Managed Security Services

Transcription

1 Managed Security Services Are You Ready? BT White Paper

2 02

3 Contents Overview 04 State of play 04 Examining the issues 05 Risk 05 Threats 06 Constant vigilance 06 Regulation 06 Justifying security spend 07 Why organisations are moving to managed services 07 Choosing a partner 07 03

4 Responding to market, governance, and cost issues Driven by regulatory and geopolitical pressures, institutions are prioritising investment in managed security services to manage their risk profile. Overview The issue of whether to insource or outsource security management is now very much on the agenda of boardrooms on both sides of the Atlantic. For companies that have invested significant time and resource in maintaining their security infrastructure, the decision to share responsibility with a third party, let alone hand it over, may have been unthinkable until recently. However the recent economic downturn, coupled with the continued sophistication and easy availability of hacking exploit tools, has forced companies to re-evaluate their ability to cope effectively without expert help. State of play The optimism of the late 1990s in addressing key security issues has been replaced by hard pragmatism. Important new technologies such as Intrusion Detection Systems (IDS), Identity Management, and Public Key Infrastructure (PKI), have not yet become mainstream. Whilst individual product solutions do exist, significant integration and operational service wrap is required to realise their full benefit; and it goes without saying that there is no magic bullet. This is only partly down to technology immaturity and lack of interoperability standards. A more significant factor is the growing appreciation of the complexity of the challenge and if anything that challenge is increasing. We are currently witnessing an arms race between the hacker community and the guardians of corporate infrastructure. The only certainty about this race is that it will continue for some time yet. The fact is that there are problems in security that large numbers of enterprises have failed to acknowledge or confront head on. In computer science speak, we could say the the problem space is much bigger than we anticipated. These problems manifest themselves especially where technology interacts with people and where degrees of risk need to be considered (which we will cover shortly). As we will also discuss, key issues in security are also down to our inability to maintain consistently high standards with repetitive, laborious processes (such as patch and configuration management). The result is that, to be effective, today s security management solution must be carefully crafted, integrated, and underpinned by rigorous procedures and first class security staff, as well as leading products and technologies. (see Figure 1 below). Failure to have all of these elements in place will compromise security, with potentially disastrous effects for a business. Figure 1 Security Expertise Service Design Integration Technology Technology Technology People Process Product Over time, as the technology matures, there will be a gradual shift from reliance on people to increasing levels of automation. However we are some way off from automating security management. 04

5 Examining the issues Some of the key security issues affecting business today are: Inability to effectively patch vulnerable systems, as well as poor configuration management practises Inability to monitor for and cope with daily threats such as virus and denial of service (DoS) attacks, spam, and information theft Lack of, or inability to retain, skilled security staff Increasing complexity and increasingly mobile workforce. The shortage of security skills continues to be a problem, amplified by the recent economic downturn and lack of investment. Good security analysts are very hard to find and are slow in the making. This problem shows no sign of abating. Security is a relentless and unforgiving discipline, and basic configuration management problems continue to be a major issue. Patching is perhaps the best intrusion prevention technique available, but still causes major headaches for all kinds of organisations. Many vulnerabilities are publicised before there is an exploit, and patches are often available weeks or even months before the exploit is available or widely publicised. So why do companies continually fail to patch effectively? A recent Gartner report concluded that 30% of attacks exploit vulnerabilities where a patch is available, and 65% of attacks exploit mis-configured systems. Only 5% of attacks exploit things in areas that were previously not known to be a problem. The answer is that patching vulnerable systems in a large enterprise with many different platforms, locations, and legacy applications, can be non-trivial and extremely time consuming. Security technologies are still maturing. Intrusion Detection Systems require careful deployment and tuning to avoid the management headaches of excessive False Positives and False Alarms. Identity Management, biometrics and PKI require expertise and skilled resources to ensure proper integration, ongoing management, and return on investment (ROI). Security management and event correlation is also undergoing a revolution, evidenced by the fact that this is an active area of research. One of the key areas of debate is currently between traditional static signature based techniques and statistical/behavioural techniques. The former is employed widely on much of the current IDS, AntiVirus and Correlation technology. It is predictable and easily understood, but is vulnerable to sophisticated attacks (such as polymorphic worms and viruses, where attacks can change form over time). Conversely, statistical/behavioural systems are promising, but much harder for customers to comprehend, and there is still some way to go before they prove reliable, especially where there is the potential to stop a transaction erroneously (i.e a False Negative). Considerable research and experimentation is still required in these areas. Risk All organisations today are faced with some level of security risk. You should never assume that your organisation is 100% protected at all times. In fact, the deployment of technologies such as Intrusion Detection and monitoring acknowledges that a certain level of suspicious or malicious activity is likely to get through. It also acknowledges that there are internal threats (maybe from disgruntled employees, or simply human error) which have to be countered with skill and imagination. The detection and monitoring systems we refer to are the equivalent of movement detectors inside premises, behind the locked front door. Security risk is also heavily influenced by time. For example, if a new virus is released, for which no patch is available, then the rate of infection is critical. Some organisations will clearly be affected, and it is then a matter of how long it takes for an Anti-Virus fix to be released before this exploit spreads to your network. In such events it is vital that you, or your service provider, have early access to vulnerability data and patches. If you do become affected then it is absolutely critical that you have procedures and people in place to contain the spread and minimise damage as soon as the problem is detected. Real time security monitoring can greatly help in this respect, acting as an early warning system. It is important to recognise that all organisations (at least those with finite budgets) accept some level of risk. Risk is, after all, a trade off between the amount of money you wish to spend on countermeasures, against the perceived level of threat and vulnerability, to protect the estimated value of your assets. The important thing is that risk is identified, and either a) mitigated, b) transferred, c) insured, or d) clearly documented as a risk acceptance. 05

