Organizations spend lots of money on a variety of security products but they are frustrated because they are still getting compromised. Why? The threats organizations face have changed in the past year or two, but the way we approach security hasn’t.
“When you’re dealing with the common cold, you wait for the first symptom to appear,” says Cole, who will lead a panel discussion on emerging security threats and trends at the upcoming SANS Security West conference (May 10-18, 2012). “Once you have a fever, sore throat or runny nose, you go to the doctor. The doctor gives you medicine to treat the symptoms, and in a few days you feel better. This is how companies traditionally approach information security. They wait for something visible to occur, react to that visible sign, and in a few days or weeks, the organization is better prepared to fight that kind of attack.”
The problem is that, in recent years, the threat has changed from the cyber common cold to cyber cancer. If you wait until cancer symptoms emerge, it may be too late for successful treatment.
“Doctors will tell you that prevention as well as early detection is most important,” says Cole. “Unfortunately, organizations are treating cyber cancer like a cyber cold and waiting for visible signs to do reactive security.”
We need to switch to new proactive and adaptive ways to deal with new threats he says A few interesting examples make a lot of sense.
Two of the biggest threat vectors are web browsers and email clients, the “sources of evil.” Organizations counter the threats by seeking ways to block attachments or blacklist websites. These measures don’t always work. Instead, Cole suggests that organizations run their web browsers and email clients in separate virtual machines on the local client devices. This is a twist on traditional virtualization.
“Users can click away all day,” says Cole. “They can open attachments and get infected, but it can all be contained to that virtual machine, and the overall damage level can be controlled. If necessary, that virtual machine can easily be wiped clean and rebuilt.”
Another problem is that companies put a lot of effort into perimeter security measures to try to stop attackers from getting into the network. Once an attacker is in, however, the network is pretty flat, and information all too accessible. Cole suggests aggressive network segmentation to protect high-risk clients and limit exposure to attack. If a client system is compromised, you can contain and control the damage.
Cloud computing security is a major concern, but a risk-based approach will enable companies to make good business decisions about moving to the cloud.
“A lot of people pull back in fear when they think of the cloud,” says Cole, “but automatically saying ‘no’ is no way to deal with security issues. If someone asks if they can do something in the cloud to save the business money, and the security people say no, then security won’t get invited to the meetings anymore, and the business unit will go ahead and do what it wants anyway.”
It’s better to categorize applications by risk:
Category 1: Applications that are cloud-ready.
Category 2: Applications that might be cloud-ready if certain measures are put in place.
Category 3: Applications that should never go to the cloud based on their risk factors.
Cole recommends encrypting all data that goes into a public cloud. “Encrypt it and manage the keys in such a way that no one but you has access to the keys,” according to Cole.
And finally, Cole’s panel of experts will talking about the hot issue: BYOD. Most organizations think in terms of the technology to secure the devices and the data that goes on them. Cole recommends working with your legal department first.
“Get an attorney to help you set your policies and documentation, and get workers to sign off explicitly on the issue of ownership of data on the device and the liability for it,” he says. “Have a policy that states that the organization can go into the device at any time – even after an employee’s termination – and delete or modify the corporate data on the device.”
This is a huge issue because the implied ownership of the information gets transferred to the employee once the information is downloaded to the worker’s personally owned device. However, the company still has all the liability for the information in the event that something happens to it.
On the technology side, organizations should look at ways to sandbox or segment corporate data that makes its way onto workers’ personal devices. Cole recommends automatically going into the device every day (or every few days) and wiping the company data. Then, if a device is lost or stolen, only recently downloaded data is compromised.
“Losing one day’s worth of information is far better than losing several months’ worth,” explains Cole. “Since most people only use their smart phones or tablets for temporary access to the corporate network, it won’t matter if data is deleted at the end of each day. This isn’t intended to be their primary device for work.”
These all sound like practical approaches to improving security. Sometimes, all it takes to solve a problem is to have a different perspective on what you’re trying to achieve.