by Chris Cubbage, Executive Editor, Asia Pacific Security Magazine
Over 100 information security professionals gathered in Perth, Western Australia last week to ponder how best to manage security during a period of rapid technology change and the emergence of connectivity, mobility and data sharing. The ever-evolving world of IT has meant enterprises need to rethink their corporate boundaries. Enterprise information perimeters have been expanded and in many cases eroded completely with the advent of BYOD (bring your own devices).
For NASDAQ-listed Cisco, with net sales of US$46 billion in 2012, the concept of solutions being driven to address specific customer challenges has been in place since its inception in 1984. Glen Welby, Manager Cisco Security ANZ (Australia and New Zealand), shared with APSM, “One of the clear trends is the integration of enterprise and personal use between what you do privately and what you do at work – it’s now not where you are, it’s what you do. Young people think that connectivity to the web is as fundamental to life as water and oxygen – the way they function in their lives is trending to being constantly online and this is going to have a major impact on influencing how enterprises are functioning and likely to function in the future.
Systems are now mixing between traffic types, corporate data, social media, location and accessing the corporate network and via different devices. The nature of context is increasingly important in terms of providing security – it’s become much more a business enabler because it has to be. Security to a far greater degree maintains a patency of information.
But the nature of security, and IT security, necessarily brings a set of human behaviours and risk management strategies which are not new – it’s been constant over time and the way we’ve mitigated risk over time has been constant – what has changed is the volume of information and the accessibility of information. We just need to be more dynamic in the way we handle information and its value, and we need to focus on securing that information which has value.
We have to learn how to adapt to the environment – the volume of traffic on the internet is growing 10-fold every 3 years – it used to be travelling 30 miles an hour in a car was considered highly dangerous but now we travel far faster daily without a second thought. People with malevolent intent will always find new ways to access the nature of change for new opportunity. We need to collaborate and work better between vendors and end users, with vendors becoming trusted advisors and educators. We have a broader view of things including between different enterprises and from different countries – we need to continually get better at creating a set of trust partnerships and replicate a benevolent community in the same way a malevolent community works together. You’ll never prevent threat and the risk is always going to be present – but you can mitigate the risk by using best practice – security is never going to be static and it’s in a constant state of change.”
Listed on the Tokyo Stock Exchange, Trend Micro offers hosted email, mobile security, virtualisation and cloud security, with a range of other enterprise security products on a pay-as-you-use monthly basis. According to Sanjay Mehta, Trend Micro’s Managing Director for ANZ, there are clearly three major trends shaping the IT industry, “What we term the ‘3 C’s’, Consumerisation, Cloud, and Cyber-threats. The problem is that if you don’t have your information classified by sensitivity and criticality then how are you governing what you should protect and what you don’t protect? The advent of mobile devices such as iPhones and others means that data might be resident on that device, might be accessed by a cloud service from that device, but we still need to know where that data is. Whether it is in motion, where it’s living, how it’s transferring between cloud to cloud and how it’s protected. The initial knee-jerk reaction was to try and control the device but when customers actually think about the problem, they realise they’ve gone from a PC, to a laptop, to an iPad or Android device. At the end of the day, they’re all end points. The fundamental problem is still the exact same thing, protecting the data.”
F5 Networks specialises in Application Delivery Networking (ADN) and partners with Microsoft, Oracle, and SAP to design, deploy, and securely manage integrated, application-specific network infrastructures. According to Adrian Noblett, Asia Pacific Solutions Architect for F5, some of the leading-edge and cutting-edge technologies and the larger, multifaceted, flood-type attacks are causing the traditional firewall approaches and regular security devices to fall over due to the volumes. “Attackers are using that scale of attack to mask what they’re doing – they’re trying to find key application vulnerabilities to gain entry – it also comes down to what the attacker’s motivation is. It is important that the security approach not have blinkers on – these are multifaceted and multilayered threats.
