Security issues are so ubiquitous that many CIOs are tempted to bow to the seemingly inevitable and just buy insurance to blunt the losses. Cyber insurance coverage may be a good idea for some companies but it should never be used as a cop-out on locking the data center doors.
Fortunately, most companies are continuing to fight the good fight and are barricading their enterprise all the more. Unfortunately, they may not be putting the barricades in the right places.
Figuratively speaking, “people are so focused on putting bigger and stronger locks on the doors, metal grating over the windows, and alarm systems ringing the perimeter, they’re paying no attention to the shoplifting right under their noses,” said Andrew Brandt, director of Threat Research for Solera Networks Research Labs, a network security analytics provider. “Even an enterprise-class anti-virus Roomba, sweeping the floors on a schedule and emptying the trash, is going to miss those code snippets just beyond the reach of its heuristics or hashes.”
In other words, existing defense weaponry in the company armory isn’t enough to turn the tide against an onslaught of attackers both from within and without company walls. Still, there’s only so much money to go around so what are companies spending that dough on to get the most bang form their protective arsenal?
Change in tactics
“In the face of more sophisticated attacks and an exploding number of interconnected devices, organizations are now taking a more holistic approach to securing the enterprise, moving away from individual point solutions,” explained IBM’s Jack Danahy, director for Advanced Security.
But that is not to say that enterprises are no longer spending big money on device protection.
“The sheer volume of data and the need to manage the security of all of these many devices is driving endpoint management spending at the device level, while also spurring investment in a new generation of security analytics at the enterprise operations center,” Danahy added.
The goal is to make the device, no matter what kind it might be, an impotent from a security threat point of view.
“Because of tablet OS limitations, sometimes it is not realistic to implement strong security controls on mobile applications,” said Mush Hakhinian, security architect at IntraLinks, a provider of cloud-based solutions for the exchange of critical business information.
“Enterprise IT must have tools to control what class of data can be copied onto the tablets,” he added. “Better yet, the mobile applications should be designed in a way that they do not hold any data on a device’s permanent storage, so potentially sensitive data gets purged when it exits. In an ideal world, the mobile application should have the ability to store only encrypted content anywhere on the device, including the sandbox, and decrypt the content on the fly for rendering.”
Patterns of spend and spin
Current security spend patterns are showing a focused effort on actual security performance and a widening distrust of security vendor claims. In a recent Crossbeam study, complaints against existing security features and products were alarmingly high.
Key findings of that report are:
- Almost 60% surveyed did not trust the performance claims made by security vendors, with Mobile Operators & Education ranking highest.
- 94% of all respondents noted that the performance metrics in data sheets were misleading.
- 81% surveyed had to disable features within the security device to meet their performance goals.
- 90% were forced to make some form of trade-off between security and performance.
- 63% were forced to purchase additional hardware for a security solution because of vendor performance claims that did not match reality.
- When evaluating security equipment, 42% admitted that they do not test the equipment under real-world conditions.
- 51% said they will be purchasing network security equipment in the next two years or less.
- 53% said they were planning on purchasing a next generation firewall — 33% said they already had.
“Many organizations are finding that their network firewalls operating at Layer 3 or 4 in the TCP/IP stack are having problems protecting against application layer attacks because the traffic is encrypted by SSL,” said Jeff Wilson, principal security analyst at Infonetics. “Lacking the visibility and intelligence to inspect the entire protocol stack, traditional firewalls can’t protect against today’s increasingly sophisticated and massively distributed attacks. In addition, many network firewalls have only a fraction of the connection capacity required to handle the millions of requests per second that typify modern DDoS attacks.”
An S.O.S. for SSL
Another top line item in security budgets is website protection to guard against social engineering, malware and malvertising although companies are increasingly confused over how to accomplish website security. SSL-related breaches, such as those in the highly publicized website certificate DigiNotar and Comodo cases, inflamed the public and rattled corporations’ belief in SSL.
“A persistent topic in 2011 was whether high-profile SSL breaches signified the impending demise of SSL technologies, and even online trust itself,” said Fran Rosch, vice president, Identity and Authentication Services at Symantec.
“Data indicates that both claims are overblown for 2011 and 2012,” added Rosch. “SSL technology wasn’t the weak link in DigiNotar and similar hacks; instead, these attacks highlight the need for organizations to harden its security infrastructure and reinforces that certificate authorities (CAs) must implement standards for stronger security around business operations and authentication processes.”
Given the shaken belief in SSL, albeit unfounded, will it be replaced with a different technology? No, says Rosch.
“SSL-based authentication solutions for mobile and cloud deployments will become even more popular as customers want their online transactions protected wherever they or their data are,” he said.
“Along with SSL, businesses and websites should be implementing two-factor authentication and extended validation SSL (EV SSL), which undergoes the strictest vetting standards on the Internet. Both of these offer added security for both businesses and customers,” Rosch added.
Look for enterprises to push U.S. banks to finally adopt EMV chip card transactions in a big way to help offset fraud that leads to higher charge-backs and liability for website owners. Europe and Asia are already heavily uses the technology to thwart online credit and debit card fraud. The U.S., as the last major country to use the weaker magnetic strip cards, is now the country with the highest rate of online credit and debit card fraud. EMV transactions are not fool-proof, however. That technology too is constantly being improved upon with upgrades such as cards with built-in two-factor authentication like those produced by Swiss manufacturer NagraID.
A prolific and versatile writer, Pam Baker’s published credits include numerous articles in leading publications including, but not limited to: Institutional Investor magazine, CIO.com, NetworkWorld, ComputerWorld, IT World, Linux World, Internet News, E-Commerce Times, LinuxInsider, CIO Today Magazine, NPTech News (nonprofits), MedTech Journal, I Six Sigma magazine, Computer Sweden, NY Times, and Knight-Ridder/McClatchy newspapers. She has also authored several analytical studies on technology and eight books. Baker also wrote and produced an award-winning documentary on paper-making. She is a member of the National Press Club (NPC), Society of Professional Journalists (SPJ), and the Internet Press Guild (IPG).