Companies take to the security warpath

Eric Litt, chief information security officer at General Motors, calls it "management by inclusion". Simply put, it's an information security strategy that reduces operational risk by denying network access and services to all people and processes not previously vetted by the company. "If I don't know you're good, I don't talk to you," Litt says.

Litt is one of a growing number of security managers who say traditional reactive defences -- focused on blocking known threats at the edge of the network perimeter -- are no longer enough. What's needed are more-proactive security capabilities that emphasize quicker identification and resolution of both internal and external threats.

"You just cannot sit back any longer and wait for your LAN to go down or for your employees to complain," says Ed Amoroso, chief information security officer at AT&T. "You need to be looking at things before they become a problem."

Several factors are driving this trend towards more strategic security operations. Laws such as the Sarbanes-Oxley Act have put a greater burden on companies to demonstrate due diligence on matters related to information security. Worms, viruses, spyware and other types of malicious code are getting a lot better at sneaking past firewalls, antivirus defences and intrusion-detection mechanisms. And growing wireless use, remote workers and the trend towards Web services are giving hackers more avenues for launching attacks.

Another important fact: the time it takes for hackers to exploit software holes has been shrinking dramatically, giving users very little time to react to new threats. The SQL Slammer worm of 2003 took eight months to appear after the flaw it exploited was first publicized. In contrast, last year's MyDoom worm started making the rounds in less than four weeks.

"It's getting so nasty out there, it's frightening," Amoroso says.

To achieve its goal of more-proactive security, GM launched a sweeping overhaul of its processes, including the manner in which it authenticates users and systems, enforces security policies, controls access to network services, patches holes, spots intruders and responds to incidents.

It's a mighty task for a $US186 billion behemoth with global operations, thousands of partners and tens of thousands of users. But it's essential in order for GM to stay one step ahead of the bad guys, Litt says.

"We are in a competitive stalemate with the creators of malware," Litt says. "What we are trying to do is regain the advantage."

Lane Timmons, a security systems analyst, says a key to this is a better understanding of how your company's networks behave normally so you can spot abnormal activity more quickly.

After getting hammered by worms and viruses over the past few years, the organization deployed several tools to help it spot and squelch attacks more quickly than the "hundreds of man-years of effort" that it used to take, Timmons says.

Among those tools is the network behaviour modelling product QRadar from Q1 Labs. The software analyzes and models typical network activity over a set period of time and then uses that data as a baseline to identify abnormal activity that might suggest the presence of worms, Trojans, port scans or denial-of-service attacks.
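The baselining approach described above, as an added illustration rather than Q1 Labs' code: learn each host's normal fan-out (distinct destinations per interval) over a quiet training window, then flag intervals where a host suddenly reaches far more peers than its baseline predicts, the pattern a scanning worm or port sweep produces. The flow records, hosts and thresholds are constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (interval, src, dst, dport).  Intervals 0-5 are
# the quiet training window; in interval 6 host 10.0.0.7 suddenly touches
# forty hosts on port 445, the fan-out pattern of a scanning worm.
FLOWS = [(i, "10.0.0.5", f"10.0.1.{n}", 80) for i in range(7) for n in range(1, 4)]
FLOWS += [(i, "10.0.0.7", "10.0.1.9", 443) for i in range(6)]
FLOWS += [(6, "10.0.0.7", f"10.0.2.{n}", 445) for n in range(1, 41)]

def fanout_per_interval(flows):
    """For each (src, interval): how many distinct destination hosts it contacted."""
    seen = defaultdict(set)
    for interval, src, dst, _ in flows:
        seen[(src, interval)].add(dst)
    per_src = defaultdict(dict)
    for (src, interval), dsts in seen.items():
        per_src[src][interval] = len(dsts)
    return per_src

def build_baseline(per_src, train_intervals):
    """Mean and standard deviation of fan-out per source over the training
    window.  Intervals with no flows count as zero, so silence is 'normal'."""
    baseline = {}
    for src, counts in per_src.items():
        samples = [counts.get(i, 0) for i in train_intervals]
        baseline[src] = (mean(samples), pstdev(samples))
    return baseline

def detect_anomalies(per_src, baseline, k=3.0, floor=5):
    """Return (src, interval, fanout) triples where fan-out exceeds the
    baseline by k standard deviations.  `floor` keeps a host with a
    near-zero, zero-variance baseline from alerting on one extra peer."""
    alerts = []
    for src, counts in per_src.items():
        mu, sigma = baseline.get(src, (0.0, 0.0))
        threshold = max(mu + k * sigma, mu + floor)
        for interval, n in sorted(counts.items()):
            if n > threshold:
                alerts.append((src, interval, n))
    return alerts

if __name__ == "__main__":
    per_src = fanout_per_interval(FLOWS)
    base = build_baseline(per_src, range(6))
    for src, interval, n in detect_anomalies(per_src, base):
        print(f"anomalous fan-out: {src} reached {n} hosts in interval {interval}")
```

The steady web client 10.0.0.5 never trips the rule; 10.0.0.7 does only in the burst interval, which is the point of modelling per-host behaviour instead of a single global threshold.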

Such behaviour modelling has dramatically improved the university's ability to detect and respond to both internal and external intrusions, Timmons says. "Our ability to do a real-time analysis of our networks has made a big difference," he says.

Actionable data

Integrating and correlating information from multiple security technologies is also crucial to enabling a more holistic view of the threats and vulnerabilities facing a corporate network, Amoroso says.

To this end, AT&T is retiring all its individual Internet-facing firewalls, intrusion-detection systems and antivirus tools and is integrating the functions into its IP backbone layer. The company has built a massive security event management system, called Aurora, that's capable of pulling in and correlating terabytes of network traffic and security data from the IP layer.

The data analysis allows AT&T to spot trends and signs of impending trouble far better than the fragmented view provided by the individual security technologies, Amoroso says.

"It gives us real actionable data, to respond to threats" before they materialize into full-fledged problems, he says.

Prep work

Being proactive also means ensuring that security is built into your application software and not bolted on later, says Mary Ann Davidson, CISO at Oracle.

Customers should ask vendors questions about their security practices, Davidson says. Questions should include, "How do you write secure code? Do you train your developers for that? Do you do ethical hacking to test your code? How are you making it easier for your customers to secure your code? What is the best practice for locking down your product?" she says.

What's crucial at GM, Litt says, is "making sure the code we get is really secure out of the box and that the vendors are not making us a testbed for their software." That's because most of the security problems companies are facing today are the direct result of software bugs that hackers are exploiting. Litt is working with several influential industry and user groups to pressure vendors to pay more attention to security.

"We are trying to use our combined voices to drive the software industry to think about security in a different way," says Litt, who for years has been including strict security terms and conditions in all of GM's software purchasing contracts.

GM is also applying the same concept to the software it develops in-house. The company has instituted "toll gates" for reviewing security at various stages in the product development lifecycle "even before the first line of code is written", Litt says.

In the end, however, there's a limit to just how proactive you can be, says Lloyd Hession, CISO at Radianz, a New York-based provider of telecommunications services to financial companies.

"One of the key issues is that we can't really figure out what the next threat scenario is going to be," he says. "A year ago, for example, nobody was up and jumping over spyware. It's kind of suboptimal to want corporate commitment and resources to be deployed today if you don't know what it is being deployed to really stop."

Instead, the goal should be to better prepare yourself for attacks, Hession says. And that means being able to identify threats early, have a good incident-response and backup process in place and ensure that there is no "skills mismatch" between your security team and the attackers when the attacks do come, he says.

"There is no silver-bullet technology or singular process change" for addressing this problem, Litt says. The goal should be to "social-engineer security into your processes versus putting it in as an afterthought," he says.

Time is of the essence

Advance warning can be useful in preparing and prioritizing defences, says Lloyd Hession, CISO at New York-based telecommunications provider Radianz. In May last year, for example, his company received advance information on a critical protocol vulnerability in its voice-over-IP networks that received little of the broad attention that worms and viruses get but was vital to fix nonetheless, Hession says.

Radianz was notified of the vulnerability by its security intelligence service from Symantec, which it uses to monitor impending threats to its security. Symantec's DeepSight threat management system collects data from firewall and intrusion-detection systems from about 20,000 sensors placed on customer networks around the world and looks for patterns suggesting worm or virus attacks.

Ensuring that all internal and external systems attempting access to a corporate network have the proper security configurations can prevent otherwise secure networks from being compromised by rogue machines. So, too, can timely patching, says Tim Powers, senior network administrator at Southwire Co, a maker of electrical wires and cables.

"This is a game where we used to have a few weeks to prepare. Now, days matter," says Powers, who is using an automated patch management tool from LANDesk Software to test and deploy patches across his network. "It's about doing it better and faster and just lowering the time between getting patches and getting updated."

Weapons in the armory

Technology vendors are pitching a variety of tools and approaches to help companies better prepare for attacks. Among them are the following:

Intrusion-prevention systems

These products, evolved from network intrusion-detection systems, help companies block both known and unknown attacks. Most products in this class work by looking for known virus signatures and anomalous network behaviour that might indicate the presence of a worm or virus.

  • UnityOne IPS, TippingPoint Technologies
    What it does: In addition to identifying and blocking threats, the tool supports traffic classification and rate-shaping functions for high-priority applications.

  • Attack Mitigator IPS 5500, Top Layer Networks
    What it does: The ASIC-based hardware appliance is designed to deal with content-based attacks, such as worms and Trojan horses, as well as rate-based attacks, such as distributed denial-of-service attacks.

  • Juniper IDP, Juniper Networks
    What it does: It's a rules-based intrusion-detection and -prevention tool.

  • Proventia, Internet Security Systems Inc
    What it does: This appliance has more than 225 built-in rules for detecting and blocking hybrid threats.

Endpoint security products

These ensure that endpoint devices, such as PCs, notebooks and handhelds, have appropriate protections in place, including active firewalls and updated antivirus software and patches, before letting the devices access a corporate network.

  • Cisco Security Agent, Cisco Systems
    What it does: This software combines host intrusion-prevention functions with spyware/adware protection and host firewall and operating system integrity assurance.

  • Check Point Integrity, Zone Labs
    What it does: It combines PC firewall technology with central policy management and policy-based enforcement on endpoint devices.

  • Secure Enterprise, Sygate
    What it does: It combines endpoint agent technology with policy management servers, LAN-based enforcement servers and remediation capabilities.

  • CyberGatekeeper, InfoExpress
    What it does: This product suite combines functions for monitoring and enforcing security policies on local and remotely connected systems.

Security incident/event management technologies

This class of products is used by companies to gather, consolidate and analyze information from multiple-point technologies such as firewalls, antivirus products and intrusion-detection systems. The goal is to enable better identification and response to key security incidents.

  • Security Manager, NetIQ
    What it does: It consolidates data from across the enterprise network and combines event correlation, visualization, trending and forensics to help companies get a more holistic picture of their security.

  • Enterprise Security Manager, ArcSight
    What it does: It correlates events and information from multiple devices, including asset value and vulnerability data. It also supports automated investigation and resolution of problems.

  • nFX Open Security Platform, NetForensics
    What it does: It supports event normalization, threat visualization, reporting and analytics, policy compliance monitoring and incident resolution management.
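The two ingredients this product class and AT&T's Aurora system are described as providing, event normalization and cross-product correlation, as an added illustration that is not any vendor's code: three point products (firewall, IDS, antivirus) log in three different formats, each is mapped onto one common schema, and an incident is raised only when more than one product reports the same host inside a short window. Log formats, hosts, signature names and the assumed year for the year-less syslog timestamp are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three point products, each in its own
# native format (firewall log, Snort-style IDS syslog, antivirus CSV).
RAW = [
    "fw|2005-03-01T10:00:05|DENY src=10.0.0.7 dst=10.0.2.3 dport=445",
    "fw|2005-03-01T10:00:09|DENY src=10.0.0.7 dst=10.0.2.4 dport=445",
    "Mar  1 10:00:40 ids snort[22]: [1:100:1] SMB probe {TCP} 10.0.0.7 -> 10.0.2.5:445",
    "2005-03-01 10:01:30,av,10.0.0.7,Worm.Sample,quarantined",
    "fw|2005-03-01T10:30:00|DENY src=10.0.0.9 dst=10.0.2.3 dport=22",
]

def normalize(line):
    """Map one raw line onto the common schema {ts, source, host, event}.
    Returns None for lines no parser understands; a real pipeline should
    count those rather than drop them silently."""
    m = re.match(r"^fw\|(\S+)\|(\w+) src=(\S+) dst=\S+ dport=(\d+)$", line)
    if m:
        return {"ts": datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%S"),
                "source": "firewall", "host": m[3], "event": f"{m[2]} dport={m[4]}"}
    m = re.match(r"^(\w{3}\s+\d+ [\d:]+) ids snort\[\d+\]: \S+ (.+?) \{\w+\} (\S+) -> ", line)
    if m:  # syslog timestamps carry no year; 2005 is assumed for the sample
        ts = datetime.strptime(m[1], "%b %d %H:%M:%S").replace(year=2005)
        return {"ts": ts, "source": "ids", "host": m[3], "event": m[2]}
    m = re.match(r"^(\S+ \S+),av,([^,]+),([^,]+),(\w+)$", line)
    if m:
        return {"ts": datetime.strptime(m[1], "%Y-%m-%d %H:%M:%S"),
                "source": "antivirus", "host": m[2], "event": f"{m[3]} {m[4]}"}
    return None

def correlate(events, window=timedelta(minutes=5), min_sources=2):
    """Group events by host and raise an incident when a host is reported by
    at least `min_sources` different products within `window`.  A firewall
    deny alone is noise; deny + IDS hit + AV quarantine on one host is not."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    incidents = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            srcs = {e["source"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(srcs) >= min_sources:
                incidents[host] = sorted(srcs)
                break
    return incidents
```

Running `correlate([e for e in map(normalize, RAW) if e])` yields an incident for 10.0.0.7 only; 10.0.0.9, seen by the firewall alone, stays below the correlation threshold.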
