How to Build a Strategic Defense with IT Integration
The security industry’s defenses against cyber attacks have not evolved much over the last decade, but threat actors’ methods expand daily.
“Right now, the bad guys are winning.”
It’s a bleak statement from Dave Frymier, the CISO for Unisys Corp., but one that many enterprise security executives need to hear.
“The industry is realizing that the tools we’ve had for the past 10 years or so (signature-based intrusion detection, basic firewalls, etc.) just aren’t working,” he says. While security’s defensive cyber tools might have worked against a static foe, malicious actors’ methods continue to evolve.
“A lot of current malware is too sophisticated for current tools to detect,” Frymier adds.
Take a Windows software update, for example. Over the past three years, Windows has continued to grow as a brand and a target, Frymier says. Every update on an employee’s computer comes with new vulnerabilities, and nimble hackers can reach a million targets immediately. The rate of updates and the range of goals have led to a jump in attacker sophistication. Why does this matter in the physical arena? For starters – how many of your security systems run on a Web-based interface, and how many Windows computers have access to them? Having an integrated and alert IT system monitoring those interactions and the flow of data can mitigate the risk that an enterprise’s information assets suffer from a bad patch or update.
In addition, certain tools that we take for granted are not as secure as we might think: “We forget how young the Internet is, and it’s built on multiple vulnerabilities: open source auto-responders (such as automatic reply systems for DNS) can be used to create Denial of Service (DoS) attacks, anonymity prevents us from tracking certain attacks, domain names are vulnerable, and it’s very easy to spoof things,” he says. “This is an issue that needs global cooperation to address,” and it’s slow in coming, Frymier continues.
IT integration can help in myriad ways, the main two being to aggregate as much data as possible (determine what might be happening at any given time) and to compartmentalize infrastructure, Frymier says.
While compartmentalizing might seem like the absolute antithesis of integration, the goal is to identify the most critical information and wall it off from people who don’t need to see or use it.
“It’s an ancient technique,” Frymier says, laughing, “of identifying your diamonds versus your paperclips and protecting them accordingly.”
Such diamonds in today’s enterprises could include financial systems, personally identifiable information (PII) and intellectual property.
It’s a focus on active defense, he says – enterprises taking measures to prevent incidents from happening in the first place. But how does this tie in with integration?
Imagine a small- or medium-sized Midwestern U.S. bank. One day, data starts moving out of the bank to an unknown IP address in Azerbaijan – a typical fraud alert system might detect the change and send an alert, but an integrated, or connected, security system would provide a complete, actionable report. This allows systems to gather, share and analyze information, and then take action, such as stopping the flow of data to Azerbaijan automatically until the report is reviewed, says John McClurg, Vice President and Chief Security Officer for Dell, Inc.
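The gather-analyze-act loop in the bank scenario, as an added example that is not part of the original article: it correlates constructed outbound flow records with an assumed approved-destination list and asset inventory, then produces a report that names the asset owner and recommends a hold pending review rather than a bare alert.

```python
"""Constructed example: flag outbound transfers to unapproved destinations,
build an actionable report, and recommend holding the flow pending review."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Constructed flow records: timestamp, source, destination, bytes out. Not real traffic.
FLOW_LOG = """\
2013-05-02T09:14:03 10.20.1.15 203.0.113.40 1200
2013-05-02T09:14:09 10.20.1.15 203.0.113.40 5800
2013-05-02T09:15:01 10.20.1.22 198.51.100.7 15728640
2013-05-02T09:15:30 10.20.1.22 198.51.100.7 22020096
2013-05-02T09:16:12 10.20.1.31 203.0.113.41 900
"""

# Assumed shared context: an integrated system lets the analyzer see the
# approved partner ranges and the asset inventory, not just the flow records.
APPROVED_DESTINATIONS = {ipaddress.ip_network("203.0.113.0/24")}  # assumed core-banking provider
ASSET_OWNER = {"10.20.1.15": "teller-ws-15 / retail ops",
               "10.20.1.22": "fileserver-02 / loan dept",
               "10.20.1.31": "teller-ws-31 / retail ops"}
HOLD_THRESHOLD_BYTES = 10 * 1024 * 1024  # assumed: 10 MiB to an unapproved host triggers a hold

@dataclass
class Finding:
    src: str
    dst: str
    bytes_out: int
    owner: str
    action: str

def is_approved(dst: str) -> bool:
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in APPROVED_DESTINATIONS)

def analyze(log: str) -> list[Finding]:
    """Aggregate bytes per (src, dst) to unapproved destinations and decide an action."""
    totals: dict[tuple[str, str], int] = defaultdict(int)
    for line in log.splitlines():
        _ts, src, dst, nbytes = line.split()
        if not is_approved(dst):
            totals[(src, dst)] += int(nbytes)
    findings = []
    for (src, dst), total in sorted(totals.items()):
        action = "hold-pending-review" if total >= HOLD_THRESHOLD_BYTES else "alert-only"
        findings.append(Finding(src, dst, total, ASSET_OWNER.get(src, "unknown asset"), action))
    return findings

def report(findings: list[Finding]) -> str:
    """One actionable line per finding: what to do, which asset, whose, where to, how much."""
    return "\n".join(f"{f.action}: {f.src} ({f.owner}) -> {f.dst}, {f.bytes_out} bytes outbound"
                     for f in findings)
```

The hold action is a recommendation for the enforcement point (firewall or proxy) to apply automatically; the report is what the reviewer reads before lifting it.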
McClurg started down the road to a converged or IT-integrated model when he was working for the FBI, tracking down a hacker by the pseudonym “Dark Dante.” Dark Dante combined physical and cyber hacking, or phreaking, to attack phone lines – including taking over all of the telephone lines for a Los Angeles radio station, ensuring he would be the 102nd caller in order to win a Porsche.
“He would pick the 30-year-old rusty lock to the central office of the phone company – a physical vulnerability – gain access to passwords, manuals, anything else he could gather; take it all home; study it until the wee hours of the morning; and then with that knowledge in hand, advance a much more sophisticated cyber attack than he ever could have done without that physical vulnerability,” McClurg says. “So that was the beginning of this converged model in my mind. And, soon, the opposite became equally apparent: that you could have cyber vulnerabilities (as the Iranians can recently attest) that can undermine your physical world interests.”
McClurg’s career trajectory – developed along the path from the FBI to Honeywell to Dell – toward a connected security program is a step further than mere integration: As more and more physical security systems (surveillance, access control, etc.) rely on IT components, enterprise security executives should be aware of the dangers that could befall those components.
CSOs need alerts on the key elements of their security systems, McClurg says. “If someone cuts a camera feed, your IT system should be able to notify you.”
A key tool in connected security is the use of cyber innovations, such as next-generation firewalls. Unlike the firewalls of the past decade, these include features built for the threats and needs of 2013, including application control. According to McClurg, this includes only allowing safe access to certain applications – such as text posting to Facebook, but no file sharing. These can also manage integrated intrusion and extrusion detection.
“They can also look for innocuous, apparently benign behavior that, under the right conditions, can be dangerous,” he adds.
But on the integration side, these firewalls can add more business value than merely protecting intellectual property and safeguarding IT systems. By using these tools to identify and discriminate against certain applications or features (Netflix, cat videos on YouTube), more bandwidth can be reserved on the network for surveillance camera feeds, access control logs and other mission-critical data.
However, many security executives might see “firewall” and immediately think “It’s all Greek to me.” Frymier says that this is a common, but not impossible hurdle to overcome.
“The best way to learn about information security is to already know a lot about IT,” he says. “You can’t defend a fort until you know how it’s put together.” There are multiple online resources to help educate security professionals, including some through the U.S. government (http://csrc.nist.gov/publications/PubsSPs.html).
Another resource enterprise security executives shouldn’t ignore is the integrator partnership.
According to Frymier, end users should ask their integrators three key questions when building an integrated information security program:
How do you handle account management? (“You want to hear ‘I support SAML [Security Assertion Markup Language] integration,’” Frymier says. “This links HR with the active profile directory, which is linked to SAML systems. Through this, at the point of an employee’s termination, his or her access to IT resources is cut off automatically within minutes,” reducing the former employee’s window of opportunity to do harm.)
Do you have sufficient logging capabilities, and are they compatible with my log analysis system? (“Yes.”)
Do you have monitoring support? (“Yes.”)
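The HR-linked deprovisioning that Frymier describes in the first question, as an added example that is not part of the original article: a reconciliation check that compares a constructed HR termination feed with a constructed directory snapshot, lists the accounts that should already be disabled, flags those whose access has outlived an assumed 15-minute window, and reports enabled accounts with no HR owner at all.

```python
"""Constructed example: reconcile an HR termination feed against directory state
and measure the former employee's window of opportunity."""
from datetime import datetime, timedelta

# Constructed HR feed: employee id, directory account, termination time (UTC) or None.
HR_FEED = [
    {"emp": "E1001", "account": "jdoe", "terminated_at": "2013-05-02T09:00:00"},
    {"emp": "E1002", "account": "asmith", "terminated_at": None},
    {"emp": "E1003", "account": "rlee", "terminated_at": "2013-05-02T08:30:00"},
]
# Constructed directory snapshot: account -> enabled flag. "orphan" has no HR record.
DIRECTORY = {"jdoe": True, "asmith": True, "rlee": False, "orphan": True}

MAX_WINDOW = timedelta(minutes=15)  # assumed target: access cut within minutes of termination

def reconcile(hr_feed, directory, now):
    """Return (to_disable, overdue, orphans).

    to_disable: terminated accounts still enabled in the directory.
    overdue:    (account, minutes past the window) for those enabled too long.
    orphans:    enabled accounts that HR does not know about.
    """
    hr_accounts = set()
    to_disable, overdue = [], []
    for rec in hr_feed:
        acct = rec["account"]
        hr_accounts.add(acct)
        term = rec["terminated_at"]
        if term is None or not directory.get(acct, False):
            continue  # still employed, or already disabled
        to_disable.append(acct)
        age = now - datetime.fromisoformat(term)
        if age > MAX_WINDOW:
            overdue.append((acct, int((age - MAX_WINDOW).total_seconds() // 60)))
    orphans = sorted(a for a, enabled in directory.items() if enabled and a not in hr_accounts)
    return to_disable, overdue, orphans

def apply_disables(directory, to_disable):
    """Return a copy of the directory with the listed accounts disabled."""
    updated = dict(directory)
    for acct in to_disable:
        updated[acct] = False
    return updated
```

In a SAML-fronted environment, disabling the directory account is what stops new assertions being issued; existing sessions at each service still expire on their own timers, so the window check is worth keeping as a monitored control.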
Dell’s connected model involves even more partner resources – building the IT security department around a “minimally essential core,” McClurg says, and then adding trusted, vetted partners as needed to reinforce the team’s understanding of cyber vulnerabilities and how malware families are evolving.
“These could be 700 cyber warriors,” he says. “You can surge with your partner resources as needed to extend the reach of your team.” Using partners to combine detection, protection and response for every aspect of the enterprise leads to a more connected, unified security program.
“We’re always in a long game against refined criminals,” McClurg says. But, with some out-of-the-box, connected thinking, security is catching up.