It used to be the case that only the most technical members of the IT department understood IT security. Viruses, Trojans and worms were not terms used outside the IT room, management did not yet worry about hackers or ‘zombie’ machines, and the board had absolutely no idea what a zero-day attack was, let alone how much damage it could cause. Now however, with computers (and their attendant threats) a ubiquitous part of virtually every organisation, IT security has slowly but surely risen through the ranks to become the business-wide issue it deserves to be.
Familiar, traditional IT security solutions usually include as a minimum the ubiquitous firewall, plus anti-virus software and scanning, intrusion detection and identity management. But the range and scope of products available covers all different aspects of security from the very specific to broad, network-wide prevention measures. In addition, most businesses using standard applications and software, for instance Windows, will also implement a programme of patch management. This ensures that the latest ‘patches’ – the IT equivalent of sticking-plasters – are applied to the server or users’ computers to fix any vulnerabilities inherent in the software.
While these security solutions are without a doubt better than nothing, and are often sufficient to protect the IT infrastructure in the main, they can also become a major headache for a business, its employees, and more specifically its IT department. Installing, implementing and maintaining the myriad solutions is usually an expensive and very time-consuming process. IT staff spend time updating patches or reconfiguring firewalls when they could more usefully be focusing their attention on profit – driving activities. Security needs are unlikely to be prioritised, leading to resources being wasted on inessential measures – and particularly in the case of patches, this lack of understanding can lead to ‘vulnerabilities’ being fixed unnecessarily. The alternative however is worse – that measures are not taken and the network is left vulnerable. Add to this the fact that virus warnings, patch updates and other security problems are being constantly issued at an often incredible rate, and it is not surprising that businesses, and their IT departments in particular, are having trouble keeping up – with potentially disastrous consequences.
So what is the solution for businesses that want to protect their networks and machines in an effective and cost-efficient way? The answer is automation. Many of the solutions mentioned above can be, and frequently are automated – patches are automatically installed onto machines; anti-virus software scans for known signatures of viruses and worms – and the IT manager simply has to sit back and let the whole process carry on without them. Unfortunately however this is never as straightforward as it may seem. Certain types of security require frequent updates which have to be manually inputted, while others are incompatible with particular systems and so need more careful monitoring. Security programmes too are often not intelligent enough to be relied on to deal with unusual or unexpected situations in the same way that a human could. A rush of traffic to a website may be mistaken for a zero-day attack, or the legitimate addition of new software may be mistaken for a malicious intrusion.
To avoid these kind of issues, what’s needed is a more holistic approach that aligns security with business goals and more efficiently manages risk. Security Risk Management (SRM) is emerging as this missing link, helping translate the black art of security into compliance risk terms that can be easily digested and documented. According to Forrester, “IT organisations have always scrambled to align IT with the business, but now there’s a new scramble going on — in the area of risk and compliance management.”
Security Risk Management is defined by leading industry analysts as the complete process of understanding threats, prioritising vulnerabilities, limiting damage from potential attacks, and understanding the impact of proposed changes or patches on the target systems. SRM solutions integrate and automate multiple information sources and technologies required to implement an effective vulnerability management process – and add the analytics required to make more intelligent decisions to protect critical business assets before an attack ever occurs, while continuously proving and improving risk postures.
There are three key steps in the SRM process:
Risk Assessment. Risk assessment is the identification and evaluation of risk and its business impacts. An integrated security approach is required: Define the origins and profiles of various threats; Collect and normalise vulnerability scanning data; Collect routing and access information from firewalls and routers; Define asset classification in business and compliance terms.
Risk Mitigation. Risk mitigation involves prioritising, evaluating and implementing the appropriate risk-reduction measures recommended from the risk assessment process. A business impact analysis approach is required: Model vulnerabilities in context with network routing; Perform attack simulation to uncover the weaknesses that pose the greatest potential harm to the business; Calculate risk exposure metrics and establish benchmarks; Analyse mitigation alternatives.
Risk Measurement. Risk measurement determines effectiveness of the action and continues reassessment and mitigation cycle to minimise threats and vulnerabilities. A measured ROI approach is required: Perform ‘what if’ access and risk analysis; Evaluate the cost benefits of countermeasures before deployment; Issue workflow tickets to the change management systems; Issue appropriate reports to security, IT operations, CICO, CIO, business owners, auditors; Repeat and automate the data collection and analysis process to keep up with constant network infrastructure changes and the introduction of new threats.
This approach ensures that security systems are kept continuously up-to-date, as well as providing a clear audit trail for the IT department to monitor and demonstrate the different security processes in place. It gives businesses a comprehensive overview of their vulnerabilities and allows them to accurately assess the risks they face, and determine their priorities for remediation. Time isn’t spent by the IT department on unnecessary measures so time can instead be spent on improving efficiencies elsewhere. Perhaps most importantly the window of vulnerability, from the time that a threat is identified to the time that it is remediated, is decreased, leaving businesses far less likely to suffer damage.
With Security Risk Management as a best practice, corporations can dramatically reduce their risk, reduce the time and effort taken to conduct and document an audit and improve the accuracy of their information. Automation means that security teams and auditors can have a continuously accurate snapshot of the security situation at any one time, and quickly see and correct lapses in internal controls to make sure they are always fully compliant. The IT department, security teams, business teams and executives can talk about security in the same terms and work collaboratively to ensure continuous improvement.
SRM is quickly becoming the by-word for intelligent security, and with threats increasing daily in both frequency and severity, it’s a term that businesses will soon find themselves familiar with. To have and maintain the competitive edge when it comes to security now takes more than just a firewall – it takes a smart, efficient approach to managing risk.
Skybox Security is exhibiting at Infosecurity Europe 2006