Security on the Offensive

Tired of being under attack, companies are taking preventive steps to head off security breaches.

Eric Litt, chief information security officer at General Motors Corp., calls it "management by inclusion."

Simply put, it's an information security strategy that reduces operational risk by denying network access and services to all people and processes not previously vetted by the company. "If I don't know you're good, I don't talk to you," Litt says.

Litt is one of a growing number of security managers who say traditional reactive defenses -- focused on blocking known threats at the edge of the network perimeter -- are no longer enough. What's needed are more-proactive security capabilities that emphasize quicker identification and resolution of both internal and external threats.

"You just cannot sit back any longer and wait for your LAN to go down or for your employees to complain," says Ed Amoroso, CISO at AT&T Corp. "You need to be looking at things before they become a problem."

Several factors are driving this trend toward more-strategic security operations. Laws such as the Sarbanes-Oxley Act have put a greater burden on companies to demonstrate due diligence on matters related to information security. Worms, viruses, spyware and other types of malicious code are getting a lot better at sneaking past firewalls, antivirus defenses and intrusion-detection mechanisms. And growing wireless use, remote workers and the trend toward Web services are giving hackers more avenues for launching attacks.

Another important fact: The time it takes for hackers to exploit software holes has been shrinking dramatically, giving users very little time to react to new threats. The SQL Slammer worm of 2003 took eight months to appear after the flaw it exploited was first publicized. In contrast, last year's MyDoom worm started making the rounds in less than four weeks.

"It's getting so nasty out there, it's frightening," Amoroso says.

To achieve its goal of more-proactive security, GM launched a sweeping overhaul of its processes, including the manner in which it authenticates users and systems, enforces security policies, controls access to network services, patches holes, spots intruders and responds to incidents.

It's a mighty task for a $186 billion behemoth with global operations, thousands of partners and tens of thousands of users. But it's essential in order for GM to stay one step ahead of the bad guys, Litt says.

"We are in a competitive stalemate with the creators of malware," Litt says. "What we are trying to do is gain back the advantage."

Lane Timmons, security systems analyst at Texas Tech University's medical school in Lubbock, says a key to this is a better understanding of how your company's networks behave normally so you can spot abnormal activity more quickly.

After getting hammered by worms and viruses over the past few years, the school deployed several tools to help it spot and squelch attacks more quickly than the "hundreds of man-years of effort" that it used to take, Timmons says.

Among those tools is the network behavior modeling product QRadar from Q1 Labs Inc. in Waltham, Mass. The software analyzes and models typical network activity over a set period of time and then uses that data as a baseline to identify abnormal activity that might suggest the presence of worms, Trojans, port scans or denial-of-service attacks.

Such behavior modeling has dramatically improved the university's ability to detect and respond to both internal and external intrusions, Timmons says. "Our ability to do a real-time analysis of our networks has made a big difference," he says.
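The baseline-then-detect approach described above can be illustrated with a small script. The following is an added example written for this page, not QRadar's code or algorithm: it learns per-host averages for connection count and distinct destination ports over a constructed training window, then flags a host whose activity in the observation window exceeds that baseline, and separately flags a host that has no baseline at all (the "if I don't know you, I don't talk to you" case). All hosts, ports and thresholds are constructed.

```python
"""Baseline-then-detect network behaviour modelling over constructed flow records.

Added illustration, not vendor code: learn what is "normal" per host during a
training window, then flag deviations in a later observation window.
"""
from collections import defaultdict
from statistics import mean, pstdev

SIGMAS = 3        # flag values more than 3 standard deviations above the mean
MIN_MARGIN = 5    # absolute floor so a perfectly flat baseline does not flag +1 noise


def make_baseline_flows():
    """Sixty constructed minutes of 'normal' traffic for two workstations.
    Each record is (minute, src_host, dst_host, dst_port)."""
    flows = []
    for minute in range(60):
        for host in ("ws-01", "ws-02"):
            flows += [(minute, host, "fileserver", 445)] * 3   # SMB to the file server
            flows.append((minute, host, "mailserver", 25))     # one mail submission
            flows.append((minute, host, "proxy", 8080))        # one web request
    return flows


def make_observation_flows():
    """Ten constructed minutes to score: ws-01 stays normal, ws-02 sweeps forty
    ports on the database server in minute 65, and ws-03 was never seen during
    baselining."""
    flows = []
    for minute in range(60, 70):
        for host in ("ws-01", "ws-02"):
            flows += [(minute, host, "fileserver", 445)] * 3
            flows.append((minute, host, "mailserver", 25))
            flows.append((minute, host, "proxy", 8080))
    flows += [(65, "ws-02", "dbserver", port) for port in range(1000, 1040)]
    flows.append((66, "ws-03", "fileserver", 445))
    return flows


def per_minute_metrics(flows):
    """Aggregate flows into {(host, minute): {"flows": n, "dst_ports": k}}."""
    buckets = defaultdict(lambda: {"flows": 0, "dst_ports": set()})
    for minute, src, dst, port in flows:
        bucket = buckets[(src, minute)]
        bucket["flows"] += 1
        bucket["dst_ports"].add((dst, port))
    return {key: {"flows": b["flows"], "dst_ports": len(b["dst_ports"])}
            for key, b in buckets.items()}


def build_baseline(flows):
    """Per (host, metric): mean and population std-dev over the training window."""
    series = defaultdict(list)
    for (host, _minute), metrics in per_minute_metrics(flows).items():
        for metric, value in metrics.items():
            series[(host, metric)].append(value)
    return {key: (mean(values), pstdev(values)) for key, values in series.items()}


def detect_anomalies(baseline, flows):
    """Return (minute, host, reason, metric, value) tuples, ordered by time then host.
    A host with no baseline is reported rather than silently scored."""
    alerts = []
    buckets = sorted(per_minute_metrics(flows).items(),
                     key=lambda item: (item[0][1], item[0][0]))
    for (host, minute), metrics in buckets:
        for metric, value in metrics.items():
            key = (host, metric)
            if key not in baseline:
                alerts.append((minute, host, "no-baseline", metric, value))
                continue
            mu, sd = baseline[key]
            if value > mu + max(SIGMAS * sd, MIN_MARGIN):
                alerts.append((minute, host, "above-baseline", metric, value))
    return alerts


if __name__ == "__main__":
    model = build_baseline(make_baseline_flows())
    for alert in detect_anomalies(model, make_observation_flows()):
        print(alert)
```

Run it and the only alerts are ws-02's port sweep in minute 65 (both the flow count and the distinct-port count blow past their baselines) and ws-03's first appearance in minute 66, which is reported as "no-baseline" so that an analyst can decide whether to vet the host or block it. The absolute margin matters in practice: a constant baseline has zero standard deviation, and without a floor every one-flow fluctuation would page someone.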

Actionable Data

Integrating and correlating information from multiple security technologies is also crucial to enabling a more holistic view of the threats and vulnerabilities facing a corporate network, says Amoroso.

To this end, AT&T is retiring all of its individual Internet-facing firewalls, intrusion-detection systems and antivirus tools and is integrating the functions into its IP backbone layer. The company has built a massive security event management system, called Aurora, that's capable of pulling in and correlating terabytes of network traffic and security data from the IP layer.

The data analysis allows AT&T to spot trends and signs of impending trouble far better than the fragmented view provided by the individual security technologies, Amoroso says.

"It gives us real actionable data, to respond to threats" before they materialize into full-fledged problems, he says.

Prep Work

Being proactive also means ensuring that security is built into your application software and not bolted on later, says Mary Ann Davidson, CISO at Oracle Corp.

Customers should ask vendors questions about their security practices, Davidson says. Questions should include, "How do you write secure code? Do you train your developers for that? Do you do ethical hacking to test your code? How are you making it easier for your customers to secure your code? What is the best practice for locking down your product?" she says.

What's crucial at GM, says Litt, is "making sure the code we get is really secure out of the box and that the vendors are not making us a testbed for their software." That's because a majority of the security problems companies are facing today are the direct result of software bugs that hackers are exploiting. Litt is working with several influential industry and user groups to pressure vendors to pay more attention to security.

"We are trying to use our combined voices to drive the software industry to think about security in a different way," says Litt, who for years has been including strict security terms and conditions in all of GM's software purchasing contracts.

GM is also applying the same concept to the software it develops in-house. The company has instituted "toll gates" for reviewing security at various stages in the product development life cycle "even before the first line of code is written," Litt says.

In the end, however, there's a limit to just how proactive you can be, says Lloyd Hession, CISO at Radianz Inc., a New York-based provider of telecommunications services to financial companies.

"One of the key issues is that we can't really figure out what the next threat scenario is going to be," he says. "A year ago, for example, nobody was up and jumping over spyware. It's kind of suboptimal to want corporate commitment and resources to be deployed today if you don't know what it is being deployed to really stop."

Instead, the goal should be to better prepare yourself for attacks, Hession says. And that means being able to identify threats early, have a good incident-response and backup process in place and ensure that there is no "skills mismatch" between your security team and the attackers when the attacks do come, he says.

"There is no silver-bullet technology or singular process change" for addressing this problem, Litt says. The goal should be to "social-engineer security into your processes versus putting it in as an afterthought," he says.

Copyright © 2005 IDG Communications, Inc.
