
Deception and the art of cyber security

Edward Roberts, director of marketing, Mykonos Software • February 28, 2012

“Warfare is the way of deception,” said Sun Tzu, the ancient Chinese military strategist. 

Cyber attackers have long embraced deception, using tactics such as social engineering help-desk employees into installing trojans or handing over users' credentials. Even the famed hacker Kevin Mitnick wrote a book called “The Art of Deception.” If deception can be used to attack, can it also be used in cyber defense?

Today, it's not clear how thoroughly cyber security professionals embrace this well-established military tactic beyond lip service that deception is a good idea. Traditionally, security professionals have been mired in a mindset of fortifying perimeter defenses, creating impervious walls, relying on defensive signatures and valiantly, or vainly, attempting to passively keep attackers from stealing data.

Websites are currently taking a beating from hackers. It's impossible to miss reports in the mainstream media of recent attacks on websites such as Zappos, the Sony PlayStation Network and the CIA by every class of attacker, including hacktivists such as Anonymous, organized crime groups, state-sponsored espionage and low-skilled script kiddies.

The web application is among the most porous and frequently attacked surfaces in any organization, and there are five reasons why the web layer is so popular with hackers.

  • First, the sheer number of websites and the ability to automate and scale up attacks puts the economics of hacking firmly in the perpetrator's favor. Today, millions of sites can be scanned for vulnerabilities quickly and easily, and attacks are distributed and scaled up using botnets.
  • Second, the web application is reachable by anyone on the internet, so any vulnerability in it is exposed to the whole world. This alone offers the quickest and easiest potential pathway to get information out of a company or infiltrate the network.
  • Third, the web layer is largely undefended within many organizations, eliminating the hacker's fear of being detected and caught.
  • Fourth, the skill level required to exploit known web vulnerabilities is lower because of the numerous public scripts available to download and run. Consequently, a large number of unsophisticated script kiddies hit sites with impunity.
  • And finally, the web application changes rarely, so it is easy to profile for weaknesses.

The goal of deploying deception to detect hackers is to change the underlying economics of hacking, making it more difficult, time consuming and cost prohibitive for infiltrators to attack a web application. Realistically, there will always be attackers seeking to gain advantage, and the reality is that the hacking problem cannot be solved, but it can be proactively managed.

So what does web intrusion deception look like? By spreading a deceptive layer of code throughout the web application, invisible to normal users, one creates a variable attack surface that makes attackers reveal themselves through their behavior. Once a hacker touches one of the deceptive "tar traps," they identify themselves and can immediately be prevented from attacking the site.

The effect of inserting deceptive tar traps into the web application code means a change in the hacking game. Primarily, there is increased risk to the attacker of being detected and caught. Furthermore, a variable land-mined web application also requires increased skill to attack because the site does not respond in normal and expected ways. If the hacker has to worry where they attack, they also have to be more selective in choosing sites to compromise. In addition, adding the deceptive tar traps increases the size of the site, which then increases the time it takes a hacker to profile and find vulnerabilities.

But the ultimate deception is misinformation. Imagine supplying the hacker with fake successes, responses, files and assets to exploit. This wastes the attacker's time and makes them feel they have successfully hacked the site, unaware that they are instead compromising a virtual world.

If they don't know what they are seeing, and cannot rely on what they learn, how can they craft an attack?
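The mechanics described above, reduced to a toy request handler, as an added example (not Mykonos or Juniper code). It plants three tar traps that a legitimate browser or user never touches: a decoy admin path advertised only in a robots.txt Disallow line, a form field hidden with CSS that humans leave empty, and a cookie name the server never issues. A client that touches any of them is flagged, and from then on is fed decoy pages rather than an error, so it keeps wasting time. The path, field and cookie names are made up for the example; the requests in the test are constructed.

```python
"""Toy web intrusion deception: tar traps plus decoy responses for flagged clients."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Lure: robots.txt is served honestly; nothing on the site links /old-admin/,
# so only a client that parses robots.txt looking for "interesting" paths goes there.
ROBOTS_TXT = "User-agent: *\nDisallow: /old-admin/\n"
HONEY_FIELD = "email_confirm"      # hidden with display:none; browsers submit it empty
HONEY_COOKIE = "admin_session"     # the server never sets this; presence means it was forged
REAL_PAGE = ("<html><form method=post><input name=email>"
             "<input name=email_confirm style='display:none'></form></html>")
DECOY_LOGIN = "<html><h1>Admin login</h1><form method=post><input name=user>"\
              "<input name=pass type=password></form></html>"


@dataclass
class Tracker:
    """Per-client detection state; in a real deployment this lives in shared storage."""
    flagged: Dict[str, str] = field(default_factory=dict)   # client -> reason first flagged


def handle(tr: Tracker, client: str, path: str,
           form: Optional[dict] = None, cookies: Optional[dict] = None) -> Tuple[int, str]:
    """Serve one request. Returns (status, body). Flags the client if it touches a trap."""
    form = form or {}
    cookies = cookies or {}

    if path == "/robots.txt":
        return 200, ROBOTS_TXT

    # Detection: any of these is a high-confidence signal, because no normal
    # user journey produces it.
    reason = None
    if path.startswith("/old-admin/"):
        reason = "requested decoy admin path"
    elif form.get(HONEY_FIELD):
        reason = "filled hidden honeypot field"
    elif HONEY_COOKIE in cookies:
        reason = "presented forged decoy cookie"
    if reason and client not in tr.flagged:
        tr.flagged[client] = reason

    # Response: flagged clients get a believable fake world instead of a block.
    if client in tr.flagged:
        if path.startswith("/old-admin/"):
            # The decoy login never succeeds, however many credentials are tried.
            return (200, "Invalid username or password.") if form else (200, DECOY_LOGIN)
        return 200, "<html><p>Welcome back.</p></html>"

    if path == "/":
        return 200, REAL_PAGE
    return 404, ""
```

The point of the design is that detection costs the defender nothing on the normal path (the traps are inert for legitimate traffic) and costs the attacker certainty: once flagged, nothing the client learns about the site can be trusted.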

Intrusion deception is a new approach to cyber security built on classic philosophies from the “Art of War.” Sun Tzu said, “Appear weak when you are strong, and strong when you are weak.” Your website can appear weaker, but actually be stronger. How's that for changing the game on the hacker?


Edward Roberts is the director of marketing at Mykonos Software, which was recently acquired by Juniper Networks.


Forensic incident response to the fore

Anthony Di Bello, product marketing manager, Guidance Software February 24, 2012

We've recently been witnessing a tremendous change in perspective when it comes to IT security. It started in early 2010 when Google announced publicly that it had been the victim of a sophisticated cyber attack. Later, more companies went public: software makers, defense contractors, computer and networking companies, and most recently the security company and domain name registrar VeriSign.

I don't believe these incidents are a blip, but rather a flip. A flip in the way organizations view coming forth publicly about significant IT security incidents. The shroud of embarrassment associated with breaches has been lifting. I suspect in the year ahead we will see many more breach announcements. Not only because Google helped make it more acceptable, but because it's required in many cases now as we detailed in “SEC Cybersecurity Guidelines -- What You Should Know.” The SEC is all but making it a mandate for public companies to report significant incidents.

More importantly, what does all of this mean for the IT security industry? Has any of it changed the way enterprises view security? Fortunately, yes. The message is clear: Even the most sophisticated companies can be breached.

This is changing the way many in IT security view their profession. The industry is no longer viewed as just about firewalls, secure sockets layer (SSL), anti-virus, and intrusion detection and prevention systems. While such defenses are vital, no one can architect an impenetrable enterprise-wide defense.

Jon Oltsik, a principal analyst at Enterprise Strategy Group (ESG), gets this. In a recent post he argues that, “Large organizations need best practices for inevitable security events.”

It's absolutely so. When it's finally understood that a certain percentage of attacks will be successful, incident response and forensics become much more important.

For instance, ESG's research found that 20 percent of large enterprises are certain that they've been the target of an advanced attack (often referred to as an advanced persistent threat), while another 39 percent believe that they've likely been targeted. That's roughly 60 percent of organizations who have good reason to believe that they've been targeted by attackers who are skilled at what they do. Personally, I think a good percentage of those who don't think so either have nothing worthwhile to steal, or they're burying their head in the sand.

Something worth noting about the ESG research findings is that organizations seemed to be challenged when it came to actually having the internal technical skills necessary to respond to an incident. They may lack the staff necessary to respond, or the technology, policies, procedures and even proper internal communications plans.

Oltsik believes that more CEOs are likely to increase security budgets this year and put the pieces in place necessary for their organizations to more effectively respond to security breaches.

It's not just executive leadership that is taking notice of the need for incident response. The topic is getting increasing media attention after years and years of inattention.

It's a great sign to see more news items tackling the topic. It shows a general maturing of IT security.

One example is an interesting story last month in DarkReading. The piece highlights how organizations can overcome staff shortages, lack of skills and lack of incident preparedness.

While surveys, news stories and opinions are some indicators, when trying to determine the accurate direction of a trend it's always good to gather information from multiple data points.

Joseph Naghdi of Computer Forensics Lab says, “There is definitely an uptake in hires for forensic experts, and this trend will continue.”


Anthony Di Bello is the product marketing manager for compliance and cybersecurity solutions at Guidance Software. The company will be returning to the RSA Conference this year and will be located at booth 136.


The blueprint for secure BYOD

Tom Murphy, CMO, Bradford Networks • February 21, 2012

Bring-your-own-device (BYOD) quickly made the jump from industry trend to business imperative, and organizations are now feeling the pressure to open their networks to employee-owned devices. Unlike corporate-issued devices, which are managed and under IT's control, employee-owned devices introduce a unique set of security challenges that require a balance of flexibility, visibility and security. Looking for a turnkey solution to BYOD, many organizations are turning to vendors that don't necessarily offer complete security, leaving sensitive corporate data vulnerable to attack.

In order to ensure holistic network security with a BYOD policy, organizations need to consider all parts of the BYOD ecosystem, including mobile device application development, mobile device management (MDM) and network access control (NAC):

Mobile device application development

Simply put, organizations need to make sure the apps people use on their mobile devices come from a trusted, reliable source, such as an official app store. While not perfect, app stores are among the safer places to download apps, because submissions are reviewed before publication and can be pulled if they turn out to be malicious. Taking this step provides a strong building block for the rest of the blueprint.

Mobile device management (MDM)

MDM gives IT the ability to monitor and manage each enrolled device, whichever operator or service provider it is on, by tracking and controlling the data and applications on each individual phone and/or tablet. MDM solutions can provide the following:

  • Remote device management, using encryption and passwords
  • Remote OS patching and/or upgrades
  • Remote install or removal of applications
  • Full-disk or folder-level encryption
  • Remote locking or wiping of lost/stolen devices

Network access control (NAC)

NAC tracks and secures the network access of all endpoint devices that try to reach a corporate network. These endpoints include (but are not limited to) PCs, laptops, servers, printers, IP phones, medical devices, POS devices and, in a BYOD environment, smartphones and tablets. In a BYOD environment, NAC technology can automatically identify and profile all devices and users on a network, providing visibility and control. NAC can also enable IT departments to automatically differentiate between corporate and personal assets and provision network access accordingly, ensuring the correct access policy is applied to each device. In a hospital setting, for example, a doctor's personal iPad may be allowed to access patient data, while devices used by administrative staff to check patients in and out may have limited access to the network.

In order to fully embrace BYOD, IT managers need to consider all facets of the BYOD blueprint, as successful BYOD strategies will use a combination of these technologies to enforce the overall policy. With all three technologies, devices are protected and network access is determined by device (and/or by user) based on corporate policy. IT gains a holistic view of devices and users across the network as well as the ability to automatically provision access accordingly – giving control back to IT managers and freedom of choice to employees. 


Building your security policy

Devin Anderson, director of product management for security suite, LANDesk • February 15, 2012

Complete endpoint security can no longer be ignored, and a “good enough” security strategy is no longer good enough. Historically, building a complete and integrated endpoint security program was too often at the bottom of an IT manager's list, or something that was viewed as too costly or “a project for next year.” But in today's world we are constantly reminded of the criticality of endpoint security, as more companies are breached and hacker groups announce their latest ploys on a daily basis.

The nature of threats is changing too. No longer are hackers simply targeting random individuals just for fun with a mischievous attack. Instead, hackers are now part of organized initiatives (or even foreign governments) working to exploit your company's and its customers' data for financial gain and to wreak havoc on your business. In addition, attack vectors are more complex than ever – often employing multiple types/styles of malicious code to attack end-user systems.

In short, today's threat environment is extremely daunting, whether you're a small start-up or a large enterprise. And the myriad point products and odd security vendor solution mash-ups in the marketplace don't make matters any easier. However, there are several pieces of functionality that you should look for in order to arm yourself with a unified threat management strategy.

  1. Know who/what/where. Your security policy should be fluid, based on the type of end-user and their environment. The ability to adjust security settings based on a user's job function and environment (e.g., the corporate network, a home office or an airport) is a basic concept every security policy should employ.
  2. Couple AV. Contrary to popular opinion, AV is not dead, but if you use it as a standalone defense, your reputation could be. As your only defense against malware, AV is wholly ineffective; it must be integrated with additional, more proactive threat protection.
  3. Patch, patch, patch. Simple in theory, but you'd be surprised how few IT technicians actually follow the process and use the tools needed to succeed here. Perhaps that's because, while patching is simple in theory, it becomes overwhelming when done machine by machine, and complexity escalates quickly across multiple platforms and a wide range of applications. Automation changes everything. With an integrated patch management tool, the process is made far easier and duplicated effort disappears: you can deploy patches to thousands of machines more efficiently and with significantly higher success rates.
  4. Black, white and grey. Many solutions claim blacklisting capabilities. But attempting to continuously block every potential threat/application is not realistic in this day and age. You're better off permitting only the good stuff, i.e., pre-approving which applications can run (whitelisting), and then monitoring application behavior. By looking for potentially harmful activity while pre-approving known applications, you arrive at a grey area, and in this case that's a good thing. Better yet, tie the approval to trusted deployment systems and make your life even easier.
  5. It's all in the HIPS. A host-based intrusion prevention system monitors your systems for suspicious activity, attempts to block it, and logs the incident. The ability not only to stop malicious activity but to record it lets you secure your network better and take a more proactive stance in the future, by identifying the types of bugs and patterns involved.
It's a safe bet that your organization will be the target of a breach at some point. You should prepare for the “when” to reduce the “if,” and focus on eliminating the endpoint as an attack vector. While these five basic steps are by no means comprehensive, they will serve as a proper foundation for any IT security policy – be it big or small – and will help safeguard your organization from today's ever-increasing threatscape.

Risk: Security's new compliance

Torsten George, vice president of worldwide marketing and products, Agiliance • February 06, 2012

For many years, complying with government standards and industry regulations was seen as an obligatory check box in the lengthy list of IT security tasks. However, recent changes in the security ecosystem are leading to a rethinking of this approach.

2011 saw a record number of cyber security attacks and associated breaches with very public disclosures including Citigroup, the International Monetary Fund, RSA (the security division of EMC), Lockheed Martin, Google, Sony, ADP and NASDAQ. These attacks are just the tip of the iceberg. Government networks, critical infrastructure operators and the private sector are facing an increasing frequency and sophistication of cyber attacks and breaches of information security – often with discovery after the fact.

Risk-based security

The 2012 Global State of Information Security Survey, conducted by PwC among more than 9,600 security executives from 138 countries, reveals that only 16 percent of respondents believe their organizations are prepared and have security policies in place that can confront an advanced persistent threat (APT). This does not come as a surprise, considering three years of budget constraints that led to degradation in core security capabilities.

Considering the current economic climate and impasse in Congress, a dramatic change in prior years' budget limitations across the commercial and public sectors appears unrealistic; however, the increased threat levels will lead to a budget realignment toward security. Security professionals will be asked not to deploy additional security solutions, but instead to find better ways to leverage existing investments in security tools. The revised objective of many organizations today is to develop a risk-based rather than compliance-driven approach to determining the business' investment decisions.

According to a 2011 survey, more organizations are focusing on managing risk, not just security. In fact, 57 percent of survey respondents had already shifted to a risk-based approach, employing a formal enterprise risk management process or methodology. 61 percent of respondents indicated that they will put even more value on a risk-driven strategy going forward.

This data is complemented by independent market research studies, which show that more organizations recognize that instead of looking at governance, risk, and compliance (GRC) from a centralized perspective, it is more efficient to let business operations drive these efforts as that's where the organization's risk knowledge resides. In this context, the market sees the emergence of the role of the business information security officer (BISO) to reflect the fact that regional resources are the real subject matter experts when it comes to risk associated to particular business units.

Making risk visible, measurable, and actionable

The dilemma that organizations face is that their current security and vulnerability measures, including perimeter intrusion detection and signature-based malware and anti-virus solutions, are unable to keep up with evolving threats. Often these security tools operate in silos and are not integrated and interconnected to achieve a closed-loop process and continuous monitoring. Another shortcoming is that a majority of vulnerability programs lack a risk-based approach, whereby vulnerabilities and the associated remediation actions are prioritized according to the risk to the business. Thus, it is often impossible to make risk visible, measurable and actionable.

However, as mentioned before, real-time risk analysis is essential to optimize business performance and make better investment decisions. Therefore, organizations should explore software tools that can aggregate data from existing security tools and information management applications. These tools not only provide advanced reporting capabilities but also interconnectivity, so that remediation actions can be triggered and followed through easily. At the same time, the tools tie compliance and security automation together, extending traditional GRC capabilities. Leveraging these tools allows organizations to implement a holistic view of security while automating the GRC process. This approach is being labeled “security risk management,” rather than “GRC,” and yields the following benefits:

  • Reduces risk by making threats and vulnerabilities visible and actionable; enables organizations to prioritize and address high-risk security vulnerabilities before breaches occur
  • Reduces cost by streamlining processes to leverage automation and reduce redundant, manual efforts
  • Provides reports and metrics to measure effectiveness and efficiency

Security vendors can no longer ignore patch management

Scott Hagenus, VP, strategic relationships, GFI Software • February 03, 2012

Patch management can prevent most of the malware currently exploiting software vulnerabilities, so why isn't the technology being used everywhere?

Part of the problem is the misconception that if you run your anti-virus (AV) software regularly and update the operating system, you are covered. Reality begs to differ. While AV software derails a lot of potentially harmful attacks, it is only one component of a comprehensive security solution. Updating the OS is important, but it doesn't cover holes in applications and browsers that hackers, cyber criminals and other assorted IT malefactors are adept at exploiting.

Simply put, a truly comprehensive security strategy includes automated, centralized patch management software designed to handle a multitude of patches issued by multiple vendors at different times; a system to perform the necessary tests before applying patches; and the tools to conduct software audits on a regular basis. The execution of which, for far too long, has been a challenge for many small and midsized businesses, and completely out of reach for your average home user.

This needs to change.

The software patching function could be accomplished much more easily for most home and business users if security hardware and software vendors (including AV, firewall, gateway appliance and PC utility companies) integrated patch management into their solutions. It's hard to think of a better fit between complementary technologies, but even though patch management has been available for the better part of a decade, most security vendors still don't offer it among their growing slate of features.

For their part, service-focused companies such as ISPs (internet service providers), MSPs (managed service providers) and RMM (remote monitoring and management) vendors have been successfully integrating patch management into their offerings, thereby taking pressure off their customers to keep systems safe, while also establishing incremental service revenue opportunities for themselves.

Managing a stream of patches

Keeping up with the stream of patches over the course of a year is a daunting task for any IT administrator, let alone the average home user. Vendors follow their own schedules, issuing patches monthly, quarterly or as needed. Microsoft alone issued close to 100 updates last year.

Most software applications and systems nowadays do come with auto-update mechanisms for downloadable patches. However, updaters operate independently of each other, taking up resources and bogging down systems, and require users to run them manually. They are time-consuming, requiring application shutdowns and system restarts, so it's easy to see why many users put them off.


Automated patch management solves this problem, and in so doing prevents upward of 90 percent of software attacks, most of which hit home computers. Consider that most botnets, responsible for untold spam, DDoS and phishing attacks targeting corporate networks, are essentially thousands of infected home PCs, and it becomes clear how tightly corporate security is intertwined with the security of the average home user.

There's not only an industry imperative to address here, but there's also a tremendous market opportunity for security vendors to seize.

Six pack of trouble

Think of patch management as a flu shot. Like the flu, computer viruses and malware evolve constantly. Just as your body has to adapt to fight off infection, so does your IT environment. A vaccine helps your body adjust, and that is what a patch management system does for your network.

A recent Center for Strategic and International Studies (CSIS) study made a strong case for patch management. The study, conducted over a three-month period, found that simply applying the most recent patches to six software packages on Windows machines could prevent 99.8 percent of malware infections. The six packages are the Java JRE (responsible for 37 percent), Adobe Reader/Acrobat (32 percent), Adobe Flash (16 percent), Microsoft Internet Explorer (10 percent), Windows HCP (three percent) and Apple QuickTime (two percent).

For anybody using a computer or managing an entire network, automated patch management is clearly a tremendous benefit, protecting their systems and data while saving them money. A network free of viruses is, of course, more cost-effective than one requiring remediation after an infection.

Patch management should be a fundamental component of any comprehensive security solution. It's something ISPs, MSPs and RMM vendors understand, though we can't yet say the same for a broad array of other security vendors, who should proactively strengthen their products with integrated patch management to better protect their business and consumer customers.

If they don't, users and service providers should pressure them to do so. If they succeed, it would be a win for everyone.


Scott Hagenus is vice president of strategic relationships at GFI Software. Learn more at www.gfi.com or by sending email to atg@gfi.com.


Lessons on insider threats

Brian Anderson, CMO, BeyondTrust • February 02, 2012

In the past two years, two rogue traders, Jerome Kerviel at Société Générale, and then just recently, Kweku Adoboli at UBS, cost their respective financial institutions more than $9B by making unauthorized trades.

And let's not forget Julian Assange. WikiLeaks gave new meaning to the concept of insider threat by providing a convenient vehicle to empower staff at government agencies and public/private corporations to quickly and instantly hand over their privileged information to the world.

Insider threats are becoming a global phenomenon. Every company in every part of the world is subject to some level of insider threat. And guess what? Insider villains are just as unidentifiable in the U.K. as they are in the United States. They appear just as innocuous in Poughkeepsie as they do in Perth.

Yet despite these costly, high-profile breaches, hacker attacks are far more publicized than insider attacks. Last summer Anonymous and LulzSec attacks splashed news headlines, and undoubtedly more people could name Anonymous than they could Kweku Adoboli.

As I meet with executives of large corporations, they have one request of our company: Keep us out of the Wall Street Journal. Don't let me be the CEO who lost all of my customer's credit card data.

The richness and sensitivity of this information, much of it personal to the consumer, has led to a series of legislative and regulatory efforts to ensure it is secured. Sarbanes-Oxley, PCI DSS, Basel II and a host of standards throughout the world have emphasized the importance of, and indeed require, securing the assets of our customers.

Billions of dollars have been spent over the last few decades on corporate information technology security in order to “keep the bad guys out,” but it turns out the bigger threat was, and always has been, found within the network perimeter. The so-called “insider threat,” the trusted employee, contractor or partner, can cost an organization more on a daily and/or per-incident basis than any outside hacker could hope to.

Whether we like it or not, “good people can do bad things” intentionally, accidentally, or indirectly.

If you have employees with excessive privileges or access to sensitive data, then they are at risk of intentionally, accidentally or indirectly misusing that privilege and potentially stealing, deleting or modifying the data. There is a very fine line between intent and action, especially when excessive privileges on IT resources are involved.

In April 2011, a former network security engineer at Gucci America was indicted on charges that he illegally accessed the company's network and deleted documents shortly after he was fired, costing Gucci nearly $200,000 in damages. Using an account he secretly created while working at the company, the former employee allegedly later accessed Gucci's network and deleted virtual servers, shut down storage areas and wiped corporate mailboxes.

Employee terminations are, unfortunately, a necessary evil for corporations. The Gucci America case, and many others like it, calls attention to the importance of having policies and procedures in place to ensure terminated employees no longer have access to company information and resources. Email, network and application accounts must be swiftly deactivated. Employees granted administrative privileges while at the company could also pose an even greater threat. 
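One check that follows from the Gucci America case and the offboarding point above, as an added example (not BeyondTrust code): reconcile the HR roster against a directory export and flag every enabled account that either belongs to a terminated employee or has no HR owner at all, which is exactly how an account created outside the provisioning process looks. Accounts holding an administrative group get flagged first. Both CSV inputs, and their column names, are constructed for the example; a real run would export them from the HR system and the directory.

```python
"""Offboarding reconciliation: enabled directory accounts vs. the HR roster."""
import csv
import io
from typing import Dict, List

# Constructed sample inputs. Column names are assumptions for the example.
HR_CSV = """employee_id,name,status,termination_date
1001,Ann Lee,active,
1002,Bob Ray,terminated,2012-01-15
1003,Cy Dow,active,
"""

DIRECTORY_CSV = """sam_account,employee_id,enabled,groups
alee,1001,true,Domain Users
bray,1002,true,Domain Users;Domain Admins
cdow,1003,true,Domain Users
svc_backup2,,true,Domain Admins
jdoe,1004,false,Domain Users
"""

ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins"}   # assumed names for the example


def find_risky_accounts(hr_csv: str, directory_csv: str) -> List[Dict[str, str]]:
    """Return enabled accounts with a terminated owner or no owner, admins first."""
    hr = {row["employee_id"]: row for row in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(directory_csv)):
        if acct["enabled"].strip().lower() != "true":
            continue                                    # disabled: already handled
        groups = set(filter(None, acct["groups"].split(";")))
        owner = hr.get(acct["employee_id"].strip() or None)
        if owner is None:
            reason = "no HR owner (created outside provisioning?)"
        elif owner["status"] == "terminated":
            reason = f"owner terminated {owner['termination_date']}"
        else:
            continue                                    # active employee, nothing to do
        severity = "high" if groups & ADMIN_GROUPS else "medium"
        findings.append({"account": acct["sam_account"], "reason": reason,
                         "severity": severity, "groups": ";".join(sorted(groups))})
    # Admin-privileged orphans first, then alphabetical so the report is stable.
    findings.sort(key=lambda f: (f["severity"] != "high", f["account"]))
    return findings


if __name__ == "__main__":
    for f in find_risky_accounts(HR_CSV, DIRECTORY_CSV):
        print(f"{f['severity']:6} {f['account']:12} {f['reason']}  [{f['groups']}]")
```

The script deliberately reports rather than disables: the high-severity lines are the ones to act on within the hour, and an account with no HR owner that is also an administrator should be treated as a possible backdoor rather than an inventory error until proven otherwise.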

Human nature is the weakest link when it comes to the intersection of people, processes and technology. And, all too often it's the tendency of almost the entire IT industry – vendors, analysts and press – to ignore this.

You can't rely on everyone being a saint or competent all of the time. It's not just malicious malcontents intent on destroying the system who can cause havoc, but also the negligent, misinformed and downright nosey who can compromise sensitive data. More often than not, such people have far too much privileged access for the role they are required to play: admin rights on the desktop, the root password on servers.

It would be nice if every villain inside your organization walked around wearing a big sign that broadcasts "bad guy looking to do bad things," but alas it is only in cartoons and movies where you can always find the stereotypical bad guy.

In real-life enterprises, insiders look like you and me – just regular employees doing their job and collecting their paycheck. That's why securing the perimeter within is so important.


Brian Anderson is CMO at BeyondTrust. Brian co-authored the first definitive book on insider threat mitigation with BeyondTrust CEO John Mutch, called Preventing Good People from Doing Bad Things.

Best practices to secure the mobile enterprise

Scott Emo, head of endpoint product marketing at Check Point Software Technologies • January 30, 2012

Mobile devices have infiltrated nearly every aspect of people's lives. The amount of personal and corporate data stored on these devices makes securing the information on them a priority.

A survey conducted in January 2012 by Dimensional Research explored the impact of mobile devices on information security in corporate environments, noting that 94 percent of companies have seen an increased number of personal mobile devices, such as smartphones or tablets, connecting to corporate networks. Increased employee productivity and mobility are the main benefits for organizations that allow these devices in the workplace, but those benefits come with their own set of risks.

The threats associated with mobile devices can come in many forms, including:

  • Mobile operating system – Every OS, including Android, iOS, BlackBerry and Windows, comes with its own set of security challenges. Threats can originate from mobile apps, the mobile browser, as well as insecure Bluetooth and Wi-Fi hotspot usage.
  • Employees – The lack of security awareness among employees is often the leading factor impacting the security of mobile data. Many employees simply aren't aware of the mobile security risks, or of the corporate policies that govern storing corporate data and customer information on a mobile device and accessing business applications from it.
  • Personal mobile devices – The consumerization of IT brings another layer of complexity as more employees want to leverage their personal mobile device for business purposes. While companies begin to accept the “BYOD” (bring your own device) trend, there are significant concerns about the privacy of sensitive data stored on the devices that IT must handle.

The first step businesses should consider when safeguarding against these security challenges is to develop and enforce best practices and corporate policies for the mobile enterprise. At a minimum, such a policy should cover:

  • a list of approved devices that can access corporate data;
  • the types of data that can be stored on mobile devices and taken out of the corporate environment;
  • which types of mobile apps can be downloaded onto devices;
  • a procedure to follow when a device is lost or stolen;
  • a routine for applying operating system patches;
  • a requirement for device passcodes; and
  • the capability to wipe a lost or stolen device remotely.

Mobile device usage in the workplace is a trend that has staying power because it un-tethers employees from their offices, allowing them to work more efficiently while on the go. As with any emerging trend, organizations will need to be careful about striking the right balance between mobility that empowers employees and the new security concerns that arise from it.

 

A closer look at two of today's top security threats

Matt Ulery, director, product manager, NetIQ • January 26, 2012

As an information security professional, there are two security issues that I continually hear about when talking to IT organizations today: protecting against malware and advanced persistent threats (APTs), and securing data in virtual and cloud environments.

Advanced persistent threats

Hackers and computer criminals have shown an ongoing ability to stay one step ahead of the security professional. This is occurring in large part because security is often not treated as a sustained effort, and too many organizations take a check-box approach to implementing security or meeting compliance objectives.

As a result, long-term coordinated attacks can often exploit inadequate defenses over a period of time. In many cases, these attacks are well disguised and designed to undermine typical security controls deployed within many organizations. Often these attackers are well-funded, financially motivated and in some cases nationally sponsored (by China, in particular).

These entities have changed the game by leveraging new types of attacks that traditional systems can't easily detect. APTs require a fundamental change in mindset by IT professionals to a state of sustained vigilance. There are no “quick fixes” for APTs and no single product is a cure-all.

Organizations need skills and tools to find patterns, correlate activities across applications and infrastructure, and conduct forensic analysis to find the clues that you may be compromised or that you are about to be compromised. They need to be able to do this in real time, and most organizations do not have the visibility, solutions or skill sets to best protect themselves against these kinds of sophisticated attackers. The information needed to detect attacks exists within the enterprise regardless of whether the attack is by an external party or an insider. Organizations that are not proactively collecting and analyzing this information lack the visibility needed to detect and respond to threats.
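The correlation the paragraph calls for is easiest to see on concrete data. The following is an added example, not NetIQ code and not from the original column: three event sources (authentication, endpoint, web proxy) already normalised to one tuple schema, and a rule that fires only when a brute-force login, a process launched from a user-writable path, and an outbound connection to a destination outside the baseline all occur on the same host inside one time window. The events, the baseline destination set, the threshold and the window are all constructed for the demonstration; any one stage on its own would be too noisy to page on, which is the point the paragraph makes about needing to correlate across applications and infrastructure.

```python
from datetime import datetime, timedelta

# Constructed sample events, already normalised to one schema. Field order:
# (timestamp, source, host, user, action, detail). A real pipeline would
# parse these out of auth logs, EDR telemetry and proxy logs.
EVENTS = [
    ("2012-01-20T09:00:01", "auth",     "ws-17", "jdoe",   "login_fail", "src=10.0.5.8"),
    ("2012-01-20T09:00:02", "auth",     "ws-17", "jdoe",   "login_fail", "src=10.0.5.8"),
    ("2012-01-20T09:00:03", "auth",     "ws-17", "jdoe",   "login_fail", "src=10.0.5.8"),
    ("2012-01-20T09:00:04", "auth",     "ws-17", "jdoe",   "login_fail", "src=10.0.5.8"),
    ("2012-01-20T09:00:05", "auth",     "ws-17", "jdoe",   "login_fail", "src=10.0.5.8"),
    ("2012-01-20T09:00:09", "auth",     "ws-17", "jdoe",   "login_ok",   "src=10.0.5.8"),
    ("2012-01-20T09:02:30", "endpoint", "ws-17", "jdoe",   "proc_start", r"C:\Users\jdoe\AppData\Local\Temp\svc.exe"),
    ("2012-01-20T09:03:10", "proxy",    "ws-17", "jdoe",   "http_out",   "updates.example-cdn.net"),
    # Benign noise on another host: one typo then success, a normal program, office traffic.
    ("2012-01-20T09:05:00", "auth",     "ws-22", "asmith", "login_fail", "src=10.0.5.9"),
    ("2012-01-20T09:05:04", "auth",     "ws-22", "asmith", "login_ok",   "src=10.0.5.9"),
    ("2012-01-20T09:06:00", "endpoint", "ws-22", "asmith", "proc_start", r"C:\Program Files\Office\winword.exe"),
    ("2012-01-20T09:06:30", "proxy",    "ws-22", "asmith", "http_out",   "mail.corp.example"),
]

# Constructed baseline of destinations the organisation normally talks to.
KNOWN_DESTINATIONS = {"mail.corp.example", "intranet.corp.example", "update.microsoft.com"}
WINDOW = timedelta(minutes=30)   # assumed correlation window
FAIL_THRESHOLD = 5               # assumed brute-force threshold


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def stage_auth(events):
    """Stage 1: at least FAIL_THRESHOLD failures followed by a success for one host/user."""
    fails, hits = {}, []
    for ts, src, host, user, action, _ in events:
        if src != "auth":
            continue
        key, t = (host, user), parse(ts)
        if action == "login_fail":
            # Sliding window: keep only failures still inside WINDOW, then add this one.
            fails[key] = [f for f in fails.get(key, []) if t - f <= WINDOW] + [t]
        elif action == "login_ok" and len(fails.get(key, [])) >= FAIL_THRESHOLD:
            hits.append((t, host, user))
            fails[key] = []
    return hits


def stage_endpoint(events, host, user, start, end):
    """Stage 2: a process launched from a user-writable path on the same host, in the window."""
    writable = ("\\AppData\\", "\\Temp\\", "/tmp/", "/home/")
    return [parse(ts) for ts, src, h, u, action, detail in events
            if src == "endpoint" and h == host and u == user and action == "proc_start"
            and start <= parse(ts) <= end and any(w in detail for w in writable)]


def stage_proxy(events, host, start, end):
    """Stage 3: outbound HTTP from that host to a destination absent from the baseline."""
    return [(parse(ts), detail) for ts, src, h, _, action, detail in events
            if src == "proxy" and h == host and action == "http_out"
            and start <= parse(ts) <= end and detail not in KNOWN_DESTINATIONS]


def correlate(events):
    """Chain the stages: each alone is noisy, all three on one host in one window is not."""
    events = sorted(events, key=lambda e: e[0])
    alerts = []
    for t0, host, user in stage_auth(events):
        procs = stage_endpoint(events, host, user, t0, t0 + WINDOW)
        if not procs:
            continue
        beacons = stage_proxy(events, host, min(procs), t0 + WINDOW)
        if beacons:
            alerts.append({"host": host, "user": user, "first_seen": t0.isoformat(),
                           "destination": beacons[0][1]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print("ALERT", alert)
```

Run as-is it raises exactly one alert, for ws-17, and nothing for ws-22 even though that host also produced a failed login, a new process and web traffic. The ordering constraint (process after the suspicious login, beacon after the process) is what keeps the rule from firing on coincidental noise; loosening it is the usual source of false positives in correlation rules.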

Virtual and cloud computing

Securing data, both personal and corporate, within virtual and cloud environments without the ability to implement and monitor controls presents a significant challenge for IT security personnel. As virtualization and cloud technologies continue to expand – due largely to the need to lower costs in IT – this trend has required us to grow, and in some cases, change our approach to security monitoring.

Not all virtual and cloud environments offer customers the ability to implement and manage effective security controls, and this can pose tremendous risk, particularly as many service providers do not guarantee the security of data stored within their environment, and the owner of the data generally retains liability if a breach does occur.

Organizations must understand that outsourcing IT does not transfer responsibility for data or liability associated with its security. Companies can mitigate the risks somewhat here through carefully structured contracts with clear SLAs, but that is not a failsafe by any means.

It may be difficult to implement parallel security controls so that confidential data accessed on the network is treated in the same fashion outside of your organization. End-users cannot be expected to know the location of an application or how to avoid placing sensitive data in a virtual or outsourced repository that may not have adequate controls in place. So, while there is no question about the ease and convenience of virtualization, these services may prevent IT from applying needed security controls, allow end-users to unintentionally expose confidential personal and corporate data, and ultimately put the business at risk of liability.

IT cannot stop this trend of business users contracting discrete services to support their objectives. IT needs to enforce protection at the data level, regardless of where the data is located. Where the service is infrastructure or platform as a service and the organization retains control of the systems, this can be addressed as an extension to current enterprise monitoring. Where the organization gives up control of the infrastructure for the benefits of SaaS, the risks must be addressed through a carefully structured contractual agreement, which includes terms for auditing and reporting. Without such protection, the organization is exposed as employees move critical information to cloud services.

Considerations for any security program

As new threats and deployment models increasingly impact organizations' security strategies, it is important to formulate a security model that accounts for these changes.

Ultimately we need to change our view of “trusted” users and focus on the behavior rather than the user. For that reason, a “zero trust” model is the most appropriate approach if organizations are to fully protect data and systems. In this context, no user is blindly trusted. Activity must be continuously monitored and identity continuously verified. The approach of controlling rights through an overall identity/role lifecycle, and the monitoring of those rights through continuous monitoring will ultimately help better ensure that corporate data is protected against new threats that routinely impact organizations worldwide.

 

Solving the hardest problems in enterprise data security

Jim Ricotta, CEO, Verdasys • January 23, 2012

Verdasys believes global enterprises will most probably face the following data security challenges in 2012, listed in the order of most difficulty to manage:
  1. Targeted cyber attacks
  2. Insider threats
  3. Intellectual property containment

As this list refers to data threats with a proven potential to severely impact a business's bottom line if left unaddressed, the relatively benign “threat” of failing a compliance audit did not make the cut.

These potentially existential threats are not only prioritized by how hard they are to solve, but are also in order of their urgency to be solved. This is based on the “top down” theory of data security that says the most difficult threat requires a solution that will, by definition, mitigate all other risks of lesser complexity. For instance, to prevent insider threats one must have found a practical solution for auditing and controlling enterprise uses of intellectual property (presuming that is the primary data target of a malicious insider). Likewise, to protect intellectual property, one must have found a practical solution to audit and control all data types, and so on. A “bottom up” model does little good if it requires implementing layers of disparate technology to solve progressively harder problems, as this simply incurs greater costs without making you any safer.

If you agree with the logic of top-down defense, then you must defeat the apex predator of corporate data. In 2012, this is undoubtedly targeted cyber threats – aka the advanced persistent threat (APT).

It used to be that stopping a malicious insider from stealing trade secrets was the hardest data security challenge to solve, but APT trumps that threat by being, in effect, an invisible malicious insider. So, if you haven't found a way to identify and track how IP is used, then you wouldn't be able to monitor or enforce how a trusted employee uses that IP, which means you wouldn't be able to detect when a trusted “user” account controlled by APT is stealing it, and so on.

What are APT threats and why are they so dangerous to companies? To start, if your organization has intellectual property (IP) that can be exploited by a global competitor, there's a good chance a purpose-built APT mission to steal it is already under way. Perpetrators of APT attacks are hackers and programmers with world-class skills that are backed by “investors” with essentially unlimited resources (i.e., nation-states) which will not stop until they gain an economic or political edge with your proprietary data.

But what makes APT so challenging to solve is that a successful attack requires it to operate freely within a network indefinitely, so it must be highly customized (at great expense) to be undetectable by typical signature-based security technologies. Unfortunately, this means that virtually all traditional signature-based anti-virus and firewall products, along with most web/email security, intrusion prevention and disk encryption technologies that companies have implemented over the last 20 years are effectively useless to stop an APT attack. Companies targeted by APT will need to upgrade their defense strategy to include multiple, integrated layers of extremely sensitive anomaly detection and mitigation.

How do you stop an APT attack? First, you must be able to continuously track any intellectual property over its entire lifecycle. This means tagging files in such a way that the tag cannot be tampered with or lost, no matter how the content may be manipulated, shared or transformed. Then, you must be able to identify your privileged users and categorize them by their right to handle data of a given sensitivity (e.g., IT administrator). This means having a policy management system enforced independently of a user's other network privileges. Next, your data protection technology must be able to recognize IP by policy, and control it based on each user's data handling privileges.

At that point, you can be assured of mitigating two key APT risks, even if the attack has not been previously detected. The first one ensures that tagged IP will remain protected if APT attempts to access it with a hijacked account (regardless of system privileges) with insufficient data usage rights. The second is that even IP accessed by an account with sufficient rights could still be contained by policy (e.g., encryption or blocking) if an attempt is made to export the data to an unauthorized destination. In either case, a reporting system which continuously audits all user account activities allows you to know exactly when and how anyone – or anything – attempts to handle IP, and could be an effective tripwire if your network has been compromised.
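The three steps above (a tamper-evident tag, data-handling rights separate from system privileges, and a policy decision on every export) can be shown end to end in a small policy engine. What follows is an added example written for this page; it is not Verdasys code and does not describe how their product works. Everything in it is constructed: the sensitivity levels, the two users, the destination policy, the document IDs and the key. The tag is an HMAC over a stable document ID and its classification, keyed by a secret that is assumed to live only on the policy server, so a hijacked account with root on the endpoint cannot forge a downgrade; keeping the tag attached as the content is copied or transformed is assumed to be the job of an endpoint agent and is not shown here.

```python
import hashlib
import hmac
import json

# Assumed to be held by the policy server only; never present on endpoints,
# otherwise a root-level hijacked account could forge tags. Constructed value.
POLICY_KEY = b"constructed-demo-key-do-not-use"

# Constructed sensitivity levels, lowest to highest.
LEVELS = ["public", "internal", "confidential", "trade-secret"]


def tag_document(doc_id, classification):
    """Bind a classification to a stable document ID with an HMAC so the tag
    cannot be quietly edited down to a lower level."""
    if classification not in LEVELS:
        raise ValueError(f"unknown classification {classification!r}")
    msg = f"{doc_id}|{classification}".encode()
    return {"doc_id": doc_id, "classification": classification,
            "mac": hmac.new(POLICY_KEY, msg, hashlib.sha256).hexdigest()}


def verify_tag(tag):
    msg = f"{tag['doc_id']}|{tag['classification']}".encode()
    expected = hmac.new(POLICY_KEY, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag["mac"])


# Constructed users. 'system_role' is what the operating system grants;
# 'data_clearance' is the separate data-handling right. The IT admin is root
# on every box but cleared only for internal data.
USERS = {
    "it-admin": {"system_role": "root",     "data_clearance": "internal"},
    "engineer": {"system_role": "standard", "data_clearance": "trade-secret"},
}

# Constructed destination policy: where each level may travel in the clear.
ALLOWED_DESTINATIONS = {
    "public":       {"*"},
    "internal":     {"corp-fileshare", "corp-mail"},
    "confidential": {"corp-fileshare"},
    "trade-secret": {"engineering-vault"},
}

AUDIT = []  # every decision, permitted or not, is recorded: this is the tripwire


def _audit(user, tag, destination, decision, reason):
    AUDIT.append({"user": user, "system_role": USERS[user]["system_role"],
                  "doc_id": tag["doc_id"], "level": tag["classification"],
                  "destination": destination, "decision": decision, "reason": reason})
    return decision


def decide(user, tag, destination):
    """Return 'allow', 'encrypt' or 'block' for an export attempt, and audit it."""
    if not verify_tag(tag):
        return _audit(user, tag, destination, "block", "tag failed verification")
    level = tag["classification"]
    clearance = USERS[user]["data_clearance"]
    if LEVELS.index(clearance) < LEVELS.index(level):
        # System privilege is irrelevant here; only the data-handling right counts.
        return _audit(user, tag, destination, "block", "insufficient data clearance")
    allowed = ALLOWED_DESTINATIONS[level]
    if "*" in allowed or destination in allowed:
        return _audit(user, tag, destination, "allow", "destination permitted")
    # Sufficient rights but an out-of-policy destination: contain rather than leak in the clear.
    return _audit(user, tag, destination, "encrypt", "destination outside policy")


if __name__ == "__main__":
    design = tag_document("DOC-4471", "trade-secret")
    print(decide("it-admin", design, "engineering-vault"))  # block: root, but not cleared
    print(decide("engineer", design, "engineering-vault"))  # allow
    print(decide("engineer", design, "usb-removable"))      # encrypt: right user, wrong place
    tampered = dict(design, classification="public")        # hijacked account edits the label
    print(decide("it-admin", tampered, "webmail"))          # block: MAC no longer matches
    print(json.dumps(AUDIT, indent=1))
```

The two outcomes the paragraph above describes both fall out of `decide`: the root-level account is refused because its data clearance, not its system role, is what is checked, and the cleared engineer is allowed to the vault but forced to encryption on a removable drive. The tampered tag is the case worth noticing: the attacker kept the old MAC and changed only the label, and the mismatch both blocks the export and leaves an audit record naming the account that tried it.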

Finally, you must be able to merge enterprise anomaly detection on workstations, servers and network traffic using policy rules created to identify specific and subtle APT tactics. This trove of enterprise event telemetry should ideally feed into an integrated policy management/data mining system that can sift through legitimate “noise” to isolate and manage multiple anomalous or threatening events (either connected or separate) simultaneously. The key to an APT security strategy is that you only need to stop one stage of an APT attack to thwart the entire mission. If a particular security layer fails to detect something, you'll still be OK as long as another layer sees it.

Nobody said tackling these issues was going to be easy, but the threats are only getting worse (search “cyber attack” to see why). The good news is that the technical pieces exist from which to create a security mesh woven tightly enough to trap APT before it can complete its mission, and thus also solve insider threats and IP protection challenges without affecting the business process. Will the best defense be 100 percent effective? No, but it prevents you from being a constant victim. Besides, it is 100 percent certain that doing nothing will cause one or more of these security challenges to inflict serious – maybe permanent – harm to your business.
