Getting ahead on security [ITP.net (United Arab Emirates)]
(ITP.net (United Arab Emirates) Via Acquire Media NewsEdge) Online security threats continue to make international headlines and even the most secure companies can be at risk. Keeping 'safe' has never been more problematic, although firms that start by getting the basics right stand the best chance of retaining their security.
This entails establishing, maintaining and enforcing a suitable security policy and equipping IT staff with the necessary tools. Companies should also look at what the best secured organisations are doing and learn from the strengths – and weaknesses – of others in order to make themselves a little more secure against the latest security hazards.
"Successful organisations recognise where they have their strengths," begins Sebastien Pavie, regional sales director, MEA, SafeNet. "If their primary business is not delivering security, they should recognise that giving those controls to another organisation is essential, rather than being satisfied by a minimal standard. There's no such thing as perfect security, but it's becoming a business imperative that organisations move beyond minimal protections," he highlights.
Experts agree that the most secure organisations have broken down their security strategy into four key areas: auditing, preventing, detecting and continuous monitoring. The key is to be proactive rather than reactive. However, for the majority of companies there's still a lot of work to be done — and a lot of security 'holes' still to be filled.
"I don't get to see what the best are doing; however what I can say is that detection and response times are abysmal right now and they are only getting worse," warns Paul Wright, Technical Director of Cybercrime Consulting, Foundstone Services EMEA, McAfee. "The information security industry is largely comprised of niche tools, each focusing on one small aspect of detection or incident response. In addition, traditional focus for organisations has been on prevention and alerting, and given the fact that well over half of security incidents aren't discovered until months later, it's obvious that our focus needs to shift."
"Traditional security methods such as next generation firewalls and reactive security measures are losing the fight against new breeds of attacks. Today's security strategies need to cover all devices, applications and networks accessed by employees. Security is now less about the supporting network infrastructure and increasingly about the protection of the application, enforcement of encryption and the protection of user identity," continues Diego Arrabal, VP, Southern Europe and Middle East, F5 Networks.
"This means organisations need security strategies that are flexible and comprehensive, with the ability to combine DNS security and DDoS protection, network firewall, access management, and application security with intelligent traffic management."
So are there security technologies that are currently being overlooked or under-used? The vendors very much believe so.
"There are two classes of security technologies where I believe enterprises need to increase their investment," notes Zulfikar Ramzan, CTO of Elastica. "One area relates to enterprise usage of third-party cloud applications and services. As organisations migrate towards greater adoption of services like Box, Google Applications, Office 365, Salesforce, Workday etc, they lose tremendous visibility. Since security is predicated on visibility, these organisations do not have as much of a handle on the cyber risks they face. Technologies that provide visibility and controls for third party SaaS applications are paramount.
"The other area where there has been under investment relates to continuous monitoring, especially as it relates to incident response. The reality is that no matter what defences you put in place, attackers will inevitably breach them. As such, it becomes all the more critical to be able to go back and assess what happened. While these devices do not prevent threats, they make it significantly easier to investigate what happened after the fact. This information can help you understand the ramifications and potentially the root cause - and then this information can be folded back into your overall security strategy."
So we know what solutions are available currently, but how will things change in the future and what security technologies and strategies will we be talking about in a few years' time?
According to Nicolai Solling, Director of Technology Services at Help AG, we will begin to move towards the zero-trust model, where we will stop trusting anyone and, by default, inspect all business traffic flow.
"It may sound difficult to achieve this level of full visibility but luckily the technology necessary to enable this is available today," he says. "Zero trust will also be seen in how we deal with threats. We will begin to look at the behaviour instead of trusting. An example could be how we deal with malware and viruses. We will see the vendors moving from signatures and trusted processes to always looking at how these processes and files impact our systems."
The rise in the Internet of Things (IoT) could also trigger a change in the security sector. Along with the conveniences of the IoT will come new security challenges in the form of data privacy, safety, governance and trust.
"As technology becomes more entwined with the physical world, the consequences of security failures escalate. We could see more security solutions designed to protect IoT," notes Ravi Patil, Technical Director, MMEA, Trend Micro.
"It's important to know that looking forward the mix of people, processes and tools will all still have an important role in the management of security. I think all three will continue to be central to an effective defence, just as they are at the moment. That's not to say that businesses always get the balance right now," notes David Emm, Senior Regional Researcher, UK, Global Research and Analysis Team, Kaspersky Lab.
"In particular, many businesses overlook the human aspect of security, or don't engage effectively with staff. Given that many of today's attacks – however sophisticated the malware used – start by 'hacking the human', a failure to do this leaves a company exposed to attack. Often companies have a well-designed policy document, and require staff to sign it, but don't follow up after an employee's induction period. Or they fail to tune in to the fact that people have different 'hooks' — some learn through the written word, others through verbal communication, others through visual imagery, etc."
VP and Gartner Fellow Tom Scholtz agrees that all three play a role, but the balance does depend on the solution used.
"Successful security programs will still depend on an appropriate mix of people, process and technology. The nature of the security controls will dictate the balance, e.g., end-point malware is highly automated (technology), while context-based SIEM requires much more investment in ongoing customisation and response capabilities (people and process)," he highlights.
The experts also agree that more companies should consider appointing a chief security officer (CSO or CISO).
"A CISO is required for any mature business to build and maintain an information security program, support defensibility in regulatory actions and balance the need to protect the business against the need to operate the business. As a guideline, an organisation with 150 or more IT employees should have a dedicated information security officer position," says Scholtz.
"Broadly speaking, the relationship between the CISO and the CIO/IT has two dimensions. Firstly, the CISO acts as an advisor to the CIO/IT to help them make the best risk-based security decisions. But the CISO also has an assurance function, meaning that the role will monitor and assess the effectiveness of security controls in the IT domain," he explains.
"I think one of the key things that has led many companies to develop the role of the CISO is a recognition that the IT department needs to engage more effectively with senior management," Emm continues. "In a nutshell, the board is looking at the bottom line, while the IT department sees the detail of security in general and cyber-security in particular. Unless there's someone in the organisation capable of understanding risks and articulating this in terms understandable to the board, the disconnect will continue. However, the CISO can only be effective if the CISO has visibility at board level."
However, Florian Malecki, International Product Marketing Director, Dell - Network Security, highlights that a CISO isn't necessary for every type of business.
"Companies need to invest as much in human resources as they do in technology. In some cases, as in the SMB segment, where cost is a factor, a CISO type role is not necessary and here partners must consider best practices for protecting their smaller clients. It is worth noting that IT security partners have an important role to play to ensure that their systems and data are protected. Without a proper IT security strategy, the business can't move forward," he says.
(c) 2014 ITP Business Publishing Ltd. All Rights Reserved. Provided by SyndiGate Media Inc. (Syndigate.info).