Q&A: IT Risk and Security Management
A recent breach in Utah once again raises the need for IT to implement IT risk and security management on servers. What's holding IT back?
A recent breach at the Utah Department of Technology Services once again turns the spotlight on IT risk and security management on servers. If it's so important, why haven't more IT departments implemented it? What should it include, and what's the best way to get started? We asked Torsten George, vice president worldwide marketing and products at Agiliance, an independent vendor of security risk management solutions.
Enterprise Strategies: The recent breach announced by the Utah Department of Technology Services (DTS) -- where the exact size of the breach keeps changing -- highlighted a key problem: the lack of IT risk and security management. The breach was made possible by a configuration error at the password authentication level that was not detected until after the attack. What's the state of IT risk and security management these days?
Torsten George: Security risk management is still in its infancy. However, last year's record number of cyber attacks and resulting public disclosures from RSA, Lockheed Martin, Sony, the IMF, and NASDAQ has triggered a major shift in the IT security market. According to The 2011 State of the CSO survey by CSO Magazine, 57 percent of survey respondents have already shifted to a risk-based approach and 61 percent indicated that they will put even more value on a risk-driven strategy.
Today, progressive and security-minded organizations are shifting from a tactical view of security to a strategic approach, whereby risk is security's new compliance. Instead of relying on a point-in-time assessment of an organization's risk and compliance posture, security risk management presents a pro-active, continuous assessment -- leading to better situational awareness and streamlined mitigation processes.
Organizations are moving towards embedding security into their business processes and automating data collection to continuously monitor their risk posture and prioritize remediation actions based on business criticality. To achieve this, interconnectivity of security tools, big data scalability, collaboration, remediation, and incident response are required.
How difficult is it to implement IT risk and security management on servers? Does server or storage virtualization make it more difficult or is that technology irrelevant to IT risk and security management?
There are several major challenges organizations face when moving to a risk-based approach:
- Tight IT budgets
- The inability to keep up with evolving threats using perimeter-based intrusion detection and signature-based malware detection
- Most security tools operate in a silo and are not integrated and interconnected to achieve a closed-loop process of continuous monitoring
- A majority of existing security tools lack risk-based prioritization. They produce a wealth of logs but don't tell you which vulnerabilities to mitigate first
As a result, it is often impossible to make risk visible, measurable, and actionable.
Leading security risk management software as defined by analysts can leverage data feeds from a variety of existing, point-based security tools and therefore is not limited to servers or virtualized environments. In fact, an essential measure of an effective security risk management tool lies in its holistic reach, meaning it should cover an organization's enterprise architecture as it relates to business units or departments, infrastructure (including but not limited to data center assets, applications, cloud environments, and mobile devices), and big data analysis and correlation (enabling the prioritization of only the most important threats, vulnerabilities, incidents, assets, and applications for the CIO).
Why don't enterprises like Utah DTS employ it? What impediments do enterprises encounter? Is this a matter of budget, staff resources, or something else?
We have encountered the following impediments to deploying IT security and risk management:
- Although security may have achieved a high degree of mind share among strategic IT initiatives, it has not become a top priority from a budgetary standpoint.
- Many organizations still believe that if they are in compliance with regulatory mandates, they're also secure.
- Security risk management is a relatively new disciple; the federal government is an early adopter. In contrast, state and local governments often don't have the budget for the necessary additional software layer on top of their existing security tools.
- Lack of C-level recognition that closing gaps in the organization's security posture requires situational awareness and responses based upon real data.
- Fear that existing security tools need to be replaced to implement a security risk management framework.
- Lack of involvement by subject-matter experts in business units who have the needed insight into an organization's risk posture.
What are the basic components of a risk and security management framework?
The National Institute of Standards and Technology (NIST) defines security risk management in its Special Publication 800-39 and NIST SP 800-137. These publications introduce the concept of contextual risk monitoring at all levels of the organizations and outline the benefits of continuous monitoring and risk-based security. Many organizations view the NIST framework as a blueprint for implementing a risk-based approach to security.
The basic components of security risk management are:
- Data automation
- Continuous monitoring
- Continuous control assessments
- Real-time data analysis, correlation, and risk scoring
- Risk-based prioritization
- Closed-loop and automated remediation
- Streamlined incident responses
- Business intelligence integration
What's the best way for an enterprise to understand their current environment -- that is, which security measures are in place on which servers?
Organizations should use their existing security tools such as SIEM systems, vulnerability scanners, and configuration management databases to collect vulnerability, threat, and attack information. However, because these tools are silo-based and are often unable to assess risk levels they cannot prioritize remediation actions. Security risk management tools are designed to pick up where security point products leave off. They can aggregate security data from multiple sources to provide a unified, holistic, and real-time view into an organization's compliance and risk posture.
What are some of the fundamental lessons we can learn from Utah DTS' breach?
It appears that the Utah DTS followed a compliance-driven approach to security, whereby control assessments and configuration checks were only being conducted occasionally. As a result, the Utah DTS did not have a real-time view into its risk posture. This prevented them from detecting the configuration error that opened up the vulnerability, which was exploited by the attackers. This incident demonstrates the need for contextual risk monitoring at all levels of an organization.
What products or services do you offer to address the issues we've talked about?
Agiliance has developed a purpose-built software platform called Agiliance RiskVision that enables enterprises and government agencies to automate IT security and risk management processes while helping to prioritize incident, threat, and vulnerability remediation. Agiliance RiskVision provides a near-real-time business view of an organization's security posture across large, heterogeneous IT infrastructures. It ranks vulnerabilities, threats, and security events based on business criticality, risk, and compliance information. Agiliance RiskVision is the only solution in the market that combines top-down business controls with bottom-up operational data for real-time, security risk management.