Cybercrime is a massive global threat, and U.S. businesses are the No.1 target. For tips and advice about how best to defend against cyberattacks, Network World asked security pros to name their most valuable security tool.
Many of the experts we interviewed pointed out that there is no silver bullet when it comes to security. Ron Woerner, director of cyberSecurity studies at Bellevue University, put it this way: "There is no 'one and best' security tool. It really depends on the situation, circumstance and personal preference. There are certain things all network, IT and security professionals should have in their toolbag. The most important is knowledge; i.e., where to learn more about a particular topic, technique or tool. It’s impossible to know everything; so focus on where to get quality instruction and information."
Woerner recommends two websites: www.howtogeek.com and blogs.msdn.com/ for reference and two toolkits: SysInternals and Windows GodMode. The former is a grouping of simple Windows tools (beyond the native administrative programs) and the latter is administration applications already available in the Control Panel.
Yier Jin, assistant professor of computer science and electrical engineering at the University of Central Florida, also believes knowledge is the key. "I would say cybersecurity awareness is the one, best tool. Many breaches are caused by internal workers who lack cybersecurity awareness and, therefore, click links from spam email, which often initiates the breach. For tools, I recommend Microsoft Enhanced Mitigation Emergency Toolkit (EMET), an excellent toolkit that every company should have."
+ ALSO ON NETWORK WORLD: Old-school antivirus vendors learn new tricks +
Strategy first, then tools
Heidi Shey, senior security/risk analyst at Forrester Research, recommends that organizations first start with an assessment of their security maturity and the risks to their environment. Otherwise, they're always chasing the latest, greatest, hottest, must-have tool. Strategy must come before tools. There are many different models for self-assessment, including COBIT, ITIL, NIST Cyber Security framework; the SANS Institute Top 20 Critical Security Controls, and ISF's 2013 Standard of Good Practice (SOGP). (Watch a slideshow version of this story.)
"The purpose of assessing security maturity is to help identify where the organization's security program and environment currently stands, where the gaps are, how to articulate responsibilities, and identify steps to improve security maturity. And, as a result, narrow down and prioritize a wish-list for tools that will help maximize results for the organization," says Shey.
"Information security is in crisis and the popular approach to improve this situation is to move to a risk-based model," says Jeff Northrop, CTO at the International Association of Privacy Professionals. "Good plan; however, companies must first perform a proper risk assessment, which cannot be implemented without a sufficient picture of their data landscape. Most large organizations lack this information; therefore, [they] cannot move to a risk-based model, and that's a problem."
Northrop has adopted the term data security intelligence tools to describe the emerging category of tools whose foundation is an understanding of the data landscape within an organization.
"Currently, we have business intelligence tools, data integration tools, data discovery tools, data encryption tools, compliance tools, and SIEM tools. All require that foundation for a data security intelligence tool; that is, an understanding of what data is collected; where it's located; how it's structured, categorized, and used; and who has access to it," Northrop says. "Most vendors operate in one or two of these areas; but a few companies have recognized a need for better information on the data they're responsible for protecting; therefore, taking advantage of their platform to extend their products to meet this need."
Northrop suggests Informatica’s Secure@Source; IBM’s Q-Radar, HP’s ArcSight, and Splunk. He predicts that vendors such as Oracle, SAP, and Tableau Software, as well as database vendors such as Microsoft, Informix, and Teradata will join this club soon.
Tools: Administrative
Mike Papay, vice president and CISO at Northrop Grumman says, "In the context of destructive malware and insider-enabled data loss, businesses should invest in security tools that protect from the inside out. Similar to a broken windows policing strategy, security tools that can baseline, and then detect and alert on anomalies in network and client behavior helps businesses mitigate problem-activity early in the threat cycle.”
"I recommend Privileged Identity Management (PIM) tools that control the administrative password and, in some cases, shared business passwords and credentials," says Andras Cser, vice president and principal security/risk analyst at Forrester. "These tools are absolutely critical to prevent data breaches by making always-on system administrator access to on-premises and cloud workloads a thing of the past. PIM tools check out and change passwords for critical workloads, which makes attackers' snooped administrator and root passwords worthless. Also, PIM (generally) enforces close monitoring and recording of all programmatic and/or human administrative access to machines."
"There are three tools that all companies should have," says Gary Hayslip, deputy director and CISO for the City of San Diego, "patch management, data backup, and full disk encryption. These tools provide the basic cyber-hygiene foundation, which enables companies to continue to grow safely and respond to incidents. Then, as the revenue stream increases, they can add more security controls to the organization. If I had to choose just one, I'd say patch management. Having a patch management solution in place reduces risk exposure to the organization by keeping its IT assets up-to-date, which makes it harder for the bad guys. However, there's no guarantee that any, one solution will resolve all issues."
Tools: Cloud, Mobile
David Giambruno, senior vice president and CIO at TribuneMedia, suggests that enterprises should move toward the concept of a software defined data center. "We're using VMware’s solution stack for its micro-segmentation capabilities—summarized as security at the element layer," he says. "Historically, this was incredibly challenging with hardware but, in the software world—where everything is a file—you can wrap everything with a security posture. Security follows wherever the element goes either internal or external. The audit-ability, operational automation, and visibility changes defensive capabilities."
