Jeff Multz talks about how Dell SecureWorks works with organizations to secure their data.
A: The biggest threats are organizations themselves, because they aren't doing enough to protect themselves. They often think they're secure, but they're not. Public and private organizations need multiple layers of security. Not only do they need security around their network, but also separate layers of security around their most valuable servers and databases.
Organizations need around-the-clock human monitoring in addition to layers of security, but not enough of them have that. Threat actors are after you 24/7/365. They don't stop when you're sleeping. When organizations aren't watching their networks, hackers can enter sight unseen and leave behind malware. The challenge for many organizations is that these threat actors hide the malware, making it difficult for an IT specialist to find it at a later date when a problem has occurred.
Another issue organizations have is that they often aren't compliant with their industry's IT regulations (PCI DSS, GLBA/FFIEC, HIPAA, etc.), though they think they are. A lot of those organizations think they are secure just because they are compliant, but that's not necessarily true. What is true is this: When a company does all it can to become secure, compliance easily follows. Industries have regulations and minimum standards that organizations must meet to be compliant. What people should focus on is their security. Our qualified security assessors (QSAs) work with organizations to help ensure they're secure while helping with compliance. Organizations are often caught in the crosshairs of advanced persistent threat (APT) adjacencies. APTs are known for targeting countries and businesses. Sometimes attackers target businesses for monetary reasons, and sometimes they attack to harm governments.
We've seen attackers target the lowest lying fruit - small organizations in business with larger organizations that work with or supply the government. These are what we call adjacencies. The other threat I see is from employees. Attackers count on the gullibility of people at organizations. Office personnel of all ranks, usually with good intentions, click on links in emails or links on Web pages that, unbeknownst to them, will download malware.
One of the biggest threats is a company that doesn't have an Intrusion Detection/Prevention system (IDS/IPS). The IDS/IPS is separate from the firewall, which filters and blocks certain addresses and ports. An IDS/IPS detects and examines traffic in greater detail to prevent attacks that would slip past the firewall. For example, it could better detect violations of rules and protocols, packet designs, and distributed denial-of-service (DDoS) attempts.
A: The biggest issue we see is that organizations are concerned with achieving and maintaining compliance. For example, any organization that accepts credit cards must be compliant with the Payment Card Industry Data Security Standard (PCI DSS).
Organizations also have the following concerns:
A: Unfortunately, most of the industry is focused on throwing hardware and software solutions into the mix, but I don't see that as the solution. Things like customer relationship management (CRM) software, enterprise resource planning (ERP) or security information management (SIM) technology alone don't fix the security problem. We need more professionals who know what they're looking at with these tools.
Organizations should still use products, though. They need firewalls, SIM technology, an IDS/IPS, logs, etc. But if people don't know how to use these products as they were intended to be used, they become shelfware because they sit on a shelf doing half a job. We have worked with organizations that had plenty of shelfware and still found malware on their systems. We clean it up and discover that it's not that the products aren't working correctly; it's that people aren't using the products properly.
People in charge of the products can't properly regulate and maintain them, because they don't have the resources to monitor their systems 24/7. Organizations need experienced professionals who can watch these products around the clock, make decisions about false positives, respond to security-relevant issues and update technologies when they issue false alarms. The problem is that there are few experienced security professionals with the expertise to know the difference between security events and noise, so these people tend to ignore a lot of important things.
A: First, educate your employees. Teach them about getting confirmation from a sender before opening attachments and photos. If they don't know the sender personally, they should be suspicious when opening links and attachments.
Secondly, implement intrusion prevention as a layer of protection separate from the firewall.
Finally, employ professionals to conduct 24/7/365 log monitoring. Most organizations keep logs of the activity on their network, but they are not monitored as they should be. These rather cryptic logs keep a record of all activity on a company's network, but they're merely a string of characters that need to be interpreted at a higher level. Once interpreted, the individual logs might not always be of great concern. For instance, a log might indicate that a single computer has remotely connected to a client's network, which on its own is not very interesting. However, if we aggregate multiple related logs, we can see a bigger picture. For instance, if multiple connections can be observed on multiple ports on a client's network, it could indicate that possible reconnaissance is taking place. This behavior can probably be described as an alarm or a red flag. It's not always the logs themselves that raise an alarm. Extrapolation and higher-level interpretation of these logs can set off an alarm.
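The log aggregation described in this answer, shown as an added example that is not code from the interview or from Dell SecureWorks: constructed firewall accept records are parsed, grouped by source address, and a source that reaches many distinct destination ports within a short window is flagged as possible reconnaissance, while a host that repeatedly uses a single port, or touches two ports hours apart, is not. The log format, thresholds and addresses are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall connection log (not from the interview). One line
# per accepted connection: timestamp, source address, destination host:port.
SAMPLE_LOGS = """\
2013-01-15T02:14:01 ACCEPT src=203.0.113.7 dst=10.0.0.5:21
2013-01-15T02:14:02 ACCEPT src=203.0.113.7 dst=10.0.0.5:22
2013-01-15T02:14:02 ACCEPT src=203.0.113.7 dst=10.0.0.5:23
2013-01-15T02:14:03 ACCEPT src=203.0.113.7 dst=10.0.0.5:25
2013-01-15T02:14:05 ACCEPT src=203.0.113.7 dst=10.0.0.5:80
2013-01-15T02:14:09 ACCEPT src=203.0.113.7 dst=10.0.0.5:443
2013-01-15T02:15:10 ACCEPT src=198.51.100.4 dst=10.0.0.5:443
2013-01-15T02:16:40 ACCEPT src=198.51.100.4 dst=10.0.0.5:443
2013-01-15T02:20:00 ACCEPT src=192.0.2.9 dst=10.0.0.8:22
2013-01-15T03:30:00 ACCEPT src=192.0.2.9 dst=10.0.0.8:3389
this line is not a connection record and is skipped
"""

LINE_RE = re.compile(r"^(\S+) ACCEPT src=(\S+) dst=\S+:(\d+)$")

def parse_connections(text):
    """Yield (timestamp, src, dst_port) for each well-formed line; ignore the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), int(m.group(3))

def flag_port_sweeps(text, min_ports=5, window_seconds=60):
    """Return {src: sorted distinct ports} for every source that reached at least
    min_ports distinct destination ports within any window_seconds-long span."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for ts, src, port in parse_connections(text):
        by_src[src].append((ts, port))
    flagged = {}
    for src, events in by_src.items():
        events.sort()  # chronological, so events[i:] are the ones at or after start
        for i, (start, _) in enumerate(events):
            ports = {p for ts, p in events[i:] if ts - start <= window}
            if len(ports) >= min_ports:
                flagged[src] = sorted(ports)
                break
    return flagged

if __name__ == "__main__":
    for src, ports in flag_port_sweeps(SAMPLE_LOGS).items():
        print(f"possible reconnaissance from {src}: {len(ports)} ports {ports}")
```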
A: There should be a top-down approach. Management needs to set the tone and communicate with IT and different department managers. IT should implement policies and procedures that physically forbid people from doing certain activities.
Internal and external education should be ongoing with staff, customers and partners who access your network. They should be made aware of the dangers of activities such as clicking on links, opening email attachments, visiting websites known for hosting malware and leaving passwords around their desks. We see more organizations that require the CIO or CISO, who are often personally liable for data breaches, to report to the board of directors on all things regarding information security.
A: There are several things organizations can do:
A: We offer four towers of security services. We sell no products and are vendor-neutral to the technologies organizations have or will employ in the future. Our services include:
Availability varies by country. © 2013 Dell Inc. All rights reserved.
Dell and the Dell logo, SecureWorks, Counter Threat Unit (CTU) are either registered trademarks or service marks, or other trademarks or service marks of Dell Inc. in the United States and in other countries. All other products and services mentioned are trademarks of their respective companies. This document is for illustration or marketing purposes only and is not intended to modify or supplement any Dell specifications or warranties relating to these products or services. February 2013
This article first appeared in Food Manufacturing, http://www.foodmanufacturing.com, in January 2013.