Full-court press: The defensive approach to security
With the barrage of attacks only growing, today's enterprise must face reality with a variety of defenses, reports James Hale.
Ask the '92 New York Knicks or the '85 Chicago Bears: Playing great defense is seldom sexy. It might take you to the championship – you might even win – but the flashy offensive stars always seem to get priority on the highlight reel.
In the digital realm today, the offense is attracting all the press as well.
“Right now, the malware writers are winning,” says Dave Frymier, CISO of Unisys, a Blue Bell, Pa.-based IT company.
Among security analysts and senior executives at global IT service providers, there is consensus that many organizations are back on their heels, being outmaneuvered by the bad guys. What is needed, they agree, is a return to the fundamentals of sound strategic analysis and risk mitigation that reflects the reality of the source and purpose of malicious data attacks.
“It seems that everyone is looking for a silver bullet,” says Marc Maiffret, CTO at BeyondTrust, a San Diego-based security solution vendor. “It's still the basics that work best.”
Those basics start with understanding what one needs to protect and who might be out to get it. “You have to be able to answer four key questions,” says Frymier. “What do you have to defend? How and where do you store that? Who has access? Who are your ‘enemies’?”
When it comes to answering that first question, a healthy dose of realism is essential, says Steve Martino, acting CISO of Cisco Systems in San Jose, Calif. “Not all customer data and intellectual property is created equal,” he says. “You need to break it down by essential, critical and important, and determine where to put your focus and build your defenses.”
Martino works on what he calls a 95/5 principle, assuming that no organization can protect 100 percent of its assets. “Humans make mistakes,” he says. “Attackers understand that, and they have deep pockets.”
Maiffret agrees that too much energy is wasted worrying about the range of threats that could come one's way, and says more focus is needed on where networks are vulnerable.
“There is an infinite amount of malware,” he says, “but a finite number of ways to get in.”
Plugging every leak might well be impossible, as Martino believes, but a proactive, continuous approach can help ensure most offensive moves are rejected. There's agreement that many organizations are making the error of thinking that putting defensive software in place is sufficient.
“It's not a set-it-and-forget-it situation,” says Maiffret. “In many instances, organizations are not using their technology to the fullest. They may have a lot of data about network traffic, but they're not necessarily analyzing it.”
Vince Berk, CEO of FlowTraq, a network security company based in Lebanon, N.H., says he is constantly confounded by how little attention people pay to who's accessing what, and where their data is flowing. He says that many companies are quick to provide network access, but slow to remove or restrict those users. He recommends compartmentalizing data, encrypting it and maintaining strict controls over who can access it.