|By Dana Gardner||
|October 10, 2012 10:00 AM EDT||
The next edition of the HP Discover Performance podcast series unpacks the concept of intelligent containment of risk as an important approach to overall IT security. We'll examine why rapid and proactive containment of problems and breaches -- in addition to just trying to keep the bad guys out of your systems -- makes sense in today's environment.
Here to share his perceptions on some new ways to better manage security from the vantage of containment is our guest, Kaivan Rahbari, Senior Vice President of Risk Management at FIS Global, based in Jacksonville, Florida. The discussion is moderated by Dana Gardner, Principal Analyst at Interarbor Solutions. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]
Here are some excerpts:
Gardner: What's different about the overall security landscape today, compared to five years ago?
Rahbari: A lot has changed in the past five years. Two key economic trends have really accelerated our security changes. First, the US recession pushed companies to consolidate and integrate technology footprints and leverage systems. New deployment models, such as software as a service (SaaS) and cloud, help address some of the lack of capital that we've been experiencing and the ability to push cost from fixed to variable.
The second major economic trend that has continued in the past five years is globalization for some of the companies. That means a network topology that's traversing multiple countries and with different laws that we have to deal with.
We always talk about how we're only as strong as our weakest link. When larger and more sophisticated companies acquire smaller ones, which is pretty commonplace now in the market, and they try to quickly integrate to cut cost and improve service, they're usually introducing weaker links in the security chain.
Strong acquirers now are requiring an acquisition to go through an assessment, such as an ISO 27001 certification, before they're allowed to join “that trusted network." So a lot of changes, significant changes, in the past five years.
Gardner: Tell us about FIS Global.
Rahbari: FIS is a Fortune 500 company, a global company with customers in over 100 countries and 33,000 employees. FIS has had a history in the past 10 years of acquiring three to five companies a year. So it has experienced very rapid growth and expansion globally. Security is one of the key focuses in the company, because we're the world's largest wholesaler of IT solutions to banks.
Transaction and core processing is an expertise of ours, and our financial institutions obviously expect their data to be safe and secure within our environments. I'm a Senior Vice President in the Risk Management Group. My current role is oversight over security and risk functions that are being deployed across North America.
Gardner: What is the nature of security threats nowadays?
Rahbari: Attackers are definitely getting smarter and finding new ways to circumvent any security measure. Five years ago, a vast majority of these threats were just hackers and primarily focused on creating a nuisance, or there were criminals with limited technology skills and resources.
Cyber attacks now are a big business, at times involving organized crimes. These are intruders with PhDs. There could be espionage involved, and originate in countries with no extradition agreements with the US, making it very difficult for us to prosecute people even after we identify them.
You've also read some of the headlines in the past six months, things such as Sony estimating a data breach and cleanup of $171 million, or an RSA hack costing EMC $66 million. So this is truly a big business with significant impacted companies.
Another key trend during the past five years that we've seen in this area is that the nature of the threats are changing from very broad, scattered approach to highly focused and targeted. You're now hearing things such as designer malware or stealth bots, things that just didn't exist five or 10 years ago.
Other key trends that you're seeing is that mobility and mobile computing have really taken off, and we now have to protect people and equipment that could be in very hostile environments. When they're open, there's no security.
The third key area is cloud computing, when the data is no longer on your premises and you need to now rely on combined security of your company, as well as vendors and partners.
The last major thing that's impacting us is regulatory environment and compliance. Today, a common part of any security expert terminology are words such as payment card industry (PCI), Gramm-Leach-Bliley Act (GLBA), and Sarbanes-Oxley (SOX), which were not part of our common vocabulary many years ago.
Gardner: So how do we play better defense? Most of the security from five years ago was all about building a better wall around your organization, preventing any entry. You seem to have a concept that accepts the fact that breaches are inevitable, but that focuses on containment of issues, when a breach occurs. Perhaps you could paint a picture here about this concept of containment.
Rahbari: As you said, it's easier to secure the perimeter -- just don't let anything in or out. Of course, that's really not realistic. For a vast majority of the companies, we need to be able to allow legitimate traffic to move in and out of our environments and try to determine what should be blocked.
