With the advent of the BYOD phenomenon, the number of threats businesses face has multiplied on an unprecedented scale. Ben Rossi looks at how these trends have rapidly changed the enterprise security landscape and what can be done to stay protected.
Times have changed. People now want everything virtual, they want it in the cloud and they want to be able to access it from any of their multiple work and personal devices.
Not only that, but the internet has been around for a long time now and, consequently, hackers have become smarter. They are constantly finding new and more complex ways of breaching a company’s virtual security.
They’ve even been given a suitably scary name – ‘cyber criminals’ – and now that they have claimed a few high-profile victims they are seen as a force to be reckoned with and a serious threat to company data.
David Emm, malware expert for the global research and analysis team at Kaspersky Lab, says companies now need to prepare for all possible scenarios in order to stay protected against new breeds of threats.
“They should conduct a thorough risk assessment that looks at all the risks the company faces, how their security might be compromised, the cost to the business of a breach and how effective their mitigation strategy is,” Emm says.
“They need to look at how the business functions, including factors such as where staff operate, what devices they use to conduct business and where corporate data is stored. They should look at security incidents during the last quarter, six months, or year and evaluate the cost to the business of each breach or blocked threat,” he adds.
Maher Jadallah, regional manager at Sourcefire MEA, agrees that today’s IT environment changes unpredictably and threats are mostly unknowable.
“It goes without saying that IT deployments are complex and chaotic. About the only thing that can be predicted is things are going to change. As Sourcefire has seen, traditional, static security solutions are heavy and incapable of responding to these changes,” Jadallah says.
“Consequently, they are no longer capable of delivering end-to-end protection from attacks. It’s clear that security must evolve to better detect, prevent and intelligently analyse these dynamic attacks. Organisations cannot always adequately prepare for uncertainty. However, they can be agile,” he adds.
The traditional “detect-and-block” tactic born from antivirus software is no longer sufficient against this new breed of threats, according to John Metzger, senior product marketing manager at Sophos.
“Organisations need to reduce their attack surface to best protect the network. The majority of successful attacks target known vulnerabilities and thus unpatched applications are the most at risk. Using a product that not only blocks malware but also identifies missing patches will reduce the chance of an attack getting through,” he says.
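The “identify missing patches” check Metzger describes, reduced to its core, as an added example (not code from the article or from Sophos): an inventory of installed software is compared against an advisory feed, and every host running a version below the fixed version is reported, worst severity first. Hosts, product names, versions and advisory identifiers are all constructed for illustration.

```python
"""Find unpatched software from an inventory and an advisory list.

Added example, not code from the article or from Sophos. Hosts, products,
versions and advisory identifiers are constructed. Version strings are
compared component by component as numbers (1.10 > 1.9), never as text.
"""
import re

# Constructed advisory feed: a product is affected while the installed
# version is below fixed_in.
ADVISORIES = [
    {"id": "ADV-0001", "product": "acme-pdf-reader", "fixed_in": "9.4", "severity": "critical"},
    {"id": "ADV-0002", "product": "example-browser", "fixed_in": "31.1", "severity": "high"},
    {"id": "ADV-0003", "product": "example-office", "fixed_in": "2012.3", "severity": "medium"},
]

# Constructed software inventory: host -> {product: installed version}
INVENTORY = {
    "ws01": {"acme-pdf-reader": "9.3", "example-browser": "31.1", "example-office": "2012.3"},
    "ws02": {"acme-pdf-reader": "9.4", "example-browser": "31.0.2"},
    "srv01": {"acme-pdf-reader": "10.0", "example-office": "2012.1"},
}

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(version):
    """Turn "31.0.2" into (31, 0, 2) so each component compares numerically."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_vulnerable(installed, fixed_in):
    """True when the installed version is older than the version that fixed the issue."""
    return parse_version(installed) < parse_version(fixed_in)


def missing_patches(inventory, advisories):
    """One finding per (host, advisory) where the fix is not installed,
    ordered by severity then host so the worst exposure is worked first."""
    findings = []
    for host, software in inventory.items():
        for adv in advisories:
            installed = software.get(adv["product"])
            if installed is None:
                continue  # product not present on this host: nothing to patch
            if is_vulnerable(installed, adv["fixed_in"]):
                findings.append({
                    "host": host,
                    "advisory": adv["id"],
                    "product": adv["product"],
                    "installed": installed,
                    "fixed_in": adv["fixed_in"],
                    "severity": adv["severity"],
                })
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["host"]))
    return findings


def hosts_at_risk(findings):
    """Distinct hosts with at least one missing patch."""
    return sorted({f["host"] for f in findings})


if __name__ == "__main__":
    for f in missing_patches(INVENTORY, ADVISORIES):
        print(f"{f['severity']:8} {f['host']:6} {f['product']} "
              f"{f['installed']} -> {f['fixed_in']} ({f['advisory']})")
```

The numeric version comparison is the part worth copying: a naive string comparison would rank "9.4" above "10.0" and "31.0.2" above "31.1", silently hiding exposed hosts.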
With many legitimate sites now infected with malware, Metzger adds that a simple URL categoriser to block illegitimate sites is also no longer enough.
“More than 85% of infections occur on websites and the old theory that staying away from or blocking ‘bad’ sites will protect you from malware is no longer true. Organisations should look for solutions that are able to identify malware on legitimate sites and block this content,” Metzger says.
Furthermore, organisations should educate employees on common attacks and the methods used by cyber criminals so that they can be vigilant and protect the organisation, he adds.
It appears clear what is no longer protecting enterprises from new threats, but the burning question remains – what kind of endpoint security protection is required?
“A good endpoint solution needs to cover the normal bases such as an AV scanner, personal firewall and anomaly detection. Depending on the industry the company is in, it may also be applicable to look at capabilities such as endpoint and port control, disk encryption and data loss prevention,” says Nicolai Solling, director of technology services at help AG Middle East.
“Customer requirements may be very different depending on industry, audit requirements and capabilities within the security operations team and budget available. This is why help AG always focuses on identifying the correct requirements to a solution before advising on the specific vendor,” he adds.
A good tip is to look at the capabilities and extension possibilities of a solution as it is advisable to limit the number of endpoint controls, Solling says.
“Each endpoint control system takes up processing and memory resources from the endpoint and running multiple endpoints will just end up slowing down the operating system and impact user productivity in the worst case,” he adds.
Nima Saraf, team leader for technical advanced networking and information security at FVC MEA, says endpoint security software should give both visibility and control to administrators.
“We have been implementing cloud-based advanced malware endpoint protection and IPS/IDS inside the LAN to eliminate any internally and externally generated threats and attacks. On top of that we implement our next generation network access control which provides visibility and control over network access,” Saraf says.
“This level of control is based on user credentials, operating systems, network segment and device type. To keep a close eye we wrap all this by implementing a real-time network performance monitoring solution which communicates with a firewall, IPS/IDS, switches and endpoint hosts for any suspicion or misbehaviour of data, application or user,” he adds.
Most industry experts quizzed agree that companies need to tightly integrate endpoint security with other network-based safeguards.
“If the customer already has or is planning to roll out technologies such as network access control or user-based firewalling it is of course interesting to see how solutions can integrate together. Luckily the endpoint security industry has seen the need to be compliant and the ability to integrate with existing solutions,” Solling says.
“There are certain frameworks for how endpoint security can integrate with, for instance, a network access solution. Understanding compatibility and, even more importantly, incompatibility is key for making sure that no vendor lock-in occurs when selecting the endpoint solution,” he adds.
Continuity is also of high importance, according to Mahir Nayfeh, VP at management and technology consultancy firm Booz Allen Hamilton.
“To achieve continuity the risk management team must begin by taking a pulse of the current state of the security ecosystem. Look at how the most productive employees are using smart devices and determine what information they access to maximise productivity. Prioritise mobile applications and users, and tackle the most important issues first,” Nayfeh says.
Nick Black, senior technical manager at Trend Micro, says defending against APT-like attacks is difficult, but not impossible.
“Customers must invest in threat detection solutions that examine network behaviour across a multitude of devices looking for anomalous traffic patterns, connections, and flows within the corporate network and at network ingress/egress points,” he says.
“When suspicious content or network activities are detected, it can automatically take immediate preventative actions such as quarantining malicious files and executables, blocking command-and-control traffic, or automatically ‘cleaning’ infected endpoints,” he adds.
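One concrete form of the anomalous-flow check Black describes, as an added example that is not code from the article or from Trend Micro: many command-and-control implants poll their server on a timer, so a host that contacts one external destination at near-constant intervals with near-constant request sizes stands out from interactive browsing. The flow records are constructed, the thresholds are assumptions to be tuned against real traffic, and the generated drop rules illustrate the “block command-and-control traffic” response rather than anything the quoted product does.

```python
"""Flag beacon-like outbound connections in flow records.

Added example, not code from the article or from Trend Micro. Flow
records are constructed; min_events and the coefficient-of-variation
thresholds are assumed starting points, not vendor defaults.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (timestamp in seconds, src, dst, dst_port, bytes_out)
FLOWS = [
    # 10.0.0.10 polls 203.0.113.5:443 roughly every 60 s with a fixed-size request
    (0, "10.0.0.10", "203.0.113.5", 443, 512),
    (61, "10.0.0.10", "203.0.113.5", 443, 512),
    (119, "10.0.0.10", "203.0.113.5", 443, 512),
    (181, "10.0.0.10", "203.0.113.5", 443, 512),
    (240, "10.0.0.10", "203.0.113.5", 443, 512),
    (299, "10.0.0.10", "203.0.113.5", 443, 512),
    (361, "10.0.0.10", "203.0.113.5", 443, 512),
    # 10.0.0.11 browses 198.51.100.7:443: bursty timing, varied sizes
    (5, "10.0.0.11", "198.51.100.7", 443, 1200),
    (8, "10.0.0.11", "198.51.100.7", 443, 4800),
    (40, "10.0.0.11", "198.51.100.7", 443, 300),
    (41, "10.0.0.11", "198.51.100.7", 443, 9000),
    (200, "10.0.0.11", "198.51.100.7", 443, 700),
    (203, "10.0.0.11", "198.51.100.7", 443, 2500),
    (350, "10.0.0.11", "198.51.100.7", 443, 15000),
    # 10.0.0.12 talks to 203.0.113.9 twice: too few events to judge
    (100, "10.0.0.12", "203.0.113.9", 8080, 512),
    (160, "10.0.0.12", "203.0.113.9", 8080, 512),
]


def group_flows(flows):
    """Bucket flows by (src, dst, port) so each channel is scored on its own."""
    channels = defaultdict(list)
    for ts, src, dst, port, nbytes in flows:
        channels[(src, dst, port)].append((ts, nbytes))
    return channels


def coefficient_of_variation(values):
    """pstdev / mean, or None when the mean is zero (avoids division by zero)."""
    avg = mean(values)
    if avg == 0:
        return None
    return pstdev(values) / avg


def find_beacons(flows, min_events=5, max_interval_cv=0.2, max_size_cv=0.2):
    """Return channels whose inter-arrival times and request sizes are both
    nearly constant over at least min_events connections."""
    hits = []
    for (src, dst, port), events in group_flows(flows).items():
        if len(events) < min_events:
            continue  # not enough samples to call the timing regular
        events.sort()
        intervals = [later[0] - earlier[0] for earlier, later in zip(events, events[1:])]
        sizes = [nbytes for _, nbytes in events]
        interval_cv = coefficient_of_variation(intervals)
        size_cv = coefficient_of_variation(sizes)
        if interval_cv is None or size_cv is None:
            continue
        if interval_cv <= max_interval_cv and size_cv <= max_size_cv:
            hits.append({
                "src": src, "dst": dst, "port": port, "events": len(events),
                "mean_interval": round(mean(intervals), 1),
                "interval_cv": round(interval_cv, 3),
                "size_cv": round(size_cv, 3),
            })
    return hits


def block_rules(hits):
    """Render each hit as an egress drop rule in iptables syntax. Review before
    applying: software updaters and monitoring agents beacon too."""
    return [
        f"iptables -A OUTPUT -s {h['src']} -d {h['dst']} -p tcp --dport {h['port']} -j DROP"
        for h in hits
    ]


if __name__ == "__main__":
    detected = find_beacons(FLOWS)
    for hit in detected:
        print(hit)
    for rule in block_rules(detected):
        print(rule)
```

Two caveats a practitioner would add: implants that randomise their sleep interval need a looser interval threshold or a periodicity test on the whole series, and legitimate software (update checkers, monitoring agents) also beacons, so hits should pass through an allow-list before any automatic block is pushed.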
The biggest trend affecting enterprise security this year is the rise of mobile in the workplace.
Kaspersky Lab says it analysed the same number of mobile malware programs in 2011 as in the whole period between 2004 and 2005.
In March 2012 alone it analysed 2,560 threats and as of April 2012 there were more than 12,700 mobile malware modifications, including SMS Trojans that silently send SMS messages to premium-rate or international numbers.
However, Emm says the problem goes beyond just mobile malware.
“The growing use of mobile devices must also be seen within the wider context of mobile working. The task of securing data has become harder for businesses as employees increasingly conduct business outside the traditional workplace. There’s also now a heterogeneous mix of endpoint devices – and a mix of personal and business activities on them,” he says.
“They are also harder to manage because they’re geographically distributed. So businesses not only face the growing threat from mobile malware, but also the risk of data leakage. The key problem for businesses lies in managing security on smartphones. That is, implementing a ‘follow-me security’ policy for all devices in the enterprise, wherever they are and however they are being used,” he adds.
Metzger also points to BYOD as having a big influence on the enterprise security landscape.
“IT teams are being asked to allow personal iPads, Androids and other devices to have access to corporate data and they can no longer turn down these requests – nor should they. Often the requests are made out of necessity and to help improve productivity,” he says.
“IT needs and wants to enable employees to be as productive as possible and not be seen as a roadblock. The challenge lies in granting these devices access to the network while ensuring they are secure,” he adds.
Sebastien Pavie, regional sales director MEA at Safenet, emphasises the importance of securely providing employees access to network applications and online services.
“As businesses are increasingly embracing mobility, information has to be available anywhere and on any device. To achieve this, enterprises need to ensure that data are secured at every stage – from the moment of generation, to securing each point of access, to protecting the process of communication exchange,” Pavie says.
Black warns that as smartphone usage continues to grow worldwide, mobile platforms will become even more tempting to cyber criminals.
“The Android platform in particular has become a favourite attack target due to its app distribution model, which makes it completely open to all parties. We believe this will continue in 2012 although other platforms will also come under fire. To date, mobile platform threats come in the form of malicious apps,” Black says.
“Moving forward, we expect cyber criminals to go after legitimate apps as well. They will likely find either vulnerabilities or coding errors that can lead to user data theft or exposure. Compounding this further is the fact that very few app developers have a mature vulnerability handling and remediation process, which means the window of exposure for these flaws may be longer,” he adds.
Over the last year Sourcefire has spoken with hundreds of enterprises about their security solutions and found that one of the fundamental challenges they face is identifying what needs to be protected and which threats to consider when structuring their defences.
“These enterprises have the latest endpoint security products with the latest DAT files, but they are still heavily infected. In fact, our data shows that in many organisations up to 10 percent of all computers are infected. Many of the enterprises we spoke to don’t know how these threats got in, how they are spreading when inside or which computers have them,” Jadallah says.
“We believe that to protect today’s rapidly changing IT environments against modern threats, effective security approaches must deliver comprehensive visibility to preempt attacks and identify security risks before they can act,” he adds.
Looking forward, the resounding prediction is that the influence of mobile and BYOD will push endpoint security towards a user-centric design model.
“What this means is that endpoint security will be fixed by: 1) the role of the user, 2) the devices employed by the user, and 3) security policies around access, entitlements, monitoring and enforcement on a per-device basis,” Saraf says.
“Since mobile device security software is not nearly as prolific as it is with PCs, policy enforcement and malware detection and prevention will likely reside on the network. This is achieved by implementing NAC, endpoint malware and antivirus protection, VA and with real time network and security performance monitoring,” he adds.
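The user-centric access model Saraf describes here and earlier in the piece (a decision driven by user credentials, device type, operating system, network segment and per-device policy, with enforcement on the network for devices that cannot run an agent), as an added example that is not code from the article or from FVC. The access levels, segment names and posture attributes are assumptions, and every endpoint record is constructed.

```python
"""User-centric network access decisions for managed and BYOD endpoints.

Added example, not code from the article or from FVC. Access levels,
segment names and posture attributes are assumed; the endpoints are
constructed. Rules are evaluated in order and the first match wins.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed names for the VLAN/policy assignment a NAC would push to the switch.
FULL = "full"              # corporate segment, all entitlements for the role
RESTRICTED = "restricted"  # mobile/BYOD segment: published apps and mail only
QUARANTINE = "quarantine"  # remediation segment: patch and AV servers only
DENY = "deny"


@dataclass(frozen=True)
class Endpoint:
    user: Optional[str]     # None when no credentials were presented
    role: Optional[str]
    device_type: str        # "laptop", "tablet", "phone" or "unknown"
    os: str
    managed: bool           # enrolled in corporate device management
    av_running: bool        # posture reported by the endpoint agent
    patched: bool
    segment: str            # where it connected from: "corp", "guest", "vpn"


# Ordered rules: (name, predicate, decision). Posture checks sit above every
# role-based grant so a privileged user cannot bypass them, and the fallback
# when nothing matches is deny.
RULES = [
    ("no-credentials", lambda e: e.user is None, DENY),
    ("unknown-device", lambda e: e.device_type == "unknown", DENY),
    # Managed endpoints run an agent, so a failing posture sends the host to
    # remediation no matter who is logged in or which segment it is on.
    ("managed-posture-fail",
     lambda e: e.managed and not (e.av_running and e.patched), QUARANTINE),
    # Unmanaged phones and tablets cannot be trusted to run security software,
    # so enforcement stays on the network: a limited segment, no direct data access.
    ("byod-mobile",
     lambda e: not e.managed and e.device_type in ("tablet", "phone"), RESTRICTED),
    ("unmanaged-other", lambda e: not e.managed, DENY),
    # Healthy managed devices: access scoped to the user's role.
    ("contractor", lambda e: e.role == "contractor", RESTRICTED),
    ("staff", lambda e: e.role is not None, FULL),
]


def decide(endpoint):
    """Return (decision, name of the rule that fired)."""
    for name, predicate, decision in RULES:
        if predicate(endpoint):
            return decision, name
    return DENY, "default"


# Constructed endpoints covering each path through the policy.
ENDPOINTS = [
    Endpoint("alice", "engineer", "laptop", "Windows 7", True, True, True, "corp"),
    Endpoint("bob", "finance", "tablet", "iOS 5", False, False, True, "guest"),
    Endpoint("carol", "admin", "laptop", "Windows 7", True, False, True, "corp"),
    Endpoint("dave", "contractor", "laptop", "Windows XP", True, True, True, "vpn"),
    Endpoint("erin", "engineer", "laptop", "Ubuntu", False, True, True, "corp"),
    Endpoint(None, None, "phone", "Android 2.3", False, False, False, "guest"),
    Endpoint("frank", "engineer", "unknown", "unknown", False, False, False, "corp"),
]


if __name__ == "__main__":
    for ep in ENDPOINTS:
        decision, rule = decide(ep)
        print(f"{str(ep.user):8} {ep.device_type:8} {ep.segment:6} -> {decision:10} ({rule})")
```

Rule order is the security-relevant design choice: the posture rule is listed before the role grants on purpose, because moving it below them would let an administrator’s laptop with antivirus disabled onto the corporate segment. Adding a new grant at the end of the list keeps that guarantee; inserting one near the top does not.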