6 Threats All organisations are subject to security threats, which expose their vulnerabilities, and this increases significantly with factors such as their need to do business over the Internet, the profile of the organisation, and the value of their assets. High profile corporations are under constant threat because of the possible infamy associated with security breaches. Even so, it should be understood that any organisation that connects to the Internet is placing it s business at risk if it is not adequately protected by at least firewall and Anti Virus. Key threats to organisations include: Virus, Trojans and Worms SPAM Web Site Defacements Denial of Service Attacks (DoS) Theft of information (e.g. credit card details, source code, biotechnology secrets). A significant proportion of attacks are through viruses and worms, and more insidious planting of Trojan Horses on target systems. These allow hackers to gain remote access to vulnerable systems and recover passwords or confidential information. Spam has become a major problem, not only because it can significantly reduce productivity (with some recent reports showing Spam as up to 40% of traffic), but because Spam can also be used to carry offensive materials and viruses. Anti-Spam techniques are becoming increasingly sophisticated to meet the rising complexity of Spam obfuscation techniques. One of the primary effects of these threats is to compromise availability. The need to communicate and be online 100% of the time is becoming the norm for many companies, and it can be business-critical for organisations such as investment banks, hospitals, and utilities (such as power companies). With downtime for investment banking estimated to cost approximately $6.4m per hour (the US Contingency Planning Association), resilient communications infrastructure is essential. For organisations such as hospitals and utilities it may even be life threatening Virus, worm, denial of service attacks, and web site defacements can all seriously impact availability. These require a considered, integrated, and managed suite of countermeasures, including a defence-in-depth protection strategy, and real-time security monitoring. Constant vigilance If you cannot manage and monitor your network 24x7x365 then you are leaving yourself exposed to significant risk. Security attacks are now becoming so aggressive that real and near real time response is required to avoid serious damage. Up to 30,000 systems were being affected per hour by the BLASTER worm at it s peak during August 2003 (Vnunet). By monitoring in real-time you can potentially identify the prelude of an attack and proactively take defensive actions. Without full-time vigilance your countermeasures could be rendered ineffective should an attack breach your main defences delays of several hours typically mean that the damage is already widespread. To date the damage caused by the code red is estimated at $2.6B. (Computer Economics). Regulation One of the major drivers for security management and risk governance, especially in industries such as global finance and healthcare, is the increasing spectre of regulation. In the finance community for example, regulations already impose significant demands for corporate governance and data protection standards; from bodies such as the Securities and Exchange Commission (SEC) in the US, and the Financial Services Authority (FSA) in the UK. In the UK, the Turnbull Report places company continuity and risk governance firmly on the boardroom table of all companies listed on the London Stock Exchange. And the FSA now expects all listed businesses to demonstrate rigour in their business continuity planning processes and to place a much greater emphasis on testing their effectiveness. On a global level, a great deal of investment in business assurance is linked to the increasing need for financial institutions to control and measure their operational risk. This is important because banks need to meet the requirements of the Basel II accord from the Bank of International Settlements. Basel II is due to come into force as a mandatory requirement at the end of Most financial institutions are not currently compliant with Basel II requirements, though operational risk levels won t have an impact on required capital adequacy ratios until the beginning of But to take advantage of the most favourable calculation methods, banks need to be able to show three years worth of auditable data that demonstrates their commitment to reducing all forms of risk. This includes credit risk, market risk and operational risk. This is driving organisations to put in place effective security and risk monitoring frameworks right now. 06