I'll say that companies with reasonable security still focus on a solid perimeter defense. But companies with great security, not only guard their perimeter well, they assume that it can be breached at any time, as you stated.
Some examples of reasonable security would include intrusion protection, proxies to monitor traffic, and firewalls on the perimeter. You would then do penetration testing. On their PCs you see antivirus, encryption, and tools for asset and patch management. You also see antivirus and patch management on the servers and the databases. These are pretty common tools, defensive tools.
But companies that are evolving and are more advanced in that area have deployed solutions such a comprehensive logging solutions for DNS, DHCP, VPN, and Windows Security events. They have very complex security and password requirements.
As you know, password-cracking software is pretty common on the Internet nowadays. They also make sure that their systems are fully patched all the time. Proactively, as you know, Microsoft publishes patches every month. So it's no longer sufficient to upgrade a system or patch it once every few years. It's a monthly, sometimes daily, event.
Gardner: How do you go about such containing?
Rahbari: First, as the costs of attacks have skyrocketed, we're now seeing in the market some pretty great solutions that actively try to prevent things from happening or mitigating them when they happen.
A few of the examples that come to mind are on the perimeter. We're seeing a lot of denial-of-service (DoS) attacks in recent years. Basically what that means is you detect a massive attack toward a specific IP address, and it happens with financial institutions a lot.
With some of these great solutions on the market, you would swing all of your traffic another IP address, without bringing down the environment. The attackers still think they're attacking and shutting down an environment, but they really aren't.
Five years ago, the primary objective of a DoS attack like this was just to shut something down for malicious purposes. Now, it's a pretty common vehicle for fraud.
Here's a scenario. In a small business, Joe's Landscaping, their internet banking gets compromised and someone steals their password. Then the hackers authenticate and do a wire transfer out of his account to some bank in the Cayman Islands. That attacker then mounts the DoS attack against the service provider that Joe's Landscaping is using, so that the fraudulent activity is not discovered or it's delayed for a few days. By the time it's discovered, the money is long gone.
Another example of proactive and great security is to have software white-listing on PCs and servers, so that only legitimate software is actually installed. A key method of obtaining credentials nowadays is to install keystroke logger software on a machine. That can easily be blocked by white-listing software.
A third example of strong security posture is not just to detect, but actually actively destroy things. Traditionally, when we were monitoring wireless access into companies, we would just report that there was wireless access that shouldn't have been granted.
Most companies would assign a password to it, but as you know, passwords are shared sometimes, so soon enough, everyone knows the password to the wireless system in the company. One of the things that we’ve started using are solutions that actively jam wireless signals, unless it's their authorized room or a known IP address.
Another great example of a proactive approach we see in the market is when a visitor or employee plugs a non-corporate device into network, either on premise or from home. That creates a significant amount of risk. There are some great solutions out there that provide network access control. If an unknown device plugs into the network, that's immediately rejected at the network level. You can't even authenticate.
Probably the less obvious offensive posture that people don't think about is just around discovery and disclosure. Some of the statistics I’ve read indicate that more than 90 percent of the compromises are actually reported externally, rather than the company discovering it.
It's a PR and regulatory nightmare, when someone comes to us and says, "You've been attacked or breached," versus us discovering something and reporting it. Some of the examples I gave were technology, but some of it is just planning and making sure that we’re proactive and report and disclose, rather than seeing it in the headlines.
Gardner: Are there any particular types of technology that help contain an intruder or some other breach?
Rahbari: Some of it is just process, and some of it is technology. When most companies discover a breach, they take people who are already in a full-time job function related to security and put them on the team to investigate. These people don't have the investigative skills and knowledge to deal with incident management, which is truly a specialized science now.
Companies that have experienced breaches and now know how important this is have implemented best practices by having a dedicated team to plan and handle breaches. It's like assigning a SWAT team to a hostage situation versus a police patrol officer.
A SWAT team is trained to handle hostage situations. They're equipped for that. They have a machine gun and sniper rifle instead of a handgun, and they don't have another full-time job to worry about while they’re trying to deal with the crisis. So, from a process and team perspective, that's the first place I would start.
