Businesses must shore up security processes
ArcSight CTO says companies must implement five key processes to ensure tighter security
Businesses across the world are facing an ever-increasing battle to keep their IT systems from being broken into by cyber-criminals and, according to Dr Prescott B Winter, CTO Public Sector for cybersecurity and compliance company ArcSight, no enterprise can ever be fully secure from cyber-attacks, particularly when human error is thrown into the information security mix.
"Nobody is ever going to be 100% secure in this domain, especially if you want to be open, exchange information with customers, do all the things that every company and government enterprise around the world is trying to do. Human error is inevitably part of the picture; that is why you have to be so diligent, you have to go back to inspecting to identify the departures from policy rather than just expecting people to do it right," Winter told ITP.net.
Winter identified five key processes that must be undertaken by corporations to render their security systems almost watertight.
The first of the key processes is understanding what the principal business risk issues are and why the enterprise exists.
Corporate security decision makers must know what information assets are most important for that mission, whether it is in a business sense, to sell goods and services, or whether it is in a government sense to execute some kind of government mission as a service.
"So the first question is to get the business risk management issues out on the table and to identify those and identify what has to be protected," said Winter.
The second key security process is to have a reasonably good understanding of the current attack structures and the nature of the threats so businesses can understand how that set of attack vectors is likely to manifest itself when going after key business assets.
The third key point is that companies must have the right security sensors and instrumentation in the network to detect attack vectors.
"As these attack vectors come in, can I actually see them? Can I see them reliably and confidently and be virtually assured of picking them up when they come inside? These attacks do take time, they are not instantaneous, and it takes a long time to introduce this stuff, to get it properly deployed. In most cases you have weeks to months to stop it," said Winter.
The fourth key process, which Winter regards as absolutely essential, is to correlate all the security information from across the business or enterprise and build a holistic picture of the security landscape within the corporation.
"As I see it, that is the most important thing after you get your business risk management issues straightened out. How do you actually see what is happening? You cannot protect what you can't see, and the only way to see it is to bring it all together, all this tremendous welter of information, millions of logs a day. Bring it into a coherent picture," said Winter.
The fifth process essential to securing any business or corporation is quick response and remediation of any security issues that may arise.
"This is where you begin to merge your security operation centre and your network operation centre, which gives you an ideal insight into configurations and status and operation of your IT and, from your security operation centre side, information on what is attacking all those systems and what is a priority and how you have to fix it," said Winter.
Only a very small number of enterprises, in the single digits in terms of percentage, have implemented these vital security steps, according to ArcSight.
Winter said that sharing information about threats or attacks between companies is essential to help create a shared knowledge and understanding of potential and actual cyber-threats.
"Last fall there was a break-in at three of the big New York banks and it was essentially the same kind of attack, and on a little bit of inspection it turned out that a fourth bank had seen an earlier version of that same attack. Not quite as well developed, not quite as powerful, not quite as effective. The first bank had managed to get it stopped before it caused any serious damage, but nobody in the other three banks heard about this, so when they got hit by a better version of the attack about three weeks later, it succeeded on all three of them and did a lot of damage," said Winter.
This is a very clear example of what such a threat exchange process would help to deal with. Winter said that the information shared between companies should not be operational information or any sensitive proprietary information, but useful information about the attacks, such as the approaches the attackers use and the way the sensors have picked up the data.
Winter said that he cannot answer whether corporations and governments are in a cyber-war against cyber-criminals stealing data, but that information has become a highly valuable commodity.
"I think what is important here is that information is now a commodity that really determines the fate of enterprises and the fate of nations. We talk about war and disease and so forth, there is an awful lot happening that determines the rise and fall of organisations of all kinds. It is the loss of information of all these different types: financial data, sensitive government and strategic data, national sovereignty data of various kinds, intellectual property data, that is really damaging things," Winter said.
Enterprises have to be able to pursue the missions of their organisation, whether they are companies or government agencies, and protect their sensitive data from outside attack.
"It is the stuff that we know that your adversary does not know you have: your ability to enter a market that he is not prepared to go to yet, the ability of a military commander to exercise strategic surprise. All of that is gone if the information that sustains that advantage is compromised, and so we are clearly under sustained assault by adversaries," said Winter. "The clock is ticking and it is up to us in the security industry to deal with this."