INNOVATIVE APPROACHES TO MANAGING NETWORK RISK AND THREATS TO INFORMATION

Transcription

1 Safe INNOVATIVE APPROACHES TO House SITUATION MANAGING NETWORK RISK AND THREATS TO INFORMATION PROVISIONING NETWORK security today amidst the ever-present if not mounting threat to information is both a challenge and a conundrum. Given the business-critical personality of corporate data and the plethora of threats to it, the challenge is obvious. The conundrum arises from the fact that if adequate money is spent on a well-planned, endto-end security solution, nothing happens. There are no security breaches, no denials of service, and no unwelcome visitors prowling around data stores. While security is strategic and essential, it is not a core competence in many organizations. Given their druthers, corporate executives would rather see valuable IT staff talent directed at building and enriching systems that contribute directly to the business, increasing revenues, or enabling new ventures. Many, if not most, organizations have not budgeted accurately for security, notes Christopher T. Baumrucker, principal architect with Callisma Inc., an SBC company, and provider of SBC PremierSERV SM Consulting Services. Security spending is viewed widely as a cost period. And often unless there is a clear track record of problems, it is hard to get money for secu- Meeting and Beating the Network Security Threat Deployable Solutions Security requirements factor the needs of business units, regulations & best practices Network design is driven by the demands of the business it must be adaptable & secure Holistic security is integral to the network, not bolted on Network Security Challenges Security Management Users demand a consistent authentication experience Security expertise is scarce & expensive Security & network personnel are not always in sync Prevention/Protection You cannot protect apps & data without securing the network Patchwork security creates vulnerabilities that are difficult to identify Full cycle security is required: assess, detect, respond & prevent ANALYSIS: As CIO, it is your responsibility to articulate to senior management the true business value of investing in an end-to-end information security strategy. After all, you, more than anyone else, are best positioned to appraise the value of the information you need to protect, information that could prove extremely costly if it gets into the wrong hands. But as CIO, you are also acutely aware of today's IT budgetary realities. And those realities mean that very few companies today can meet the information security challenge on their own. Fortunately, there is plenty of help, as this special white paper will show. 1

2 rity staff and other security spending needs. Part of the challenge of getting senior management to spend adequately on security lies in the nature of information itself. As security experts attest, information is perhaps the only corporate asset that has two values: one when you have it and another when someone else like a hacker has it. All too often managers don t pay enough attention to security needs until after some damage is done, says Dustin Dykes, a senior analyst at Callisma. Organizations have got to get out of reactionary mode and into a more proactive state where managed security services come into play. You have to take a good look at the security services providers. They have tremendous knowledge of discrete security challenges. And they have great information on how you can get back up and running when there is a problem. Looking sharp at Astaris Astute, forward-thinking companies seeking to secure vital data while directing valuable IT resources toward strategic projects are heeding the advice of Dykes and others. At St. Louis-based Astaris LLC, a leading supplier of phosphorus chemicals, the mission of the IT organization is to be an integral if not strategic part of the organization, not simply perceived as a cost center. We strive to enable our business efforts by giving managers exactly the data they need, and to help connect with our partners and customers in the most meaningful ways, says Charles Mitchell, IT director of operations and support. So our staff has to know the business processes as well as anyone. To accomplish such a lofty goal, Mitchell s team needs to be free from the shackles of IT routine in order to focus on strategic projects. That means outsourcing the parts of IT operations that, while vital, are not considered integral to the company s core businesses. Continued on page 3 > > > > Outsource This Q&A WITH SECURITY EVANGELIST BRENT HUSTON Brent Huston is CEO and security evangelist of Microsolved Inc. The Columbus, Ohio-based company provides security consulting to organizations that own and operate some of the largest networks in the world, as well as networks with some of the most sensitive data online. Q: What are the important changes/trends in intrusion detection systems (IDS) that have taken place recently? The move to consolidate information such as alerts and trends and filtering that data through software is certainly big. This has led to IDS implementations that have begun to produce action item data instead of the many false positives that plagued IDS for so long. Many organizations are now correlating their IDS alerts with vulnerability assessment data and are able to create prioritization of the output! That makes for a much more usable set of data from the IDS and helps keep security teams focused on the real issues, while minimizing the time and resources they spend chasing ghosts. I believe that such timely and accurate information is the only way that IDS tools achieve any kind of ROI. Their history, as a family of tools, has certainly been shady at best when looked at through the lens of ROI. Q: What are the pros and cons of outsourcing IDS services? This is probably the most common question I get asked about IDS and the answer is pretty complex. IDS outsourcing done properly makes for a wonderfully useful security tool, but on the other hand, IDS outsourcing done wrong can be a painful, costly, frustrating, and maybe even dangerous undertaking. The best advice is to first choose the right vendor. Do the hard work in this regard by checking references, and search the Internet for customer experiences. Then, use good contracts. Make sure the SLA [service-level agreement] establishes the parameters of your expected performance and that the agreement outlines penalties for noncompliance with those terms. The positive aspects of outsourcing IDS include the following: Organizations don t have to build expertise in-house for the management and operation of the IDS deployment Hopefully, the provider is doing the filtering and turning the output into action item data (this is the really Continued on page 3 > > > > 2