This is even more critical for targeted attacks, which are pretty common nowadays. You have to have the necessary infrastructure to prepare for an event or an incident ahead of time. During the attack, we usually don't disrupt the attacker, or alert them that we’re about to go remedy something. After the remediation is prepared, then we implement that and, in that process, learn about what the attacker is doing.
Some of the steps I recommend, once you know a breach has occurred, is to first pull the entire network off the internet until remediation is complete, blocking the known attacker, domains, and IP addresses. Other simple things include such things as changing compromised passwords.
The preparation ahead of time is important ... because the architecture is the fundamental way in which we can secure our environments.
Some of the steps that any good company should take is first make sure that their networks are separated and isolated. You need a long term network architecture and strategic plan. You also need to establish security zones to separate high risk domains, and make sure you have standards to govern the level of trust between sites and your networks, based on your business requirements.
As far as domain segregation, make sure you do things such as separating Active Directory domains with credentials for your production environments, versus your quality assurance developments and other employee-access environments.
From a trends perspective, there are a number of things that had really helped. Virtualization is one of them. It's a key technique to create segregation between applications.
Gardner: How can organizations get started on this? It looks like an awful lot to go after it once. Is there a path to this -- a crawl, walk, run approach -- that you would recommend in terms of improving your posture, when it comes to security and containment?
Rahbari: This is a very complicated and difficult thing to learn, and that's where partners and other firms really can be a tremendous help. First, I'd start with an existing organization. Five years ago, it was difficult to sell security to business leaders. Now, those same business leaders are seeing in the paper everyday -- the numbers are astronomical -- Sony, Google, and others who had breaches.
From the inside, good indication of a security culture change is when you have a dedicated chief information security officer (CISO), the company has a security or risk committee, security is a budget line in the item and not just buried within an IT budget, and security is the business issue.
Effects of breaches
With the incredible amount of regulatory burden, scrutiny, and oversight, a breach can really tank a company overnight. You read in the paper two months ago, we had a company that lost half of its stock value overnight, after a breach, after Visa was hinting that they might stop using them.
I'd highly recommend that you hire a reputable company to get started, if your particular firm cannot afford to invest in hiring the experts. There are lots of firms that can come. You can outsource to start with, and then as you feel comfortable, bring it in-house and leverage the expertise of this highly, highly specialized field to protect your company and assets.
You may also be interested in:
- Investing Well in IT With Emphasis on KPIs Separates Business Leaders from Business Laggards, Survey Results Show
- Expert Chat with HP on How Better Understanding Security Makes it an Enabler, Rather than Inhibitor, of Cloud Adoption
- Expert Chat with HP on How IT Can Enable Cloud While Maintaining Control and Governance
- Expert Chat on How HP Ecosystem Provides Holistic Support for VMware Virtualized IT Environments
The BPM world is going through some evolution or changes where traditional business process management solutions really have nowhere to go in terms of development of the road map. In this demo at 15th Cloud Expo, Kyle Hansen, Director of Professional Services at AgilePoint, shows AgilePoint’s unique approach to dealing with this market circumstance by developing a rapid application composition or development framework.
Dec. 22, 2014 11:00 AM EST Reads: 1,483
SYS-CON Events announced today that Windstream, a leading provider of advanced network and cloud communications, has been named “Silver Sponsor” of SYS-CON's 16th International Cloud Expo®, which will take place on June 9–11, 2015, at the Javits Center in New York, NY. Windstream (Nasdaq: WIN), a FORTUNE 500 and S&P 500 company, is a leading provider of advanced network communications, including cloud computing and managed services, to businesses nationwide. The company also offers broadband, phone and digital TV services to consumers primarily in rural areas.
Dec. 22, 2014 11:00 AM EST Reads: 2,374
The Internet of Things is not new. Historically, smart businesses have used its basic concept of leveraging data to drive better decision making and have capitalized on those insights to realize additional revenue opportunities. So, what has changed to make the Internet of Things one of the hottest topics in tech? In his session at @ThingsExpo, Chris Gray, Director, Embedded and Internet of Things, discussed the underlying factors that are driving the economics of intelligent systems. Discover how hardware commoditization, the ubiquitous nature of connectivity, and the emergence of Big Data a...
