When it comes to securing enterprise data, picture an IT leader with one foot on a dock and the other on a boat. Now watch the boat slowly drift away. Mobile, cloud and big data technologies are dragging businesses into uncharted waters, and data endpoints are moving further and further from the IT department’s control.
Meanwhile infrastructure is barely able to handle existing threats — let alone new ones. IT departments are obviously stretched, often without the manpower or skills to handle growing security needs.
A string of enterprise security breaches shows the obvious strain. In 2013, Verizon reported more than 63,000 security incidents and 1,367 confirmed data breaches worldwide in its annual security breach investigations report. In the first half of this year, some 395 data breaches were reported to regulators in the U.S., according to the Identity Theft Resource Center.
“We’ve shattered the perimeters of our businesses,” says Chris Gray, vice president of enterprise security and risk at Accuvant, a Denver-based provider of IT security products and services. “We’re outsourcing, we’re shoving everything to the cloud, we’re enabling mobility and [allowing] alternative means of access at levels that we’ve never done before.” As a result, he adds, “we’ve opened up holes . . . and spread everything out. Instead of watching one spot, we’re now watching 50 — which makes the problem we’re facing all the greater.”
It’s not all gloom and doom. More than 90% of those breaches analyzed by Verizon fit into just nine distinct security patterns. Security experts say there are ways to balance security risks with the opportunities that new technologies provide. Here are five data security technologies worth considering this year.
1. Endpoint detection and response solutions
To regain control, businesses are looking to automated tools that detect, correct and even predict security breaches, says Mike Lloyd, CTO at RedSeal Networks, a Sunnyvale, Calif.-based security vendor. “The need for automation is clear if they’re short-staffed or can’t get the talent,” or if the number of access points to cover is just too great, he says.
Endpoint threat detection and response tools can satisfy the need for continuous protection from advanced threats at endpoints like tablets, phones and laptops. These tools monitor endpoints and networks, and store data in a centralized database. Analytics tools are then used to continually search the database to identify tasks that can improve the security state to deflect common attacks, provide early identification of ongoing attacks (including insider threats) and rapidly respond to those attacks, according to a report presented at the Gartner Security & Risk Management Summit in June. These tools can then help IT security staffers to quickly investigate the scope of attacks and stop them.
Nashville-based insurance provider Cigna-HealthSpring wants to be proactive in the way it monitors the security of its mobile devices. The number of iPads and iPhones that HealthSpring issues to employees is expected to double in the next two years as the company adds more online apps and offers more reporting capabilities in the field, says Anthony Mannarino, IT director, security and compliance.
Anthony Mannarino
HealthSpring uses Absolute Software’s Computrace product to monitor and track employees’ mobile devices. The benefits of using the software include “knowing what’s on the device [and] being able to remotely wipe it,” Mannarino explains. New software capabilities let HealthSpring check on devices in real time. “We can build in zones of where we do business. If a device goes outside of a zone, it will alert us and we can take a proactive approach,” often before the user even realizes it’s missing, he adds.
2. Sandboxing
Inevitably, some malware or hacker will make it through the security perimeter. One of the easiest things that enterprises can do to ensure that their data remains safe when that happens is to add sandboxing capabilities that can automatically isolate suspected malware that’s been detected on a network device, says Pete Lindstrom, an analyst at research firm IDC. Once the malware is isolated and is safely away from active systems, the sandboxing tool will run the application and analyze its potential effect. “This idea of monitoring the outcomes of activity and looking for malicious stuff on the backside after a program is executed is really becoming crucial to success,” he says.
Dedicated sandboxing tools, available from vendors such as FireEye, do the job but can be expensive, Lindstrom says. But other security vendors are adding sandboxing features to existing products. “It’s not uncommon for the antivirus players to have it, and most of the network security players have some sandboxing capabilities,” he says.
Cigna-HealthSpring uses FireEye’s sandboxing application. “They can see a threat and run it in a sandbox environment to see what it does, and we can stop it,” Mannarino says. “If [the tool] is reporting that it’s trying to connect to some site in China, then we can go into our Web filtering technologies and make sure we put blocks on those URLs.” For many companies, the tricky part may be understanding and analyzing the results uncovered by the tool, Lindstrom adds, but there are services that help make sense of the results. Companies offering such services include DataHero in San Francisco and ClearStory Data in Menlo Park, Calif.
Lindstrom predicts that sandboxing functionality will become standard fare in security products in the next two or three years.
