Comment: Raising the security standard

Bryant says, to avoid throwing money down a drain, first assess the security requirements unique to your organization

The challenge facing IT security professionals today is the demand to increase security against a backdrop of ever diminishing budgets.

Research from Tufin Technologies claims that one in 10 IT professionals has admitted to cheating on their IT audits, while a third of respondents also confessed to auditing their systems only once every five years. Nearly 40% stated that their security is “a mess”. The primary reason given: lack of time and resources.

A shortage of skilled staff, which creates a need for external help that has not been budgeted for, adds to this dangerous situation. NSS Labs recently reported that the security equipment it tested identified between 10% and 80% of threats. If 80% is the best that can be done, then IT security is in trouble!

When the problems surface – from an external audit or, in a worst-case scenario, a successful malicious attack – the reaction is to spend huge sums of money on new equipment, consultants, and considerably more resource allocation than a continual validation and maintenance program would have cost in the first place. Unfortunately, this often results in looking for someone to blame, with security staff as the scapegoats and their jobs on the line.

Security equipment vendors supply equipment with security rules and configurations set at a particular handover date. You then need to pay large fees to receive regular updates to those rules. Configurations change and new threats appear each day.

It’s a leap of faith, so how do you know that the rules in your configuration will stop the known threats? Is it because the vendor says it does? How would they know? Do they validate each day? No, that’s your responsibility.

Idappcom recently tested its traffic files against a popular (free) IPS solution and found that nearly 800 threats were not recognized and, with simple evasion techniques, even slightly competent hackers could render the security as good as useless.

Idappcom issues well in excess of 50 traffic files each month; the security vendor in question issues between 5 and 15 security rules each month. The math is simple: far more threats than rules are being issued. Many old, but still very dangerous, threats are continually being dropped from security devices in an effort to maintain throughput. These two factors alone mean that exposure is increasing exponentially as each month passes.

The problem is threefold – lack of time, money and skill. Overcoming these problems requires the following steps:

The first priority is to prove the effectiveness of your current security solutions, including their compliance, due diligence and threat protection capabilities.

Then move on to enhancing your existing security solution by understanding where the strengths and weaknesses in your defenses lie and what changes need to be introduced to meet all necessary requirements.

The final stage is to reassess your security effectiveness to check whether these improved levels and abilities have addressed the weaknesses discovered in the earlier stages. From this secure position, ongoing assessments should be undertaken as an integral part of your IT security processes. This needs to happen not just once every five years, not once a year, but continually, month by month, and ideally day by day. To make this more manageable, detection of threats can be limited to the ones that are relevant to your organization rather than the world at large.

It is this final and crucial stage where companies are falling down. Organizations think they are doing the right thing by using their IT budget to invest in new security devices that work faster but actually offer the same level of protection, or even chains of devices that offer ineffective rules. The result: the IT department is left to hope for the best, waiting for a problem to rear its ugly head.

Instead, organizations should be looking to integrate applications into their infrastructure that automatically validate against as many relevant threats as possible, are updated to detect new threats, and check known evasion techniques. Ideally the applications will also supply rules for these new threats that can be copied into your security applications and devices. This will ensure you are well on your way to creating as watertight an infrastructure as is possible in these malware-ridden times.

The cost is minuscule when compared with purchasing unnecessary new equipment, the high update fees to get new rules, the cost of internal or external expertise, and, of course, the resulting costs should an attack be successful.

Additional cost savings can be realized in time saved on long and ineffective audits. With software integrated into your infrastructure you will have the means to carry out quickly and regularly what would otherwise take days.

The end result is that you will be able to fulfil the holy grail of effective IT security – tighter control, reduced costs, painless compliance processes and a better night’s sleep for the harassed IT professionals who had to resort to cheating to pass their audit.


Ray Bryant is the chairman and CEO of Idappcom. Bryant started his working life in a firm of London chartered accountants and qualified as a Chartered Company Secretary in 1979. His career in IT started in the very early days at Control Data Corporation, in finance, production and logistics. He spent 15 years with Ciba Geigy on finance and ERP software implementations in the UK, US, Saudi Arabia, Greece, Turkey and the Philippines.

Bryant then moved on to SSA Global Technologies as a financial systems consultant, culminating in the creation of an independent compliance company, SLA Management Services (Barham Group), which he headed as chairman and managing director. The Barham Group grew in six years to service many IT companies, including one of the largest IBM mid-range (and UNIX), ERP and CRM software providers in the world. Ray took the company from start-up to successful sale in 2008. Since then Ray has been strengthening the security offerings of Idappcom.
