The experts weigh in on their top picks for protecting enterprise networks.
Network World asked security pros to name their No. 1, must-have, go-to security tool. We received responses from industry analysts, enterprise security practitioners, academics, and members of industry associations. Many of the experts we interviewed pointed out that there is no silver bullet when it comes to security, so your best bet is a defense in depth strategy that combines as many of these approaches as possible.
SysInternals and Windows GodMode
Ron Woerner, director of CyberSecurity Studies at Bellevue University: "There are certain things all network, IT, and security professionals should have in their toolbag. The most important is knowledge; i.e., where to learn more about a particular topic, technique, or tool. It’s impossible to know everything; so focus on where to get quality instruction and information."
Woerner recommends two websites: www.howtogeek.com and blogs.msdn.com/ for reference; and two toolkits: SysInternals and Windows GodMode. The former is a grouping of simple Windows tools and the latter is administration applications already available in the Control Panel.
Yier Jin, assistant professor of computer science and electrical engineering at the University of Central Florida, says knowledge is the key. "I would say cybersecurity awareness is the one, best tool. Many breaches are caused by internal workers who lack cybersecurity awareness and, therefore, click links from spam email, which often initiates the breach. For tools, I recommend Microsoft Enhanced Mitigation Emergency Toolkit (EMET), an excellent toolkit that every company should have."
Secure@Source, QRadar, ArcSight, Splunk
Jeff Northrop, CTO at International Association of Privacy Professionals, uses the term data security intelligence to describe tools that help IT understand their data landscape. "Currently, we have business intelligence tools, data integration tools, data discovery tools, data encryption tools, compliance tools, and SIEM tools. All require an understanding of what data is collected, where it's located, and how it's structured, categorized, and used. Most vendors operate in one or two of these areas, but a few companies have recognized a need for better information on the data they're responsible for protecting, and are extending their products to meet this need." Northrop lists Informatica’s Secure@Source, IBM’s QRadar, HP’s ArcSight, and Splunk.
Insider threat protection
Mike Papay, vice president and CISO at Northrop Grumman says, "In the context of destructive malware and insider-enabled data loss, businesses should invest in security tools that protect from the inside out. Similar to a broken windows policing strategy, security tools that can baseline, and then detect and alert on anomalies in network and client behavior help businesses mitigate problem activity early in the threat cycle."
Privileged identity management
"I recommend Privileged Identity Management (PIM) tools that control the administrative password and, in some cases, shared business passwords and credentials," says Andras Cser, vice president and principal security/risk analyst at Forrester. "These tools are absolutely critical to prevent data breaches by making always-on system administrator access to on-premises and cloud workloads a thing of the past. PIM tools check out and change passwords for critical workloads, which makes attackers' snooped administrator and root passwords worthless. Also, PIM (generally) enforces close monitoring and recording of all programmatic and/or human administrative access to machines."
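The check-out/rotate workflow Cser describes, as an added illustration (not the code of any PIM product): a toy vault hands a credential to one administrator for a bounded session, records every action, and rotates the credential on check-in or expiry, so a password copied during the session stops working. The target systems are simulated by a dict of current passwords; the account name and user names are constructed.

```python
"""Toy privileged-credential vault (added example, not a product's code).

Models the PIM workflow: an administrator checks a credential out for a
bounded session, the vault records who held it, and on check-in (or expiry)
the vault rotates it so a copy captured during the session no longer works.
Targets are simulated here; a real PIM would log in to each workload to
perform the rotation.
"""
import hmac
import secrets


class PrivilegedVault:
    def __init__(self, ttl_seconds=900):
        self.ttl = ttl_seconds
        self._current = {}    # account -> password currently valid on the target
        self._sessions = {}   # account -> (user, expires_at)
        self.audit = []       # append-only record of every vault action

    @staticmethod
    def _generate():
        return secrets.token_urlsafe(24)

    def enroll(self, account):
        """Take control of an account: the vault sets a value nobody has seen."""
        self._current[account] = self._generate()
        self.audit.append(("enroll", account, None))

    def checkout(self, account, user, now):
        """Release the credential to one user for at most ttl seconds."""
        holder = self._sessions.get(account)
        if holder and holder[1] > now:
            raise PermissionError(f"{account} is checked out by {holder[0]}")
        if holder:  # session expired without check-in: rotate before reuse
            self._rotate(account, reason="expired")
        self._sessions[account] = (user, now + self.ttl)
        self.audit.append(("checkout", account, user))
        return self._current[account]

    def checkin(self, account, user):
        """End the session; the value the user held is immediately retired."""
        holder = self._sessions.get(account)
        if not holder or holder[0] != user:
            raise PermissionError(f"{user} does not hold {account}")
        del self._sessions[account]
        self.audit.append(("checkin", account, user))
        self._rotate(account, reason="checkin")

    def _rotate(self, account, reason):
        self._current[account] = self._generate()
        self.audit.append(("rotate", account, reason))

    def target_accepts(self, account, password):
        """Simulates the target system checking a login against its current password."""
        return hmac.compare_digest(self._current[account], password)


def snooped_password_scenario():
    """Returns (valid during session, valid after check-in) for a copied password.

    Constructed scenario: 'alice' checks out root on a database host, the value
    is copied mid-session, and alice checks it back in.
    """
    vault = PrivilegedVault(ttl_seconds=600)
    vault.enroll("root@db-01")          # constructed account name
    captured = vault.checkout("root@db-01", user="alice", now=1_000)
    during = vault.target_accepts("root@db-01", captured)
    vault.checkin("root@db-01", user="alice")
    after = vault.target_accepts("root@db-01", captured)
    return during, after


if __name__ == "__main__":
    print(snooped_password_scenario())   # (True, False)
```

The audit list is the part of the design that gives Cser's "close monitoring and recording" property: every checkout, check-in and rotation is attributable to a named user or a stated reason, and the rotation on an expired session prevents an administrator who never checked in from leaving a long-lived password behind.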
"There are three tools that all companies should have," says Gary Hayslip, deputy director and CISO for the City of San Diego, "patch management, data backup, and full disk encryption. These tools provide the basic cyber-hygiene foundation, which enables companies to continue to grow safely and respond to incidents. Then, as the revenue stream increases, they can add more security controls to the organization. If I had to choose just one, I'd say patch management. Having a patch management solution in place reduces risk exposure to the organization by keeping its IT assets up-to-date, which makes it harder for the bad guys. However, there's no guarantee that any one solution will resolve all issues."
David Giambruno, senior vice president and CIO at Tribune Media, suggests that enterprises should move toward the concept of a software defined data center. "We're using VMware’s solution stack for its micro-segmentation capabilities—summarized as security at the element layer," he says. "Historically, this was incredibly challenging with hardware but, in the software world—where everything is a file—you can wrap everything with a security posture. Security follows wherever the element goes, either internal or external. The auditability, operational automation, and visibility change defensive capabilities." Giambruno deployed Cyphort for its capabilities to see east/west traffic in the cloud.
"One interesting new area is using technology to provide a layer between the user and SaaS solutions, so the enterprise can manage authentication and encryption and hold its keys, while maintaining close-to-full functionality with the software as a service (SaaS) solution," says Dr. John D. Johnson, global security strategist and security architect for John Deere. "There are also new solutions for cloud file storage and sync (like Box) that add encryption, data loss protection, and granular reports." For BYOD, he recommends products that keep corporate data in a container and prevent it from moving, such as Bluebox, which puts a flexible walled garden around certain data and apps, and applies corporate rules.
Endpoint detection and response
Neil MacDonald, vice president and distinguished analyst at Gartner, advises clients to first remove administrative rights from Windows users, then invest in an endpoint detection and response (EDR) solution that continuously monitors and analyzes the state of the endpoint for indications of compromise. MacDonald emphasizes that EDR solutions provide continuous visibility that, when combined with continuous analytics, can help enterprises shorten the time that an attack goes undetected. "For server workloads, I’d replace anti-malware scanning with an application-control solution to prevent the execution of all unauthorized code, which keeps the vast majority of malware off the system and, also, reinforces good operational and change management hygiene."
Randy Marchany, IT security lab director & security officer at Virginia Tech, says the flaw with static perimeter defense is that most organizations focus on inbound traffic rather than outbound traffic. Continuous Monitoring, also known as Network Security Monitoring or Extrusion Detection, focuses on traffic and log analysis. He recommends the FireEye Malware Detection appliance, Netflow data (which provides invaluable information that determines if internal machines have been compromised), and tools such as ARGUS Software, SiLK (the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team), and/or the Bro network security analyzer.
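Papay's "baseline, then detect and alert on anomalies" and Marchany's outbound-traffic focus describe the same detection loop, so one added example serves both (it is not code from the article, from ARGUS, SiLK or Bro). It runs over constructed NetFlow-style records: a training window builds, for each internal host, the set of external destination ports it normally uses and the size distribution of its flows on each port; later flows that use a never-seen outbound port, carry far more bytes than the baseline, or come from a host with no baseline at all are flagged. Addresses, timestamps and byte counts are all constructed; the internal ranges and the 3-sigma threshold are assumptions you would tune to your own network.

```python
"""Baseline-and-alert over NetFlow-style records (added example, not from the article).

Each record is (timestamp, src, dst, dst_port, bytes), the minimum a flow
collector exports. Only outbound flows (internal -> external) are profiled,
matching the 'watch what leaves' point in the text.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumption: these are the site's internal ranges (RFC 1918 examples).
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def outbound(flows):
    """Yield only internal -> external flows."""
    for rec in flows:
        _, src, dst, _, _ = rec
        if is_internal(src) and not is_internal(dst):
            yield rec


def build_baseline(flows):
    """Per host, per destination port: mean and population stdev of flow size."""
    sizes = defaultdict(lambda: defaultdict(list))
    for _, src, _, dport, nbytes in outbound(flows):
        sizes[src][dport].append(nbytes)
    baseline = {}
    for host, by_port in sizes.items():
        baseline[host] = {
            port: {"mean": mean(v), "stdev": pstdev(v), "count": len(v)}
            for port, v in by_port.items()
        }
    return baseline


def detect(flows, baseline, z=3.0):
    """Return (timestamp, src, dst, dport, reason) for each anomalous outbound flow."""
    alerts = []
    for ts, src, dst, dport, nbytes in outbound(flows):
        profile = baseline.get(src)
        if profile is None:
            alerts.append((ts, src, dst, dport, "no baseline for host"))
            continue
        stats = profile.get(dport)
        if stats is None:
            alerts.append((ts, src, dst, dport, f"new outbound port {dport}"))
            continue
        # Guard against a zero-variance baseline so a 1-byte change cannot alert.
        limit = stats["mean"] + z * max(stats["stdev"], 1.0)
        if nbytes > limit:
            alerts.append((ts, src, dst, dport,
                           f"volume {nbytes}B exceeds baseline limit {limit:.0f}B"))
    return alerts


# Constructed ten-day training window: two hosts doing HTTPS, one also doing DNS.
BASELINE_FLOWS = (
    [(f"2024-01-{d:02d}T10:00", "10.0.1.5", "203.0.113.10", 443, 1500 + 100 * (d % 5))
     for d in range(1, 11)]
    + [(f"2024-01-{d:02d}T10:05", "10.0.1.5", "203.0.113.20", 53, 120 + 10 * (d % 3))
       for d in range(1, 11)]
    + [(f"2024-01-{d:02d}T11:00", "10.0.1.6", "203.0.113.10", 443, 2000 + 50 * (d % 4))
       for d in range(1, 11)]
)

# Constructed day-11 traffic mixing normal flows with three that should alert.
NEW_FLOWS = [
    ("2024-01-11T10:00", "10.0.1.5", "203.0.113.10", 443, 1800),        # normal
    ("2024-01-11T10:02", "10.0.1.5", "203.0.113.20", 53, 130),          # normal
    ("2024-01-11T03:17", "10.0.1.5", "198.51.100.7", 4444, 900),        # never-seen port
    ("2024-01-11T03:20", "10.0.1.5", "203.0.113.10", 443, 48_000_000),  # size far above baseline
    ("2024-01-11T11:00", "10.0.1.6", "203.0.113.10", 443, 2050),        # normal
    ("2024-01-11T11:30", "10.0.1.9", "198.51.100.7", 443, 3000),        # host with no baseline
    ("2024-01-11T12:00", "203.0.113.10", "10.0.1.5", 443, 500),         # inbound, not profiled
]


if __name__ == "__main__":
    profile = build_baseline(BASELINE_FLOWS)
    for alert in detect(NEW_FLOWS, profile):
        print(*alert)
```

Two design points worth carrying into a real deployment: the baseline is keyed per port rather than per host, because mixing DNS and HTTPS sizes into one distribution would make the variance so wide that a large upload never crosses it, and a host with no baseline is itself an alert rather than silently skipped, since an unprofiled machine talking outbound is exactly the case Marchany's outbound focus is meant to catch.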
Advanced security analytics
Johna Till Johnson, CEO at Nemertes Research, recommends Advanced Security Analytics (ASA), which provides real-time insight into—and, increasingly, proactive responses to—situations that indicate a potential breach, compromise, or vulnerability. ASA merges security information and event management (SIEM) with analytical capabilities often derived from Big Data technologies. It also includes forensics and Intrusion Detection Systems/Intrusion Prevention Systems. Johnson recommends tools from vendors such as Agiliance, Blue Coat, Damballa, FireEye, Guidance, HP ArcSight, IBM, Lastline, LogRhythm, McAfee/Intel, and Splunk.
"My vote for security's best option is collaboration tools. Yes, we have plenty of silver bullets; what we really need are more tools that allow communication and collaboration for our distributed workforce. We need to capture tribal knowledge to make staff more effective. We need to invest in tools that make staff more agile," says Rick Holland, principal security/risk analyst at Forrester Research.
Frank Kim, CISO at the SANS Institute, believes security capabilities that detect attackers and anomalous activity are even more important in the face of advanced threats which bypass traditional, preventative mechanisms. As a result, threat intelligence and robust information sharing are key aspects of modern cyber defense. But it's also about advanced analytics and the ability to mine internal and external sources of data. Building a data science capability to intelligently analyze large amounts of information provides organizations with actionable information that allows security teams to respond more quickly.