Trends in IT with BYOD and consumerism of IT are ultimately starting to see the evaporation of the enterprise perimeter. Data now is the commodity and it has value – IT builds infrastructure to house data and deliver that data to the end user – at the end of the day there are only two elements – the data and the end user – the elements in the middle are all about delivery, integrity and reliability. It’s about building a platform to ensure how the consumer accesses the data and from where.
In some instances security can be ahead of the game but in other cases we won’t – it’s always going to be a cat and mouse game. Security needs to use a flexible tool set that covers the entire OSI (Open Systems Interconnection) stack from the physical and virtual environments, as well as through to the network, application and packet layers. This also now involves third party cloud providers.
Is technology moving too fast? I think there already are catastrophic vulnerabilities in many systems and it comes down to the capabilities of the IT groups to defend those systems – there are many systems that have succumbed to data leakage and major breaches – currently all the US banks are continually subject to DDoS (distributed denial of service) attacks and some are better at responding than others. It’s how we identify and mitigate. There is never going to be a day when there is not a vulnerability in a system – you need to have technology, people and process to respond and mitigate.
A lot of the vulnerabilities we see is that they’re mainly all the same type of thing, while there are thousands of malware being created they all ultimately use the same techniques to gain access – where they gain access is often the thing that changes all the time.”
Chris Wood, Sourcefire’s Regional Director for ANZ, understands that security vendors cannot come out and say they can fix everything. “People are finally realising there is no silver bullet. In a physical security sense there is no one barrier and likewise in IT security – but like in the physical world, now security is helped with visibility of the IT environment. How do you know when you’ve been compromised? How do you know what has been compromised? How do you know the impact of what’s been compromised? Sourcefire has been able to give continual information about what’s happening across the network, who’s doing what and when are they doing it. Visibility must relate to the network levels and at the end points, for a real time view point, as well as a historical view point. This then provides the information for an enterprise to select across a tool set about how it can go about defending and responding to cyber incidents.
As systems become more critical and interdependent, there is an educational aspect that needs to be enhanced. Education in terms of conferences like those held by the Australian Information Security Association (AISA). Industry and security professionals telling each other how they’re working and how they’re getting better. How they’re achieving success in raising the security competencies and standards. This should then feed into the greater community at large.
Shellie Meagher, Enterprise Territory Manager for Websense, a NASDAQ-listed company best known for its TRITON content security solutions, confirmed the importance of visibility. “Spear phishing is certainly one of the key trends right now. Criminals are resourcing themselves to make targeted attacks and they’re getting through the door. Websense is investing in helping our customers look at their cultural awareness around security and knowing more about even simple things, like not picking up an unknown USB stick or accidental information misuse. We’ve had cases where the Websense system identified malicious code on a page and quarantined it. Even though the system alerted the staff member, they still clicked on the link and the Websense live monitoring again quarantined the page. In the end the staff member, intent on getting through to the link, sent the email to their home PC and naturally got attacked – they then expected the workplace to help them fix their home PC – so despite the best systems, like Websense, there is still education and awareness needed for staff, and more so now with mobile devices.”
According to the AISA Perth Branch Executive, Steve Simpson, an IT security specialist with Amcom, “The last twelve months has seen our strongest year in memberships and the number of security professionals collaborating and sharing means the industry is in great shape. We’re set to grow sharply again in the coming years. Security is clearly a business enabler and less so seen as a cost centre for enterprises in a digital age.”
The takeaways from AISA’s Perth conference were clear. The critical challenges facing enterprises and end users include continued consumerisation (of IT), which has seen a shift in ‘end user’ demands at work that reflects their increasingly mobile, social and collaborative lifestyles at home. This trend is facilitated by an increased use of cloud and virtualisation that is making it more challenging for security providers to protect servers, applications and data. With this challenge comes an increase in targeted attacks and advanced persistent threats (APTs) that are more social, sophisticated and stealthy than ever.
As headlines continue to lead with DDoS attacks, the reality is organisations are being compromised by sophisticated attacks which blend techniques with automated tools to cause delay or disruption to web-application services. With each news story, IT executives need to continue to ask: Are we prepared?