by: Tony Kontzer
Today’s IT security teams face a constant and evolving barrage of threats that force them to assess their security policies and procedures on an ongoing basis.
Last April, Charles Schwab Co. was hit by its first significant security breach when a distributed denial-of-service (DDoS) attack flooded the investment firm’s network with data, rendering its Websites temporarily inoperable.
“It got the attention of the executives,” recalls Jason Lish, vice president of security technology and operations. “They actually saw the impact, and it was a wakeup call. As a result, there was quite a bit of investment made in areas we otherwise wouldn’t have. And we definitely rethought our security strategy.”
A few months later, the Shellshock security bug swept through nearly 2,000 Web domains, executing arbitrary commands and gaining access to secure systems. That was followed by high-profile breaches at JP Morgan Chase and Morgan Stanley in which hackers made off with large hauls of customer information.
Each time, Lish had to reassure Schwab’s board that the company was adequately protected, even though Schwab faced no immediate threat. “Every time there’s a breach anywhere in our industry, I have to react to it,” Lish says.
Welcome to security in the 21st Century. No longer do companies assess their security postures only after they’re hit by a breach. Now they must do so whenever a breach occurs anywhere. In fact, conventional wisdom now dictates that they should be assessing their security strategies on a continual basis because a damaging breach is probably around the corner, if not right next door.
“Companies should be starting from the premise that they’ve already been compromised,” Eric Hanselman, chief analyst at 451 Research, advised via email. “Waiting for a call from the FBI or Visa is a career-limiting strategy.”
The problem, admits Schwab’s Lish, is that without a specific event to deal with, it can be difficult to know where to start. That’s why he cites prioritization as the company’s most persistent security challenge. He and his team have to balance the demands of federal regulators, customers and company executives, all of who have different concerns.
“We get on the bike, and we’re in first gear,” says Lish. “We’re all peddling, but we’re not getting anywhere fast.”
Proactive, Holistic Security
Jim Routh, chief information security officer at health insurance provider Aetna, says today’s breach-heavy landscape dictates that companies approach security proactively and holistically. For example, during a panel discussion at last year’s RSA Security Conference, he said he wanted to act on internal research that indicated that 70 percent of Aetna’s business processes that accessed social security numbers had no need to do so.
A year later, the company now has a formal program in place to correct that issue. “We’re changing our processes to reduce the attack surface by eliminating the use of social security numbers whenever we can,” Routh says.
And that’s just the tip of the iceberg.
Although Aetna hasn’t been hit by a significant breach since 2009, Routh is leaving no stone unturned in an ongoing effort to make sure that trend continues. His team is looking closer at vendor relationships to reduce the chances of an insider threat; he’s monitoring key-performance indicators across the company’s constantly changing security controls on a daily, weekly and monthly basis; and he’s assigning a daily risk score for the enterprise based on anomalies and patterns the company receives from thousands of internal and external security intelligence sources.
That risk score, Routh says, “helps us allocate resources as the threat landscape evolves.”
And when it comes to the constant threat of phishing attacks—the most common method hackers use to obtain credentialed access to systems—Routh no longer relies on binary controls. Instead, he’s using behavioral analytics to map online behaviors against previous patterns. If the analytics engine identifies potential fraud, it then triggers an interruption to the affected business processes.
Routh says the security philosophies of yesteryear—when the focus was on keeping malicious actors out of the enterprise—have become obsolete. Security today is about round-the-clock fine-tuning.
“There’s a constant reinvestment in controls that fit the landscape,” Routh says. “Ten years ago, policies and control standards didn’t change that much. They were published annually, and there were a few new wrinkles, but they were relatively static. Today we’re introducing new control standards almost every week.”
As a result, Schwab’s Lish adds that the posture has evolved from incident response to gaining a better understanding of the threat landscape. For example, he says his company is watching indicators such as how often it is targeted by threats, whether those campaigns are focused on certain individuals, and from what countries it detects scans originating.
“As part of our threat intelligence capabilities, we’re constantly, taking that information and putting it into our environment so we can monitor, get alerted and take action,” says Lish.
Monitoring Isn’t Enough
However,451 Research’s Hanselman states that monitoring isn’t enough. He says organizations must constantly review their security plans and adds that doing so requires combining expertise and insight with practical preparation—not unlike the importance of practice for professional sports teams.
“A good place to start is with scenario exercises,” Hanselman says. “Put plans in place and, most importantly, practice them so that the organization understands that the plans are there.”
Along those lines, both Schwab and Aetna send out fake phishing emails to see who clicks on malicious links. They then use that information to target their awareness and education efforts.
Routh says Aetna’s users have scored better on such tests than the employees at any company he’s worked for, and yet, “I’m still not convinced that’s enough.”
He’s also taken steps to prevent phishing emails from reaching customers, who can unwittingly trigger breaches by granting hackers access when clicking on malicious links. Aetna authenticates its outbound emails with its Internet service provider, and any email that’s not authenticated is dropped before reaching a customer’s inbox.
The need to go so far in protecting customers—who have grown more savvy than ever about the security of their data—is another layer of complexity piled on the ever-changing world of information security, where nothing less than the health of the business is at stake.
“More and more of our clients are caring about this to the point where they’re saying, ‘Hey, if you don’t do the right thing, I don’t want to do business with you,'” says Schwab’s Lish.
It’s an ominous message that should provide high motivation for companies and their IT security teams to keep their security strategy top of mind and up to date at all times.
About the Author
Powered by Facebook Comments