
Data Security Challenges: Q&A with Jeff Multz

Jeff Multz, Director of North America Midmarket Sales for Dell SecureWorks

Jeff Multz talks about how Dell SecureWorks works with organizations to secure their data.

Q: What are the biggest threats to data security for organizations right now?

A: The biggest threats are organizations themselves, because they aren't doing enough to protect themselves. They often think they're secure, but they're not. Public and private organizations need multiple layers of security. Not only do they need security around their network, but also separate layers of security around their most valuable servers and databases.

Organizations need around-the-clock human monitoring in addition to layers of security, but not enough of them have that. Threat actors are after you 24/7/365. They don't stop when you're sleeping. When organizations aren't watching their networks, hackers can enter sight unseen and leave behind malware. The challenge for many organizations is that these threat actors hide the malware, making it difficult for an IT specialist to find it at a later date when a problem has occurred.

Another issue organizations have is that they often aren't compliant with their industry's IT regulations (PCI DSS, GLBA/FFIEC, HIPAA, etc.), though they think they are. A lot of those organizations think they are secure just because they are compliant, but that's not necessarily true. What is true is this: When a company does all it can to become secure, compliance easily follows. Industries have regulations and minimum standards that organizations must meet to be compliant. What people should focus on is their security. Our qualified security assessors (QSAs) work with organizations to help ensure they're secure while helping with compliance. Organizations are often caught in the crosshairs of advanced persistent threat (APT) adjacencies. APTs are known for targeting countries and businesses. Sometimes attackers target businesses for monetary reasons, and sometimes they attack to harm governments.

We've seen attackers target the lowest lying fruit - small organizations in business with larger organizations that work with or supply the government. These are what we call adjacencies. The other threat I see is from employees. Attackers count on the gullibility of people at organizations. Office personnel of all ranks, usually with good intentions, click on links in emails or links on Web pages that, unbeknownst to them, will download malware.

One of the biggest threats is a company that doesn't have an Intrusion Detection/Prevention system (IDS/IPS). The IDS/IPS is separate from the firewall, which filters and blocks certain addresses and ports. An IDS/IPS detects and examines traffic in greater detail to prevent attacks that would slip past the firewall. For example, it could better detect violations of rules and protocols, packet designs, and distributed denial-of-service (DDoS) attempts.

Q: What are some of the concerns of businesses with regard to data security?

A: The biggest issue we see is that organizations are concerned with achieving and maintaining compliance. For example, any organization that accepts credit cards must be compliant with the Payment Card Industry Data Security Standards (PCI DSS).

Organizations also have the following concerns:

  1. Liability risk: Organizations are concerned that they could be liable if their customer information is compromised by an attacker. A company could also be liable if an attacker were to access information on one of the company's partners via the company's network. Additional scenarios for liability include:
    • Defending the reputation of an organization suspected of or actually having a data breach. Not only must an organization defend its name if there has been a breach, it must also notify those people and organizations at risk of having their information exposed.
    • Qualifying for a cybersecurity insurance policy, because many organizations that haven't sufficiently mitigated risks are denied cyber security insurance coverage.
  2. Direct loss risk: Organizations are at risk of losing their customer database, personal customer information, trade secrets and their own finances. A breach could allow attackers to steal money from the business and its customers.
  3. Reputation risk: Many organizations are concerned about their reputation. If there is a breach, they have to report it and contact customers. That damages their reputation and costs them money needed to respond and notify customers of the attack. Even if an attack only takes down a company's website, in addition to hurting their reputation, it could prevent the company from generating new business as potential customers search for another company to take care of their needs.

Q: What is the industry doing to address these concerns?

A: Unfortunately most of the industry is focused on throwing hardware and software solutions into the mix, but I don't see that as the solution. Things like customer relationship management (CRM) software, enterprise resource planning (ERP) or security information management (SIM) technology alone don't fix the security problem. We need more professionals that know what they're looking at with these tools.

Organizations should still use products, though. They need firewalls, SIM technology, an IDS/IPS, logs, etc. But if people don't know how to use these products as they were intended to be used, they become shelfware because they sit on a shelf doing half a job. We have worked with organizations that had plenty of shelfware and still found malware on their systems. We clean it up and discover that it's not that the products aren't working correctly; it's that people aren't using the products properly.

People in charge of the products can't properly regulate and maintain them, because they don't have the resources to monitor their systems 24/7. Organizations need experienced professionals who can watch these products around the clock, make decisions about false positives, respond to security-relevant issues and update technologies when they issue false alarms. The problem is that there are few experienced security professionals with the expertise to know the difference between security events and noise, so these people tend to ignore a lot of important things.

Q: What are some preventative steps organizations can take to avoid data security incidents?

A: First, educate your employees. Teach them about getting confirmation from a sender before opening attachments and photos. If they don't know the sender personally, they should be suspicious when opening links and attachments.

Secondly, implement intrusion prevention as a layer of protection separate from the firewall.

Finally, employ professionals to conduct 24x7x365 log monitoring. Most organizations keep logs of the activity on their network, but they are not monitored as they should be. These rather cryptic logs keep a record of all activity on a company's network, but they're merely a string of characters that need to be interpreted at a higher level. Once interpreted, the individual logs might not always be of great concern. For instance, a log might indicate that a single computer has remotely connected to a client's network, which on its own is not very interesting. However, if we aggregate multiple related logs, we can see a bigger picture. For instance, if multiple connections can be observed on multiple ports on a client's network, it could indicate that a possible reconnaissance is taking place. This behavior can probably be described as an alarm or a red-flag. It's not always the logs themselves that raise an alarm. Extrapolation and higher-level interpretation of these logs can set off an alarm.
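The log-correlation idea in the answer above (one remote connection is uninteresting, but many connections to many ports from one source in a short time is a reconnaissance red flag) can be shown concretely. The following is an added example, not code from Dell SecureWorks or from the interview; the log line format, the sample addresses and the thresholds (5 distinct ports within 5 minutes) are all assumptions constructed for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed firewall-style format (not real traffic).
SAMPLE_LOGS = [
    "2013-01-15T02:14:01 src=203.0.113.7 dst=192.0.2.10 dport=21 action=deny",
    "2013-01-15T02:14:02 src=203.0.113.7 dst=192.0.2.10 dport=22 action=deny",
    "2013-01-15T02:14:02 src=203.0.113.7 dst=192.0.2.10 dport=23 action=deny",
    "2013-01-15T02:14:03 src=203.0.113.7 dst=192.0.2.10 dport=25 action=deny",
    "2013-01-15T02:14:04 src=203.0.113.7 dst=192.0.2.10 dport=80 action=allow",
    "2013-01-15T02:14:05 src=203.0.113.7 dst=192.0.2.10 dport=443 action=allow",
    "2013-01-15T02:14:07 src=203.0.113.7 dst=192.0.2.10 dport=3389 action=deny",
    # A single remote connection: uninteresting on its own, as the interview notes.
    "2013-01-15T02:20:11 src=192.0.2.50 dst=192.0.2.10 dport=22 action=allow",
    # Routine web traffic from one client over an hour: few distinct ports, no alert.
    "2013-01-15T02:30:00 src=198.51.100.5 dst=192.0.2.10 dport=443 action=allow",
    "2013-01-15T02:45:00 src=198.51.100.5 dst=192.0.2.10 dport=443 action=allow",
    "2013-01-15T03:10:00 src=198.51.100.5 dst=192.0.2.10 dport=80 action=allow",
    "2013-01-15T03:25:00 src=198.51.100.5 dst=192.0.2.10 dport=443 action=allow",
]

# Assumed line layout: "<ISO timestamp> src=<ip> dst=<ip> dport=<port> action=<word>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_line(line):
    """Return (timestamp, src, dst, dport) for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"]))


def find_port_scans(lines, window=timedelta(minutes=5), min_ports=5):
    """Group connection events by (src, dst) and flag any source that touches at
    least `min_ports` distinct destination ports on one host within `window`.

    Returns {(src, dst): sorted list of the ports seen in the first flagged window}.
    Sources that never cross the threshold are absent from the result.
    """
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines instead of aborting the whole batch
        ts, src, dst, dport = parsed
        events[(src, dst)].append((ts, dport))

    alerts = {}
    for key, evs in events.items():
        evs.sort()  # chronological order so the sliding window only looks forward
        # Use each event as a candidate window start and collect the distinct
        # ports seen before the window closes.
        for i, (start, _) in enumerate(evs):
            ports = {p for ts, p in evs[i:] if ts - start <= window}
            if len(ports) >= min_ports:
                alerts[key] = sorted(ports)
                break
    return alerts


if __name__ == "__main__":
    for (src, dst), ports in find_port_scans(SAMPLE_LOGS).items():
        print(f"possible reconnaissance: {src} -> {dst}, ports {ports}")
```

Run as-is, it reports only the 203.0.113.7 source; the single SSH login and the repeated HTTPS client stay quiet because no individual line is alarming, only the aggregate is. The window and port-count thresholds are tuning knobs a monitoring team adjusts per environment to keep false positives manageable, which is exactly the kind of judgement the interview says tools alone cannot supply.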

Q: What sort of communication should take place within an organization (between IT, management and other departments) to make sure data is being secured?

A: There should be a top-down approach. Management needs to set the tone and communicate with IT and different department managers. IT should implement policies and procedures that physically forbid people from doing certain activities.

Internal and external education should be ongoing with staff, customers and partners who access your network. They should be made aware of the dangers of activities such as clicking on links, opening email attachments, visiting websites known for hosting malware and leaving passwords around their desks. We see more organizations that require the CIO or CISO, who are often personally liable for data breaches, to report to the board of directors on all things regarding information security.

Q: How can a company prepare its systems for the possibility of disaster (i.e. security breach, system failure or natural disaster)?

A: There are several things organizations can do:

  • Prepare for the worst and do everything you can to prevent such disasters.
  • Employ an experienced security professional to conduct regular vulnerability scans and penetration testing.
  • Implement redundancies and contingencies for systems, so you have a backup ready if one server goes down. Think about what you would do if one or many of your servers or your whole site were taken offline due to a virus, other hacker activity or a natural disaster. Plan for that and create remedies beforehand.
  • Have a prepared incident response plan, rehearse it and update it annually.
  • Monitor your system 24x7x365 to catch anomalous activity on your network.
  • Create plans for disaster recovery and business continuity. Review them annually and update them as needed.

Q: How does Dell SecureWorks work with organizations to secure data?

A: We offer four towers of security services. We sell no products and are vendor-neutral to the technologies organizations have or will employ in the future. Our services include:

  1. Managed Security Services:
    24/7 security services featuring a layered defense with an in-depth approach from outside to inside the organization and full-time monitoring
    • Intrusion prevention and detection systems
    • Firewall monitoring and management
    • Server, router and switch monitoring
    • Vulnerability scanning
  2. Security and risk consulting: Assess the current state of your security (penetration testing, IT audit, risk assessment, web app testing), prepare a recovery plan and employ our services to get back up as quickly as possible after a breach.
  3. Threat intelligence services: Subscribe to information on future threats and get advice on ways you might remediate or prevent them.
  4. Incident response: Help plan for and respond to an incident so organizations can get back up as quickly as possible after a breach.


For more information, email info@secureworks.com or phone 877.838.7947 to speak to a Dell SecureWorks Security Specialist.

Availability varies by country. © 2013 Dell Inc. All rights reserved.

Dell and the Dell logo, SecureWorks, Counter Threat Unit (CTU) are either registered trademarks or service marks, or other trademarks or service marks of Dell Inc. in the United States and in other countries. All other products and services mentioned are trademarks of their respective companies. This document is for illustration or marketing purposes only and is not intended to modify or supplement any Dell specifications or warranties relating to these products or services. February 2013

This article first appeared in Food Manufacturing, http://www.foodmanufacturing.com, in January 2013.
