations need to have a real-time solution – not just a single look in time – to be truly secure and PCI compliant.</p>
<p>Here is more information on how vulnerability scans and code reviews compare to web application firewalls:</p>
<table border="0" cellspacing="0" cellpadding="0" width="100%">
<tbody>
<tr>
<td width="45%"><strong>Vulnerability Scans and<br />
Code Reviews</strong></td>
<td rowspan="7" width="10%"><strong>VS.</strong></td>
<td width="45%"><strong>Web Application Firewalls</strong></td>
</tr>
<tr>
<td width="45%">Looks at one web application at a single point in time.</td>
<td width="45%">Provides real-time, continuous security for all protected web applications.</td>
</tr>
<tr>
<td width="45%">Must be repeated for each application change.</td>
<td width="45%">Profiles each application’s acceptable behavior and automatically learns changes.</td>
</tr>
<tr>
<td width="45%">May not cover every line of code.</td>
<td width="45%">Secures the entire web application.</td>
</tr>
<tr>
<td width="45%">Can result in inconsistent findings due to vendor interpretations.</td>
<td width="45%">Provides factual information on vulnerabilities.</td>
</tr>
<tr>
<td width="45%">Does not fix vulnerabilities that are found.</td>
<td width="45%">Serves as a “virtual patch” that protects each application’s vulnerabilities.</td>
</tr>
<tr>
<td width="45%">Is expensive.</td>
<td width="45%">Offers immediate ROI.</td>
</tr>
</tbody>
</table>
]]></content:encoded>
			<wfw:commentRss>http://www.btsecurethinking.com/2010/03/past-the-point-of-pci/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Guest Post: McAfee – Day Zero is Dead … Long Live Day Zero!</title>
		<link>http://www.btsecurethinking.com/2009/10/guest-post-mcafee-day-zero-is-dead-%e2%80%a6-long-live-day-zero/</link>
		<comments>http://www.btsecurethinking.com/2009/10/guest-post-mcafee-day-zero-is-dead-%e2%80%a6-long-live-day-zero/#comments</comments>
		<pubDate>Wed, 28 Oct 2009 21:55:52 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[SecureAlert]]></category>
		<category><![CDATA[- BT Counterpane]]></category>
		<category><![CDATA[- BT MSSP]]></category>
		<category><![CDATA[- IPS]]></category>
		<category><![CDATA[- McAfee]]></category>
		<category><![CDATA[- Microsoft Patch Tuesday]]></category>
		<category><![CDATA[- Mike Nielsen]]></category>
		<category><![CDATA[- SecureAlerts]]></category>
		<category><![CDATA[- Zero Day threats]]></category>

		<guid isPermaLink="false">http://www.btsecurethinking.com/?p=137</guid>
		<description><![CDATA[Mike Nielsen, Director for Network Security, McAfee It wasn’t very long ago that Network Intrusion Prevention System (N-IPS) vendors were in furious debate over who released the signature first after a new exploit was discovered, protecting their customers fastest from the attack du jour.  The story line went something like this: 1) Microsoft announces &#60;some [...]]]></description>
			<content:encoded><![CDATA[<p>Mike Nielsen, Director for Network Security, McAfee</p>
<p>It wasn’t very long ago that Network Intrusion Prevention System (N-IPS) vendors were in furious debate over who released the signature first after a new exploit was discovered, protecting their customers fastest from the attack du jour.  The story line went something like this:</p>
<p>1) Microsoft announces &lt;some large number&gt; vulnerabilities on Tuesday</p>
<p>2) Fast forward 80 days: Threat X is discovered, targeting one of the above vulnerabilities – this is the classic Day Zero</p>
<p>3) Fast forward somewhere between eight minutes and two weeks: numerous IDS vendors release some large number of exploit-based signatures</p>
<p>The winner of the “competition” was always the vendor who released their exploit signatures in the shortest timeframe after Step 2; and then, issued the press release.  So went the early days of Network IPS.</p>
<p>Then, rather suddenly (around 2005), Step 2 shortened from 80 days to 10, then five, to two, and then finally to one day.  This made some of us in the industry take pause, and to think – there’s something far more sinister at work here.</p>
<p>What was ignored broadly then, and is glossed over broadly now by many IPS vendors, is that the above timeframe is nonsense at its core.</p>
<p>Instead, we need to look at this very differently:</p>
<p>1) New software is released to market.  <strong>This is Day Zero.</strong></p>
<p>2) Fast forward 0 seconds: Vulnerabilities exist in this software, but not many people know about them</p>
<p>3) Fast forward several weeks: Attacks are underway against these vulnerabilities, but they are isolated and targeted</p>
<p>4) Fast forward three months: Software vendor announces vulnerabilities and patch on Tuesday</p>
<p>5) New, broadly used exploits are discovered against those <em>announced</em> vulnerabilities</p>
<p>6) Security vendors scramble to be the first to market their protections to Step 5</p>
<p>What is overlooked (Steps 2-3) is fundamental to the challenge we face: the day a new piece of software is released to the market, there are vulnerabilities, and there are certainly hackers exploiting them as fast as they can discover them.  The protection gap &#8212; rather than being from the time a new vulnerability is <strong><em>announced</em></strong> to the day a new attack is <strong><em>discovered</em></strong><em> &#8212; </em>is actually the time from when the software is released to the time the vendor issues the patch.  Then the cycle starts all over again.</p>
<p>So what is Day Zero now?</p>
