Contrary thinking on content security
There are network-based attacks, which have been high-profile and widespread in recent years, as well as vulnerability-based exploits hoping to take advantage of the perpetually reactive nature of patch management (though most would point out that this window is gradually slimming over time due to improvements to both vendor solutions and business processes). IT infrastructure ultimately serves to store, transport and securely manage content. Far too often, organizations focus on content management in precisely this order – first figuring out how to store data, then figuring out how it may move over the network to users, and finally taking a stab at security.
Any point at which this content is accessible should be considered a risk and should be noted when planning out a holistic security risk management strategy. Content threats can manifest themselves in a wide variety of ways – through generic malware floating around on web sites or targeted malware or ransomware intended to achieve a specific response from the unfortunate recipient. These days, most content threats propagate over the combination of websites that host malicious content and email messages that contain links or even malcode themselves.
In actuality, the above content threats are really focused around incoming threats. We often speak of the age-old paradigm of “keeping the bad things out.” Countless vendors, products and services have spent the better part of the last two decades solving that issue, initially with the onset and growth of the signature anti-virus market and the growth of firewalls and network gateways to keep unauthorized traffic out. In recent years, this has evolved further into network intrusion detection systems (IDS) and intrusion prevention systems (IPS), unified threat management (UTM) firewalls (which strive to combine multiple gateway protection functions), as well as other point solutions including email security, web filtering and solutions for other highly targeted areas. Many of these markets are highly commoditized and very mature, in other words, vendors have been active in mitigating these point threats for a long time, and many have a very good handle on how to counterbalance IT business risk.
The more recent shift in security risk management focuses on not just keeping on top of vulnerabilities, patches and inbound risks, but also being sure to "keep the good things in.” Everyone has heard about all the high-profile information breaches in both the public and private sectors. The last two years have seen a strong push in application security, network access control and data leakage detection and prevention. All of these technologies share a common theme – understanding that content originates at an endpoint and making sure that the flow of that content is both understood and regulated by acceptable business practices. The endpoint should be afforded the same attention that the perimeter of the network has traditionally received, and security practitioners should require both products and processes to effectively manage and control risk to these endpoint systems, however difficult it may appear to both achieve manageability and scalability in securing these critical endpoint systems and their content.
Stating that content-based threats are targeted ultimately at endpoints, and that content leaks originate at endpoint systems, certainly does not negate the need for a wide variety of products, services and countermeasures to be employed in any security infrastructure at any given time. What this does mean is that organizations need to inverse their traditional thinking of “keeping the bad things out” to be sure they are equally concerned with “keeping the good things in.” This should be done through employing multiple layers of protection. All of these security solutions should be tuned in a way that minimizes the exposure of critical content, and one could argue that these multiple layers are vital in the battle to secure critical data.
Thinking in specifics, IDS and IPS solutions should include signatures that are backed by world-class security research from a trusted source, and not obtained through dubious or unproven methods. Email security solutions should include comprehensive and granular content filtering, to help prevent confidential or inappropriate content from leaving the network through this channel. Firewall and UTM policies should be tracked and managed so network data flow can be tracked and understood. Ultimately, any solutions that inspect and protect an organization's content should be implemented and judged both upon the merit of their understanding of business risk as well as their understanding of security risks.
- Brian Reed, product manager for content security, IBM Internet Security Systems