Q&A: Staying Ahead of Network Security Issues
Where should IT focus its attention in protecting network assets, what investments offer the best return, and how can IT to avoid common mistakes when developing its security strategy?
With IT budgets under pressure, it's difficult to adopt innovative security solutions. We look at where IT should focus its attention, where to make investments, and how to avoid the biggest mistakes IT often makes in developing its security strategy.
For insight and perspective, we turned to Ken Pappas, vice president of marketing and security strategist at Top Layer Security.
Enterprise Strategies: Thus far in 2009, we’ve seen the outbreak of the Conficker worm, continued attacks on Web sites (particularly social networks), and continued network breaches across industries. What do you each see as the top threats to network security for the remainder of the year?
Ken Pappas: More of the same, but more creative and stealthier. Hackers are bright people, they study human behavior and adapt to it. You will see more IP enabled devices that hackers will attempt to break into, not just for data theft but also to disrupt our quality of life.
A recent study from Verizon Business found that more electronic records were breached in 2008 than in the previous four years combined, yet new stimulus legislation is pushing health care organizations to upgrade their medical records to electronic form. How will this affect the security of the health care industry and specifically of the medical records? Won't this result in increased hacking against hospitals and medical offices?
The finding of more records breached I feel is false. Laws today require companies to disclose breaches; in the past, this was not the case. Nobody knows for sure how many records earlier were breached because nobody was counting. Today our laws mandate they be disclosed, and keep in mind not all records breached need to be disclosed. You need to be over a certain threshold as I understand it. Will the movement to electronic health-care records increase the likelihood of a record breach? Sure. New regulations are requiring that any network that is connected to or accessing health-care facilities must also have the same level of security within its network. This is a step beyond what we previously had. Although I feel we are on the right track, we are not out of the woods on electronic record breaches. They will still occur.
We’ve seen increased attention geared toward the utilities industry and the new Smart Grid. What are some of the potential outcomes threats pose and how does this affect the larger scheme of things -- power outages, government regulations?
I can tell you that the reports of power facilities being breached is news that happened a while ago and that our power grids and the networks today running them are very different. I can’t say more, but I am confident that we are not going to see any major widespread power outages in our future. New government regulations have changed the way our power suppliers run and manage their networks, and we have a lot of smart people managing them.
Threats are coming at IT from all directions.
Yes, they are. An argument exists today around inside versus outside threats. Where are most of the threats coming from? Who cares? The fact of the matter is that threats originate both internally and externally. Security needs to address both.
What should IT's strategy be to stay ahead of hackers' next moves and combat all these different entry points, especially given that IT budgets are under extreme pressure lately?
It’s difficult to adopt innovative security solutions when your IT budget is under pressure or when regulations and even your business partners are demanding you have viable security technology in your network.
Top Layer recognizes this and has brought to market several creative ways in which enterprise networks can upgrade their security at little or no capital expenditures. We understand that older firewall and first-generation IPS [intrusion prevention system] technologies will not protect your networks from tomorrow’s threats. That’s why we have created the competitive Trade-In and ZERO CapEx programs.
Where should IT focus its attention, and what tools are "nice to haves"?
I must admit, IT has a tough job and security needs to be considered at all points in the network, tethered and un-tethered. The "end point" is a blur to many of us. Many devices today connect and access data on our corporate networks. Cell/smart phones are part of the network and IT must consider security in any device to protect its network and its data. Although IPS has been around for about seven years, it surprises me that so many enterprise companies either don’t have one or are still using IDS [intrusion detection system] for security. I honestly can’t talk about any security device or technology that I would consider a "nice to have." That decision needs to be made by the CSO in the organization.
It has been struggling having to manage a variety of security tools and technologies, but it is tough (if not impossible) to integrate these tools. Can you suggest a few best practices, along with a tangible real world example, of how organizations can successfully integrate these elements to improve security and effectively maximize their investments?
I could not agree more. I have seen a lot of smart security solutions on the market, but they are all stove-piped and none are sharing the information or learning from one another.
I think sharing information is the direction we need to move. At Top Layer we recognized this and have created what we call the Security Eco-System, a group of vendors willing to share their logs and alerts with other security platforms in an open format so that one security appliance can learn what another security appliance just learned and possibly take action.