3. Security analytics
Most security teams have a wealth of data coming from myriad endpoints and security products. “The problem is they lack actionable, decision-making indicators,” Lloyd says. Analytics is becoming a cornerstone of security capabilities. Going forward, Gartner predicts that all effective security protection platforms will include domain-specific embedded analytics as a core capability. By 2020, 40% of enterprises will have “security data warehouses” for storing and monitoring data to support post-event analysis, according to Gartner. Over time, this data, combined with other intelligence, will create a baseline for normal activity and make any deviations noticeable.
Florida-based Broward Health, the third-largest healthcare system in the U.S., deploys an arsenal of security technologies to protect its patient and company data, but Ronaldo Montmann, vice president of IT, still doesn’t have the big picture. “We have next-generation firewalls, the best intrusion-prevention systems, data loss prevention systems in place, identity management solutions in place — but they operate in silos,” he explains. In addition to a comprehensive system, he wants the ability to predict future vulnerabilities.
“We’re trying to see if we can [take] the big analytics software that we bought for the financial and clinical system and leverage that for infrastructure to look at events and correlate those events in a meaningful way so we can predict or understand how they relate.”
But that also requires a team of senior-level staffers who understand all the nuances of the technology that the hospital system supports and can work collaboratively and proactively to maintain the network.
A protocol algorithm looks at event logs at the server, switch and workstation levels and gathers information “that typically a human being wouldn’t be able to process,” Montmann says. That data is analyzed to correlate issues on the network. “We’re trying to design an environment where we can learn more about what’s going on in the network and perhaps those different odd behaviors can lead us to understand whether it’s malware [or] a hacker.” Montmann says he expects to have the analytics team in place by the first quarter of 2015.
4. Cloud security gateways
The state of Wyoming in August announced plans to discontinue most of its data center operations and move its physical equipment to commercial colocation facilities. It will continue to manage its own physical servers at the colocation centers, but this outsourcing step is part of a broader plan to move the state’s computing resources to cloud services. No doubt, security will be a top-of-mind issue when it comes to protecting data in the cloud.
Enterprises that use the cloud should consider cloud security gateways. These on-premises or cloud-based security policy enforcement points are placed between cloud services consumers and cloud services providers to interject enterprise security policies as the cloud-based resources are accessed.
“This is really the wave of the future for how IT folks are going to get visibility and control into cloud architectures,” Lindstrom says. Operating like unified threat managers in the cloud, cloud security gateways provide access security or policy enforcement, but they monitor activity using analytics, handle data loss prevention functionality on the back end, and apply communication encryption, as well as encryption of structured and unstructured data. Cloud security gateways can be deployed entirely in the cloud or as edge-based appliances. “It’s a very useful way to address the problems of loss of visibility and control that you typically get in the cloud, and it’s not particularly expensive,” Lindstrom adds.
5. Adaptive access control
Despite the need to lock down data, IT departments also need to support business operations by allowing a wide range of mobile devices to access corporate systems. To keep data safe, Gartner suggests using adaptive access control, a form of context-aware access control that acts to balance the level of trust against risk at the moment of access using a combination of trust elevation and other dynamic risk mitigation techniques. Context awareness means that decisions about who is and isn’t granted access reflect current conditions, according to Gartner, and dynamic risk mitigation means that access can be safely allowed where otherwise it would have been blocked. This type of access management architecture allows companies to provide access from any device in any location, and makes it possible to set up different levels of access to a range of corporate systems depending on users’ risk profiles.
Gartner recommends other security technologies and techniques, including the use of machine-readable threat intelligence services provided by third parties and adopting containment and isolation as a fundamental security strategy — an approach in which everything that is unknown is treated as untrusted. Other technologies that the research firm advises security professionals to consider include software-defined security, in which security functionality is embedded in all new applications, and interactive application security testing, which combines static and dynamic testing techniques in a single solution.
Choosing security technologies
Deciding if and when to deploy one of these up-and-coming security technologies depends on the structure of the organization and the amount and types of data that are considered to be valuable, says David Brown, director of Accuvant’s technology solutions practice. “How is your data used, who needs access to it and what is your budget,” not just for the technology but the staff to support it, he says. For instance, “security analytics has some good solutions out there, but it also takes multiple smart people to manage it,” says Brown.
At the end of the day, it’s all about balancing risks and opportunities to grow the business, security leaders say.
“There’s always an acceptable level of risk, so finding and agreeing on that line usually takes multiple parties — legal, leadership, human resources and people in the business — to decide what is best,” Mannarino says. Lindstrom agrees that the amount of risk in IT is indeed increasing, “but that’s the result of a thriving economy,” he says.
“If you take an economics approach to technology risk management, you have trade-offs,” he notes. “Most folks are doing it successfully. Embrace the nature of risk, manage it, and don’t let it manage you.”