Firewall, Detection, Containment. It does not help that each of these three disciplines is complicated, technical, and protecting against a diverse array of threats. They can also be expensive, and many of the threats are relatively new and are designed to circumvent security solutions that have been trusted and effective for a generation.
Conundrum. Major network incidents are reported often in the news – and frequently the security analysis that accompanies these reports identifies security measures that could have been taken to prevent the incident. So often these measures are well-known procedures that should be in place for all financial services companies. What gives?
Human factors. CTP is a consulting company – we present technologies and solutions to many companies – sharing knowledge is education, and we generally find a very receptive audience. It is not unusual that implementation does not make the upcoming budget cycle!
- Companies have typically addressed network security in a serious and disciplined manner, and so in many cases the issue really comes down to keeping up to date with current best practices.
- Fitting the solution – sizing – the (expensive) solution applied to a Fortune 500 company does not fit an SMB company, and yet there is almost always a good solution that fits both the scale and the requirements of the problem.
- It is rare that security incidents are reported publicly. The ones that do make the news often would not be a concern to the SMB. I think many exploits seem arcane and unlikely to be in play for the smaller company – indeed, why would a small company be of enough interest to be a target?
- Purchase of a firewall can be straightforward – pick a manufacturer and get the sizing right. Containment and detection solutions are more a collection of procedures and technologies directed at a plethora of disparate threats, with a wide range of pricing and impact on internal support staff. And, characteristic of IT, many of these measures can come across as mundane and more effort than they are worth.
Containment. We suggest that it is fair to assume that the network of any company, SMB and even smaller, will be compromised. If this is taken as a given, then two questions follow: how can the network be arranged to make it most difficult for an intruder to steal or disrupt, and how can an intrusion be detected once it has occurred? The problem necessarily becomes a collection of cases – and a collection of remedies. Containment is a topic for another blog. From the technology side, we love to get into the details. On the receiving side, we are practiced at spotting the glazed-eye look. Best practices – the technologies we group into containment are well known, widely recommended, and effective. Impact – security measures can affect both IT staff and end users. These measures do not keep people from doing their job, but they can require that people conform to procedures and best practices. That may require learning a new way to do a familiar task.
The "whole field" game. There is an old saying: ball hogs die! Effectively protecting against modern-day attacks requires the whole field of tools. Once an attacker has gained entry to the network, containment measures can limit rights escalation, lateral movement, access to more secure networks that include servers and management devices, and so on. In gaining access, however, the attacker will have installed software on computers at the point of entry, in some cases under the control of external computers, and these will need to be cleaned – detection measures will be important in identifying these computers. Web security, including application-aware inspection, site reputation, content filtering, and data loss prevention – provided by the firewall and/or a web security device or hosted service – is critical in controlling the transfer of information out of the company, breaking command-and-control connections, and much more. And so this comes down to a whole-field effort.
Moving forward. Information Technology is a service – a service that supports the business of the company. Technology that does not contribute to the success of the business will seldom get funding. What is the case, then, for implementing detection and containment security measures? A topic for another blog – but a few things to think about and research. i) Malware today cannot be expected to be detected by traditional anti-virus methods. Current-generation anti-virus systems now go about the problem very differently, beginning to converge with network detection technologies. ii) The business of hacking has matured, with specialists providing discrete services and marketing their product – Crime as a Service. iii) Small business, and especially in the Boston area, is an active target, and it is profitable. In short – the tools in place at your company may not be able to detect current threats, you are protecting your company from specialists who collectively can understand the nature and business processes of your company, and it is likely worth their time to target your company.