For example, Top Layer has worked with Bradford Networks, a leader in network access control, to create an API that would allow our logs and alerts to be sent to the Bradford Appliance; in the event an end-user's PC began to broadcast malicious content, the Top Layer IPS would do its job and block that malicious traffic from spreading to other devices and servers in the network. Top Layer would then pass this information along to Bradford's appliance, which can decide how to handle the end-point device (for example, by re-directing it to a remediation server, blocking it completely, or having IT retrieve it for "maintenance"). This is how we see various security devices working in enterprise networks in our future.
How can IT know it's getting the most for its money or has made the right investments? Is it possible to over-invest in security?
It’s always possible to over-invest in security the same way it’s possible to over-invest in a car or personal insurance. It boils down to what you are comfortable with and what "risk-avoidance" level are you willing to accept. You can also under-invest and leave yourself open to attacks, business disruption and possible fines.
What are the biggest mistakes IT makes in developing its security strategy?
The biggest mistake I believe IT makes is looking at what it presently has in its networks rather than first identifying what they are trying to protect, then going back and determining if what they presently have in their network for security provides the best level of protection. Back in the early 2000s, the big challenge networks were facing was DDOS [distributed denial of service] attacks. Enterprises went out and bought DDOS appliances. Some companies today still believe their networks are protected because they have this DDOS appliance when, in fact, many new threats have entered the market that a DDOS appliance doesn't guard against.
Another area I see within enterprises is their security policy and when it gets reviewed. When I am invited to deliver a security presentation, I ask the audience: “When do you update or review your security policy?” Some say annually, others say quarterly. I tell them that’s the wrong approach and that a security policy needs to be reviewed when they read the media about a breach and ask “Can this happen to us? Are we protected? Do we need to modify our policy?”
The other side is to watch for new products or technologies entering the market. Ask yourself, “Does our current security policy cover this? Will this introduce new threats or ways to gain access that we have not addressed?” This is why assigning a date to reviewing your security policy will not work in today’s market.
What best practices can you suggest to avoid these mistakes?
Talk to your peers in the industry. Get educated on what technologies are working and are not. Firewalls were good in their day, but let’s face it -- the hackers have figured it all out and now viruses, Trojans, and malicious content are just flowing in. You need more than firewalls today. If you don’t have security specialist on staff, hire one. The days of anointing someone who has worked in IT and whom you now consider your security expert are over.
I’ve spent time with a number of very intelligent IT staff individuals, and I frequently ask: “How do you know you have not been breached?” These individuals have a false sense of network and data security, relying on a firewall, IDS, or older IPS they may have. Since none of these devices has picked up any malicious content, they think they are covered.
When given the opportunity to introduce Top Layer Security’s third-generation IPS on their network and configured in a ‘listen’ only mode, they are shocked to see the traffic we are picking up that their existing firewall, IDS, or IPS is allowing to slip by. It’s an easy sale after that.
I would caution all IT: don’t get comfortable with what you have. Take a look at newer, innovative technology and refresh your security as often and cost effectively as you can. We know costs are important, and we know that IT’s mantra is (or should be) “Protect Corporate Assets and Data,” but that's difficult and daunting task when funding is limited. (To that end, Top Layer Security this year introduced its Free IPS program that lets enterprises trade in their older security products.)
IT should also not be lulled into thinking they are protected just because they may have received PCI compliance and certification. Look what happened to Hannaford Food Chain! IT needs to be diligent with data security, educating CxO-level management to understand the risk levels if technology is not adopted or implemented in their enterprise.
What products or services does Top Layer Security have that address the issues we've discussed?
Top Layer Security has been delivering the most innovative and advanced IPS solutions for more than ten years. Unlike many of the IPS products from our competitors, we have a third-generation IPS that is not dependent on signatures. We also offer a security managed service that will maintain the Top Layer IPS equipment in the event you do not have the expertise or wish to free up your valuable resources to do other tasks.
Our products are installed in many sensitive enterprises, providing network and data protection and reliability with our solid-state hardware architecture and with the lowest latency in the IPS industry. This is key for financial and VOIP enterprise networks.