Dec. 21, 2014 02:00 PM EST Reads: 2,458
"BSQUARE is in the business of selling software solutions for smart connected devices. It's obvious that IoT has moved from being a technology to being a fundamental part of business, and in the last 18 months people have said let's figure out how to do it and let's put some focus on it, " explained Dave Wagstaff, VP & Chief Architect, at BSQUARE Corporation, in this SYS-CON.tv interview at @ThingsExpo, held Nov 4-6, 2014, at the Santa Clara Convention Center in Santa Clara, CA.
Dec. 21, 2014 01:00 PM EST Reads: 2,055
The major cloud platforms defy a simple, side-by-side analysis. Each of the major IaaS public-cloud platforms offers their own unique strengths and functionality. Options for on-site private cloud are diverse as well, and must be designed and deployed while taking existing legacy architecture and infrastructure into account. Then the reality is that most enterprises are embarking on a hybrid cloud strategy and programs. In this Power Panel at 15th Cloud Expo (http://www.CloudComputingExpo.com), moderated by Ashar Baig, Research Director, Cloud, at Gigaom Research, Nate Gordon, Director of T...
Dec. 21, 2014 11:30 AM EST Reads: 2,461
SYS-CON Events announced today that IDenticard will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. IDenticard™ is the security division of Brady Corp (NYSE: BRC), a $1.5 billion manufacturer of identification products. We have small-company values with the strength and stability of a major corporation. IDenticard offers local sales, support and service to our customers across the United States and Canada. Our partner network encompasses some 300 of the world's leading systems integrators and security s...
Dec. 21, 2014 10:00 AM EST Reads: 2,212
ARMONK, N.Y., Nov. 20, 2014 /PRNewswire/ -- IBM (NYSE: IBM) today announced that it is bringing a greater level of control, security and flexibility to cloud-based application development and delivery with a single-tenant version of Bluemix, IBM's platform-as-a-service. The new platform enables developers to build ap...
Dec. 21, 2014 06:15 AM EST Reads: 2,184
“In the past year we've seen a lot of stabilization of WebRTC. You can now use it in production with a far greater degree of certainty. A lot of the real developments in the past year have been in things like the data channel, which will enable a whole new type of application," explained Peter Dunkley, Technical Director at Acision, in this SYS-CON.tv interview at @ThingsExpo, held Nov 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA.
Dec. 20, 2014 08:00 AM EST Reads: 1,469
DevOps Summit 2015 New York, co-located with the 16th International Cloud Expo - to be held June 9-11, 2015, at the Javits Center in New York City, NY - announces that it is now accepting Keynote Proposals. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is no time to wait for long development cycles that produce software that is obsolete at launch. DevOps may be disruptive, but it is essential.
Dec. 18, 2014 09:45 PM EST Reads: 1,317
"People are a lot more knowledgeable about APIs now. There are two types of people who work with APIs - IT people who want to use APIs for something internal and the product managers who want to do something outside APIs for people to connect to them," explained Roberto Medrano, Executive Vice President at SOA Software, in this SYS-CON.tv interview at Cloud Expo, held Nov 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA.
Dec. 18, 2014 09:00 AM EST Reads: 1,429
Nigeria has the largest economy in Africa, at more than US$500 billion, and ranks 23rd in the world. A recent re-evaluation of Nigeria's true economic size doubled the previous estimate, and brought it well ahead of South Africa, which is a member (unlike Nigeria) of the G20 club for political as well as economic reasons. Nigeria's economy can be said to be quite diverse from one point of view, but heavily dependent on oil and gas at the same time. Oil and natural gas account for about 15% of Nigera's overall economy, but traditionally represent more than 90% of the country's exports and as...
Dec. 18, 2014 06:00 AM EST Reads: 986
The Internet of Things is a misnomer. That implies that everything is on the Internet, and that simply should not be - especially for things that are blurring the line between medical devices that stimulate like a pacemaker and quantified self-sensors like a pedometer or pulse tracker. The mesh of things that we manage must be segmented into zones of trust for sensing data, transmitting data, receiving command and control administrative changes, and peer-to-peer mesh messaging. In his session at @ThingsExpo, Ryan Bagnulo, Solution Architect / Software Engineer at SOA Software, focused on desi...
