In-Depth

CSO Worries High, Actions Lax

CSOs worry about infected or unknown PCs logging onto their networks, but only one-third of companies are doing something about it

• By Mathew Schwartz
• 06/29/2005

CSOs worry about infected or unknown PCs logging onto their networks, yet many aren’t proactively tackling the problem.

According to a recent survey of 141 chief security officers and security executives by Vernier Networks, only one-third of companies now identity and track their users from login through consumption of network resources, to log-out.

Half of organizations, however, simply admit users at the network edge, and 13 percent don’t track users’ login or network usage at all. Neither of those approaches is effective for screening out infected PCs, or blocking internal attacks, since a user or malware on the PCs has carte blanche access to network resources. Indeed, given the prevalence of unrestricted access, it’s no surprise that two-thirds of organizations say they’ve traced breaches to internal sources.

To cope, almost 90 percent of CSOs, the survey found, want more fine-grained controls for user access to the network, and to improve their organizations’ monitoring and overall network security. While half of organizations don’t currently track new systems entering the network, 62 percent plan to implement system-level processes to do so within the next year.

As the CSOs’ thinking highlights, “security around the network perimeter, while essential, is not sufficient to rid organizations from costly intrusions,” says Simon Khalaf, president and CEO of Vernier. “Our survey results indicate the immediate need to offer security within the fabric of the network and completely manage access to the network through pre-emptive, proactive, and reactive security.” For example, in light of recent attacks on “credit card processing centers and commercial banks,” he notes, such an approach would have helped safeguard such organizations.

According to the survey, two-thirds of security executives rate their primary network security concerns as worms, viruses, and hackers. Of course stopping hackers from exploiting known vulnerabilities, or blocking malware outbreaks, requires keeping patches up to date. Yet from a time-and-budget perspective, patching continues to be a problem. Still, half of respondents manage to patch their externally facing servers at least weekly. One-third patch at least bi-weekly.

Desktops, however, don’t get upgraded at the same pace. While one-third of security managers apply critical patches to desktops within a week or less of the patch’s release, half take between two weeks and a month to patch.

Increased budgets may help some organizations better tackle patching. This year, say 63 percent of respondents, security budgets will increase, and 12 percent characterize the increase as dramatic. Yet 30 percent of CSOs won’t see increased funding, and 7 percent say their security budgets will decline.

When it comes to quarantining, today only 13 percent of organizations monitor each system on the network and quarantine it when it starts to behave suspiciously. In contrast, 57 percent of organizations lock down a network segment when there’s a problem, and a quarter may shut down the entire network. Meanwhile, five percent admit their intrusion-response protocols are “chaos.” Most CSOs say even if they had the technology, they wouldn’t quarantine individual, infected PCs until they’re remediated. Instead, they prefer to handle such problems at the network level. Of course, implementing quarantines, automated patching, and other facets of endpoint security requires a somewhat piecemeal approach, given the nascent state of the discipline, and a lack of products which fully implement such endpoint security standards as Cisco’s Network Admission Control (NAC) or Microsoft’s Network Access Protection (NAP). CSOs realize this, with two-thirds saying they expect that between two and five different products will eventually be needed to fully defend against network-level intrusions.

Related Articles

Q&A: Endpoint Security for Unknown Devices
http://www.esj.com/Security/article.aspx?EditorialsID=1315

Untangling Endpoint Security Initiatives
http://www.esj.com/Security/article.aspx?EditorialsID=1230