<p>Day Zero needs to be thought of as the day a new piece of software is released.  And in order to protect yourselves in our second scenario above, you need to know that your network protections are guarding against what we don’t know, versus what’s made the headlines.</p>
<p>That’s where Vulnerability Analysis on your IPS comes into play.  It’s no longer adequate to look for what’s been announced.  You need to be ready for what the hackers are doing long before the press release comes out.  That’s where McAfee and BT come in – we have more than 350 researchers on staff finding vulnerabilities and fixing them long before the software patches become available, and eons ahead of the rest of the industry.  And it’s why we can claim that our platforms, and hence BT Managed Security Solutions Group, protect customers on average <em>80 days ahead of the threat</em>.</p>
<p>The proof is in the results.  Verifying a vendor’s claims can be a challenge, and it’s precisely why independent validation is so important.  Want more info?  Visit <strong><a href="http://nsslabs.com/IPS/McAfee-M8000.html">http://nsslabs.com/IPS/McAfee-M8000.html</a></strong> for more information and to understand why vulnerability analysis and IPS detection accuracy are so important.</p>
<p><em>As Director for Network Security, Mike Nielsen is responsible for all elements of McAfee’s Network Intrusion Prevention Systems on the highly successful I and M-series platforms.  Mike is a veteran of the telecom and security industries, with more than 15 years’ experience in developing, deploying and marketing high-speed network and security solutions.  </em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.btsecurethinking.com/2009/10/guest-post-mcafee-day-zero-is-dead-%e2%80%a6-long-live-day-zero/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>National Cybersecurity Awareness Month Tip 4: Testing Your IDS/IPS</title>
		<link>http://www.btsecurethinking.com/2009/10/national-cybersecurity-awareness-month-tip-4-testing-your-idsips/</link>
		<comments>http://www.btsecurethinking.com/2009/10/national-cybersecurity-awareness-month-tip-4-testing-your-idsips/#comments</comments>
		<pubDate>Mon, 26 Oct 2009 21:50:29 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[SecureStrategies]]></category>
		<category><![CDATA[- BT Counterpane]]></category>
		<category><![CDATA[- BT MSSP]]></category>
		<category><![CDATA[- IDS]]></category>
		<category><![CDATA[- IPS]]></category>
		<category><![CDATA[- NCSAM]]></category>
		<category><![CDATA[- tcpreplay]]></category>

		<guid isPermaLink="false">http://www.btsecurethinking.com/?p=133</guid>
		<description><![CDATA[Tom Le, Director Research and Development, Managed Security Solutions Group, BT Global Services Do you perform any testing on your IDS/IPS?   What are your test procedures when applying a signature update, deploying a policy change, or enabling some new analysis module?  After all, you wouldn’t consider releasing production software without adequate testing, so shouldn’t the [...]]]></description>
			<content:encoded><![CDATA[<p>Tom Le, Director Research and Development, Managed Security Solutions Group, BT Global Services</p>
<p>Do you perform any testing on your IDS/IPS?   What are your test procedures when applying a signature update, deploying a policy change, or enabling some new analysis module?  After all, you wouldn’t consider releasing production software without adequate testing, so shouldn’t the same apply to the IDS/IPS deployment process in a production network environment?</p>
<p>The reality is that few organizations perform much, if any, testing on their IDS/IPS infrastructure.  Many consider IDS/IPS as part of the networking infrastructure, where most changes are considered operational tasks that do not go through a development life cycle that would include testing in a lab environment prior to a production rollout.  The big problem with this approach is that while most changes to a router or firewall can be validated immediately, IDS/IPS changes typically have no immediately measurable impact.</p>
<p>Without having an explicit list of measurable test objectives, you have to rely on empirical testing.  This is actually simple to do with an IDS/IPS because you have an abundance of empirical data available, i.e., your existing network traffic.  To empirically test the impact of IDS/IPS changes, a simple procedure would include:</p>
<ol>
<li>Capturing a good sample size of existing network traffic, such as 24 hours of network traffic.</li>
<li>Replaying the captured network traffic against the current and new IDS/IPS configuration using a tool such as the open source tcpreplay.</li>
<li>Comparing the alerts generated by the IDS/IPS in both replay runs to determine any impact of the new configuration.</li>
</ol>
<p>This same traffic payload is now kept as a baseline and used for automated testing before every future IDS/IPS update.  Another feature of tcpreplay is that you can replay a lot of captured network traffic in a short period of time, which allows for testing many hours’ worth of network traffic in a few minutes and for load testing your IDS/IPS.</p>
<p>The current version of tcpreplay is 3.4.3 and is available at <a href="http://sourceforge.net/projects/tcpreplay">http://sourceforge.net/projects/tcpreplay</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.btsecurethinking.com/2009/10/national-cybersecurity-awareness-month-tip-4-testing-your-idsips/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