Dec. 17, 2014 11:15 PM EST Reads: 1,472
"At our booth we are showing how to provide trust in the Internet of Things. Trust is where everything starts to become secure and trustworthy. Now with the scaling of the Internet of Things it becomes an interesting question – I've heard numbers from 200 billion devices next year up to a trillion in the next 10 to 15 years," explained Johannes Lintzen, Vice President of Sales at Utimaco, in this SYS-CON.tv interview at @ThingsExpo, held Nov 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA.
Dec. 17, 2014 11:00 PM EST Reads: 1,522
"For over 25 years we have been working with a lot of enterprise customers and we have seen how companies create applications. And now that we have moved to cloud computing, mobile, social and the Internet of Things, we see that the market needs a new way of creating applications," stated Jesse Shiah, CEO, President and Co-Founder of AgilePoint Inc., in this SYS-CON.tv interview at 15th Cloud Expo, held Nov 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA.
Dec. 17, 2014 08:00 PM EST Reads: 1,485
SYS-CON Events announced today that Gridstore™, the leader in hyper-converged infrastructure purpose-built to optimize Microsoft workloads, will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. Gridstore™ is the leader in hyper-converged infrastructure purpose-built for Microsoft workloads and designed to accelerate applications in virtualized environments. Gridstore’s hyper-converged infrastructure is the industry’s first all flash version of HyperConverged Appliances that include both compute and storag...
Dec. 17, 2014 06:30 PM EST Reads: 1,456
Today’s enterprise is being driven by disruptive competitive and human capital requirements to provide enterprise application access through not only desktops, but also mobile devices. To retrofit existing programs across all these devices using traditional programming methods is very costly and time consuming – often prohibitively so. In his session at @ThingsExpo, Jesse Shiah, CEO, President, and Co-Founder of AgilePoint Inc., discussed how you can create applications that run on all mobile devices as well as laptops and desktops using a visual drag-and-drop application – and eForms-buildi...
Dec. 17, 2014 11:45 AM EST Reads: 1,595
We certainly live in interesting technological times. And no more interesting than the current competing IoT standards for connectivity. Various standards bodies, approaches, and ecosystems are vying for mindshare and positioning for a competitive edge. It is clear that when the dust settles, we will have new protocols, evolved protocols, that will change the way we interact with devices and infrastructure. We will also have evolved web protocols, like HTTP/2, that will be changing the very core of our infrastructures. At the same time, we have old approaches made new again like micro-services...
Dec. 16, 2014 11:45 PM EST Reads: 1,451
Code Halos - aka "digital fingerprints" - are the key organizing principle to understand a) how dumb things become smart and b) how to monetize this dynamic. In his session at @ThingsExpo, Robert Brown, AVP, Center for the Future of Work at Cognizant Technology Solutions, outlined research, analysis and recommendations from his recently published book on this phenomena on the way leading edge organizations like GE and Disney are unlocking the Internet of Things opportunity and what steps your organization should be taking to position itself for the next platform of digital competition.
Dec. 15, 2014 11:45 PM EST Reads: 1,803
The 3rd International Internet of @ThingsExpo, co-located with the 16th International Cloud Expo - to be held June 9-11, 2015, at the Javits Center in New York City, NY - announces that its Call for Papers is now open. The Internet of Things (IoT) is the biggest idea since the creation of the Worldwide Web more than 20 years ago.
Dec. 15, 2014 10:30 AM EST Reads: 6,952
As the Internet of Things unfolds, mobile and wearable devices are blurring the line between physical and digital, integrating ever more closely with our interests, our routines, our daily lives. Contextual computing and smart, sensor-equipped spaces bring the potential to walk through a world that recognizes us and responds accordingly. We become continuous transmitters and receivers of data. In his session at @ThingsExpo, Andrew Bolwell, Director of Innovation for HP's Printing and Personal Systems Group, discussed how key attributes of mobile technology – touch input, sensors, social, and ...
Dec. 15, 2014 10:00 AM EST Reads: 2,006