7 Justifying security spend Return on investment criteria rightly govern most IT investment decisions in large organisations. Security spending has traditionally been viewed as a cost of doing business, but in fact it is an important investment in the on going success of any business we are after all dealing here with the major issues of customer service, customer trust and confidence, and the overall integrity of a business. A recent study by Deloitte, Touch and Tohmatsu of the top 300 global financial institutions, stated that these organisations now regularly spent on average 6% of the IT budgets on security. Having an effective framework for security monitoring, reporting and capturing audit data is a powerful mechanism for justifying security spend. Such a framework will emerge out of a thorough business and risk assessment review, which itself will determine the policies, processes and countermeasures your business needs to deploy in such a way, we can link our security investments to clearly defined business needs. Capturing the audit data is crucial, as it will help us to show the effectiveness and potential weaknesses with existing security countermeasures. Why organisations are moving to managed services There are a number of key reasons why organisations are now moving to, or considering, managed security services: Security is simply not a core function for many organisations, and security spend is often disproportionately high for smaller organisations. Activities such as patch management are tying organisations up in knots Security technology is changing rapidly just keeping up and making the right choices is highly taxing, and making the wrong choice can prove expensive The nature of security threats is becoming a real concern. Attacks are becoming highly sophisticated, whilst at the same time easy-to-use toolkits are being made available for any novice hacker ( script kiddie ) on the Internet Security is not just about technology, you need first class design and operational support in place, all day, and every day. Rigorous processes need to be adopted and consistency and attention to detail are paramount Security management and monitoring is no longer optional, it demands 24x7x365 attention, and this realisation is now forcing companies to rethink their security strategy. Choosing a partner Security is now a mission and business critical function for many organisations. The decision to choose a managed service partner will rest initially on the benefits of outsourcing all or part of your operational and technology risk to a trusted third party provider. Policy and strategy issues can rarely be outsourced, and will invariably remain within the domain of the client. This is nevertheless a strategic decision, so partnerships need to be considered for the long haul (typically 3-5 years). You should select a partner using the following criteria: Experience: choose a partner who can demonstrate a solid track record with blue chip corporations. A provider who can cope with a leading financial institution for example is likely to cope with the most demanding of customers. A provider with a wide client portfolio is also likely to have in depth hands on experience of dealing with tough security problems on a regular basis. In security, experience counts Stability: choose a partner that has a stable financial history and is in business for the long haul. The last thing you need is to be scrambling around for a new partner when you least expect it Independence: choose a partner that itself has global partnerships with best-of-breed technology vendors. Whilst integration is an issue in security it is critical that best-of-breed products are deployed, and currently no single vendor has all the answers. Security is a dynamic field and you need to be sure that you can get rapid access to the best industry solutions available Credibility: choose a partner that has mature security operations centres (SOCs), and has staff that are well qualified. Security is not just about technology, it is about the service behind it Proactive: choose a partner connected to and international body such as FIRST (Forum of Incident Response Teams), and who has strong relationships with technology vendors. You will ultimately benefit from early access to critical security information and patches. By choosing a managed service provider you get access to first class resources, and the burden of technology change is no longer your concern. This leaves organisations free to concentrate on their core business, leaving security in the hands of the experts. 07

8 Conclusions Managed Security Services are now mature, and their providers have built upon more than a decade of experience dealing with security problems at the enterprise level. The main problems in managing security today are predominantly in dealing with complexity, integration, and being able to scale to address the sheer size of the task. Patch management, change control, signature updates, and policy enforcement changes all need to be carried out rigorously, day in day out. Security Monitoring requires 24x7x365 attention, and rigorous incident handling procedures to back this up. Underpinning this is the need for experienced, high quality, security personnel to address the shortfall between the expectations and realities of today s security technology. Managing security is clearly not the core business of most organisations. At the SME level the economies of scale make it untenable, and at the enterprise level the challenges now faced on a day to day basis, make security management challenging for any reasonable duration. Bill Rann BT Global Services About BT BT has an established pedigree in managing complex security problems. Here are some facts about our achievements: The scale and critical nature of BT s operations demand a world-class approach to security: BT serves 10,000 multi-site corporate customers worldwide, of which more than 3,400 are multinational companies operating in two or more countries BT carries 80 per cent of all credit card transactions in the UK as part of an estimated 70bn of funds transferred each day BT manages the data networks for 90 per cent of the major UK financial institutions, payment organisations and credit card companies BT provides the networks that transport other high value financial transactions, such as SettleNET, in The City BT blocks 14 million attempted security incursion attempts every month BT has one of the largest dedicated security practices anywhere in the world. Bill Rann heads BT s security practice, a team of world class specialists providing security and business continuity solutions to customers worldwide. We re here to help create complete business communications. Freefone Offices worldwide The telecommunications services described in this publication are subject to availability and may be modified from time to time. Services and equipment are provided subject to British Telecommunications plc s respective standard terms of contract. Nothing in this publication forms any part of any contract. BT is a trademark of British Telecommunications plc. All third party trademarks and logos are duly acknowledged. British Telecommunications plc Registered office: 81 Newgate Street, London EC1A 7AJ. Registered in England No Designed by Unigraph Ltd D PHME 45890/05/04