Giambruno deployed Cyphort for its capabilities to see east/west traffic in the cloud. The VM-based design provided quick deployment and integrated with the software defined data center.
"One interesting new area is using technology to provide a layer between the user and SaaS solutions, so the enterprise can manage authentication and encryption and hold its keys, while maintaining close-to-full functionality with the software as a service (SaaS) solution," says Dr. John D. Johnson, global security strategist and security architect for John Deere. "There are also new solutions for cloud file storage and sync (like Box) that add encryption, data loss protection, and granular reports. We are seeing the evolution of hold your own keys in the cloud where the hardware security module is in Amazon Web Services instead of your demilitarized zone."
Johnson adds that better ways to manage data on mobile devices beyond mobile device management is another concern. He recommends products that keep corporate data in a container and prevent it from moving or that record it, such as Bluebox, which puts a flexible walled garden around certain data and apps, and applies corporate rules. This could enable using BYOD in a more trustworthy manner without forcing users to comply with a full mobile device solution.
Monitoring: Defense-In-Depth
According to Neil MacDonald, vice president and distinguished analyst at Gartner, the key to information security is defense-in-depth, which consists of firewalls, patching, anti-virus, SIEM, IPS, etc. MacDonald advises clients to first remove administrative rights from Windows users (if they haven’t already). Then invest in an endpoint detection and response (EDR) solution that continuously monitors and analyzes the state of the endpoint for indications of compromise. Always assume that regardless of your prevention systems, attacks will get through to your enterprise systems. At that point you're blind.
"You can’t depend on the technologies that failed to prevent the attack, to detect it after the fact," says MacDonald. "Industry data shows the average attack resides undetected for around 240 days before discovery, and most don’t find it themselves. Usually, an outsider alerts the organization that it has been compromised."
MacDonald emphasizes that EDR solutions provide continuous visibility that, when combined with continuous analytics, can help enterprises shorten the dwell time. Prevention alone is futile and end-users are a soft target that cannot be patched. Your ability to quickly detect and respond to attacks that will inevitably bypass your traditional security protection mechanisms is, at least, as important as your investments to prevent them.
"For server workloads, I’d replace anti-malware scanning with an application-control solution," he says, "to prevent the execution of all unauthorized code, which keeps the vast majority of malware off the system and, also, reinforces good operational and change management hygiene. This should be the primary security control for protecting data center and cloud-based workloads."
Troy Leach, CTO of the PCI Security Standards Council, concurs. "PCI Standards advocate for a defense-in-depth approach to security," he says. "The underlying strategy is simple: deploy a variety of security controls aimed at different risk vectors, so your organization is better equipped to reduce the odds of a breach and keep cardholder data secure. But there’s another fundamental practice that determines the success of this strategy that's often underutilized by organizations, which is the practice of monitoring. Its strategic use provides huge, untapped business benefits."
Leach maintains that monitoring the performance and data provided by security controls enables increased awareness of security posture and the health of technical operations. In particular, continuous monitoring is a key mechanism to keep your hands on the pulse of security in real-time. Organizations should focus analysis of monitoring data on critical areas such as systems controlling access to the cardholder data environment and vulnerable PCs in the back-office running out-of-date software or security signatures. These were typical attack vectors exploited with malware insertions in recent major breaches.
"The data accrued with monitoring also allows you to measure and demonstrate financial benefits of your security program, which provides you with concrete terms for demonstrating the return on investment and getting security buy-in from senior leadership. Effective monitoring keeps your security team nimble and ready to respond to emerging risks, while helping control the costs of investments and compliance. The PCI Council urges you to continuously re-evaluate the effectiveness of your security controls with monitoring and help your security team make timely systematic responses to emerging threats," Leach says.
Monitoring: Continuous
Randy Marchany, IT security lab director and security officer at Virginia Tech, also believes that an overall security strategy is very effective as opposed to the common strategy of perimeter defense. The flaw with static perimeter defense is that most organizations focus on inbound traffic rather than outbound traffic. Continuous Monitoring, also known as Network Security Monitoring or Extrusion Detection, focuses on traffic and log analysis.
"A key CM assumption," says Marchany, "is that our machines have been compromised, so we actively search for those victims. CM provides a way to effectively detect, contain, and eradicate an attack. Three steps for a successful attack; i.e., the hackers' goal, are: gain entry to the machine; once owned, the victim machine must communicate back to the hacker; and, if discovered, delete everything to cover your tracks."
Marchany suggests some CM goals: monitor outbound traffic to suspicious sites; search for compromised machines within a network; and use analytics to determine if sensitive data exfiltration has occurred. Virginia Tech's unique network architecture runs a full production, dual-stack, IPv4 and IPv6 network, so its network defense tools must support IPv6. He recommends the FireEye Malware Detection appliance, Netflow data (which provides invaluable information that determines if internal machines have been compromised), and tools such as ARGUS Software, SiLK , the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team, and/or the Bro network security analyzer.