Eric Litt, chief information security officer at General Motors Corp., calls it "management by inclusion." Simply put, it's an information security strategy that reduces operational risk by denying network access and services to all people and processes not previously vetted by the company. "If I don't know you're good, I don't talk to you," Litt says. Litt is one of a growing number of security managers who say traditional reactive defenses -- focused on blocking known threats at the edge of the network perimeter -- are no longer enough. What's needed are more-proactive security capabilities that emphasize quicker identification and resolution of both internal and external threats.
"You just cannot sit back any longer and wait for your LAN to go down or for your employees to complain," says Ed Amoroso, CISO at AT&T Corp. "You need to be looking at things before they become a problem."
Several factors are driving this trend toward more-strategic security operations. Laws such as the Sarbanes-Oxley Act have put a greater burden on companies to demonstrate due diligence on matters related to information security. Worms, viruses, spyware and other types of malicious code are getting a lot better at sneaking past firewalls, antivirus defenses and intrusion-detection mechanisms. And growing wireless use, remote workers and the trend toward Web services are giving hackers more avenues for launching attacks.
Another important fact: The time it takes for hackers to exploit software holes has been shrinking dramatically, giving users very little time to react to new threats. The SQL Slammer worm of 2003 took eight months to appear after the flaw it exploited was first publicized. In contrast, last year's MyDoom worm started making the rounds in less than four weeks.
"It's getting so nasty out there, it's frightening," Amoroso says.
To achieve its goal of more-proactive security, GM launched a sweeping overhaul of its processes, including the manner in which it authenticates users and systems, enforces security policies, controls access to network services, patches holes, spots intruders and responds to incidents.
It's a mighty task for a US$186 billion behemoth with global operations, thousands of partners and tens of thousands of users. But it's essential in order for GM to stay one step ahead of the bad guys, Litt says.
"We are in a competitive stalemate with the creators of malware," Litt says. "What we are trying to do is gain back the advantage."
Lane Timmons, security systems analyst at Texas Tech University's medical school in Lubbock, says a key to this is a better understanding of how your company's networks behave normally so you can spot abnormal activity more quickly.
After getting hammered by worms and viruses over the past few years, the school deployed several tools to help it spot and squelch attacks more quickly than the "hundreds of man-years of effort" that it used to take, Timmons says.
Among those tools is the network behavior modeling product QRadar from Q1 Labs Inc. in Waltham, Mass. The software analyzes and models typical network activity over a set period of time and then uses that data as a baseline to identify abnormal activity that might suggest the presence of worms, Trojans, port scans or denial-of-service attacks.
Such behavior modeling has dramatically improved the university's ability to detect and respond to both internal and external intrusions, Timmons says. "Our ability to do a real-time analysis of our networks has made a big difference," he says.
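A small illustration of the baselining approach described above, added here as an example and not code from Q1 Labs or Texas Tech: it learns per-host norms from constructed flow records over several intervals, then flags hosts whose distinct-port or distinct-source counts in a new interval exceed the learned mean by a multiple of the standard deviation (with a floor so a perfectly stable baseline does not alert on one extra connection). The record layout, addresses and thresholds are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed NetFlow-style records: (interval, src, dst, dst_port).
# Seven quiet baseline intervals of normal web and SSH traffic (sample data).
BASELINE = [(i, "10.0.0.5", "10.0.1.20", p) for i in range(1, 8) for p in (80, 443)]
BASELINE += [(i, "10.0.0.6", "10.0.1.20", 443) for i in range(1, 8)]
BASELINE += [(i, "10.0.0.7", "10.0.1.21", 22) for i in range(1, 8)]
# Interval 8 (constructed): 10.0.0.6 touches 40 ports on one host (scan-like)
# and 30 new hosts open connections to 10.0.1.20 (flood-like).
OBSERVED = [(8, "10.0.0.6", "10.0.1.21", p) for p in range(1, 41)]
OBSERVED += [(8, "10.0.0.5", "10.0.1.20", 80)]
OBSERVED += [(8, f"10.0.2.{n}", "10.0.1.20", 80) for n in range(1, 31)]

def per_interval(records, key, value):
    """Number of distinct `value`s seen for each `key`, per interval."""
    seen = defaultdict(set)
    for rec in records:
        seen[(rec[0], key(rec))].add(value(rec))
    counts = defaultdict(dict)
    for (interval, k), vals in seen.items():
        counts[k][interval] = len(vals)
    return counts

def baseline_stats(counts, intervals):
    """Mean and population std-dev per key; intervals with no traffic count as 0."""
    return {k: (mean(s), pstdev(s))
            for k, by_int in counts.items()
            for s in [[by_int.get(i, 0) for i in intervals]]}

def anomalies(baseline, observed, key, value, sigmas=3.0, floor=5):
    """Keys whose observed count exceeds mean + sigmas*std and the absolute floor.
    Keys never seen in the baseline get a (0, 0) profile, so the floor decides."""
    intervals = sorted({r[0] for r in baseline})
    stats = baseline_stats(per_interval(baseline, key, value), intervals)
    flagged = {}
    for k, by_int in per_interval(observed, key, value).items():
        count = max(by_int.values())
        mu, sd = stats.get(k, (0.0, 0.0))
        if count > max(mu + sigmas * sd, floor):
            flagged[k] = count
    return flagged

# Port-scan heuristic: distinct destination ports touched per source host.
scanners = anomalies(BASELINE, OBSERVED, key=lambda r: r[1], value=lambda r: r[3])
# Flood heuristic: distinct source hosts connecting to each destination host.
flooded = anomalies(BASELINE, OBSERVED, key=lambda r: r[2], value=lambda r: r[1])
```

On this data `scanners` is `{"10.0.0.6": 40}` and `flooded` is `{"10.0.1.20": 31}`; the 30 never-seen sources are not themselves flagged as scanners because each touches a single port.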
Integrating and correlating information from multiple security technologies is also crucial to enabling a more holistic view of the threats and vulnerabilities facing a corporate network, says Amoroso.
To this end, AT&T is retiring all of its individual Internet-facing firewalls, intrusion-detection systems and antivirus tools and is integrating the functions into its IP backbone layer. The company has built a massive security event management system, called Aurora, that's capable of pulling in and correlating terabytes of network traffic and security data from the IP layer.
The data analysis allows AT&T to spot trends and signs of impending trouble far better than the fragmented view provided by the individual security technologies, Amoroso says.
"It gives us real actionable data, to respond to threats" before they materialize into full-fledged problems, he says.
Being proactive also means ensuring that security is built into your application software and not bolted on later, says Mary Ann Davidson, CISO at Oracle Corp.
Customers should ask vendors questions about their security practices, Davidson says. Questions should include, "How do you write secure code? Do you train your developers for that? Do you do ethical hacking to test your code? How are you making it easier for your customers to secure your code? What is the best practice for locking down your product?" she says.
What's crucial at GM, says Litt, is "making sure the code we get is really secure out of the box and that the vendors are not making us a testbed for their software." That's because a majority of the security problems companies are facing today are the direct result of software bugs that hackers are exploiting. Litt is working with several influential industry and user groups to pressure vendors to pay more attention to security.
"We are trying to use our combined voices to drive the software industry to think about security in a different way," says Litt, who for years has been including strict security terms and conditions in all of GM's software purchasing contracts.
GM is also applying the same concept to the software it develops in-house. The company has instituted "toll gates" for reviewing security at various stages in the product development life cycle "even before the first line of code is written," Litt says.
In the end, however, there's a limit to just how proactive you can be, says Lloyd Hession, CISO at Radianz Inc., a New York-based provider of telecommunications services to financial companies.
"One of the key issues is that we can't really figure out what the next threat scenario is going to be," he says. "A year ago, for example, nobody was up and jumping over spyware. It's kind of suboptimal to want corporate commitment and resources to be deployed today if you don't know what it is being deployed to really stop."
Instead, the goal should be to better prepare yourself for attacks, Hession says. And that means being able to identify threats early, have a good incident-response and backup process in place and ensure that there is no "skills mismatch" between your security team and the attackers when the attacks do come, he says.
"There is no silver-bullet technology or singular process change" for addressing this problem, Litt says. The goal should be to "social-engineer security into your processes versus putting it in as an afterthought," he says.
Time is of the essence
Advance warning can be useful in preparing and prioritizing defenses, says Lloyd Hession, CISO at New York-based telecommunications provider Radianz. Last May, for example, his company received advance information on a critical protocol vulnerability in its voice-over-IP networks that received little of the broad attention that worms and viruses do but was vital to fix nonetheless, Hession says.
Radianz was notified of the vulnerability by its security intelligence service from Symantec Corp., which it uses to monitor impending threats to its security. Symantec's DeepSight threat management system collects data from firewall and intrusion-detection systems from about 20,000 sensors placed on customer networks around the world and looks for patterns suggesting worm or virus attacks.
Ensuring that all internal and external systems attempting access to a corporate network have the proper security configurations can prevent otherwise secure networks from being compromised by rogue machines. So, too, can timely patching, says Tim Powers, senior network administrator at Southwire Co., a Carrollton, Ga.-based maker of electrical wires and cables.
"This is a game where we used to have a few weeks to prepare. Now, days matter," says Powers, who is using an automated patch management tool from South Jordan, Utah-based LANDesk Software Inc. to test and deploy patches across his network. "It's about doing it better and faster and just lowering the time between getting patches and getting updated."
-- Jaikumar Vijayan
Weapons in the armory
Technology vendors are pitching a variety of tools and approaches to help companies better prepare for attacks. Among them are the following:
Intrusion-prevention systems
These products, evolved from network intrusion-detection systems, help companies block both known and unknown attacks. Most products in this class work by looking for known virus signatures and anomalous network behavior that might indicate the presence of a worm or virus.
-- UnityOne IPS, TippingPoint Technologies Inc., Austin (a division of 3Com Corp.)
What it does: In addition to identifying and blocking threats, the tool supports traffic classification and rate-shaping functions for high-priority applications.
-- Attack Mitigator IPS 5500, Top Layer Networks Inc., Westboro, Mass.
What it does: The ASIC-based hardware appliance is designed to deal with content-based attacks, such as worms and Trojan horses, as well as rate-based attacks, such as distributed denial-of-service attacks.
-- Juniper IDP, Juniper Networks Inc., Sunnyvale, Calif.
What it does: It's a rules-based intrusion-detection and -prevention tool.
-- Proventia, Internet Security Systems Inc., Atlanta
What it does: This appliance has more than 225 built-in rules for detecting and blocking hybrid threats.
Endpoint security products
These ensure that endpoint devices, such as PCs, notebooks and handhelds, have appropriate protections in place, including active firewalls and updated antivirus software and patches, before letting the devices access a corporate network.
-- Cisco Security Agent, Cisco Systems Inc.
What it does: This software combines host intrusion-prevention functions with spyware/adware protection and host firewall and operating system integrity assurance.
-- Check Point Integrity, Zone Labs LLC, San Francisco (a unit of Check Point Software Technologies Ltd.)
What it does: It combines PC firewall technology with central policy management and policy-based enforcement on endpoint devices.
-- Secure Enterprise, Sygate Inc., Fremont, Calif.
What it does: It combines endpoint agent technology with policy management servers, LAN-based enforcement servers and remediation capabilities.
-- CyberGatekeeper, InfoExpress Inc., Mountain View, Calif.
What it does: This product suite combines functions for monitoring and enforcing security policies on local and remotely connected systems.
Security incident/event management technologies
This class of products is used by companies to gather, consolidate and analyze information from multiple point technologies such as firewalls, antivirus products and intrusion-detection systems. The goal is to enable better identification and response to key security incidents. For more on this topic, go to: QuickLink 52131.
-- Security Manager, NetIQ Corp., San Jose
What it does: It consolidates data from across the enterprise network and combines event correlation, visualization, trending and forensics to help companies get a more holistic picture of their security.
-- Enterprise Security Manager, ArcSight Inc., Cupertino, Calif.
What it does: It correlates events and information from multiple devices, including asset value and vulnerability data. It also supports automated investigation and resolution of problems.
-- nFX Open Security Platform, NetForensics Inc., Edison, N.J.
What it does: It supports event normalization, threat visualization, reporting and analytics, policy compliance monitoring and incident resolution management.
-- Computerworld (US)