3 Safe Continued from page 2 Astaris turned to SBC companies for a variety of security and network services, including network security and firewall support, as well as other data services. Cost, as well as the ability to group several services with one provider, were the chief drivers for going with the SBC family of companies. Value greater than pure cost But cost will only go so far in this world, notes Mitchell. What s the value of a low price on network security if you get hacked? We have found SBC companies to be very reliable, very dependable. We are treated like a company 20 times our size. We get our problems resolved very quickly, and by highly qualified individuals. But perhaps the biggest benefit of these managed services is the ability of Mitchell and his staff to focus their resources directly on improving the business of Astaris, cementing the idea that IT at Astaris is truly strategic. We re not focused on fire fighting, concludes Mitchell. We re providing real value to the business. According to Callisma s Dykes, companies such as Astaris have discovered that managed security services can and do provide an improved security posture at a reduced total cost of ownership. The advantages offered by security service providers include: Round-the-clock monitoring, which is often beyond the means of all but the largest of enterprises A holistic view of the client s needs with respect to global security trends A built-in workaround to the fiefdoms and internal politics that can get in the way of adequate security provisioning Economies of scale Invaluable experience gained by working with multiple clients across a variety of business types and vertical markets Freeing up internal IT staff to Huston Continued from page 2 hard part of managing IDS) Organizations don t have to maintain monitoring staff to watch the IDS consoles But the downside of outsourcing IDS can be: Many vendors are not doing IDS right or even well Many vendors miss alerts that may be important to the organization Alerting must be clearly defined, or it often fails to work as desired Q: When might it make sense to outsource firewall management? The best answer is when an organization does not want to build and maintain the expertise to manage the firewall(s) in-house. The other time it makes sense is when firewall management would fall under the same person who manages the network. This specific issue is often viewed as an audit finding waiting to happen. Many auditors want to see firewall and security tool management separated from the network management folks kind of a someone is watching the watchers approach. Firewall monitoring and management has come a long way in the last couple of years. It has stabilized and is becoming more affordable and producing better deliverables for customers. Just like IDS, though, you have to carefully research the vendors involved and use good, clear contracts that establish your expectations and provide penalties for noncompliance. Q: Given the importance of looking at security holistically or as an end-to-end solution rather than a series of spot solutions, how does a selective outsourcing strategy fit in? Outsourcing just makes sense. No one can be good at everything. It makes sense to outsource the time- and resource-heavy pieces to companies that can leverage the same process and expertise across many organizations. Ultimately, the ROI for these outsourcing arrangements is that you don t have to carry the staff and maintain their currency with attack trends and such a very expensive undertaking for a medium-sized staff. Q: With all the changes that have impacted telecom security services providers in recent years, what characteristics should users seek in a vendor when considering a partner to whom they may outsource security services? The most important and compelling thing to remember is that the right vendors are out there. Don t be afraid to ask for sanitized deliverables as examples. Vendors should be able to provide you with detailed methodologies for how they handle security incidents and how their notification processes work. You should also ask them how they have their networks audited and tested for security issues. If a company is storing some of your most sensitive data, they should have a response and detailed explanation of the steps they take to safeguard your information from attackers. So the bottom line is, ask questions, listen to their answers, and verify what they say to be true by talking to their clients as provided by them and by asking online about client experiences. You may just find a great partner, or save yourself from a nightmare. 3

4 Losses by Type of Computer Security Incident Total Losses for 2004 $141,496,560 Sabotage $871,000 System penetration $901,500 Web site defacement $958,100 Misuse of public Web application $2,747,000 Telecom fraud $3,997,500 Unauthorized access $4,278,205 Laptop theft $6,734,500 Financial fraud $7,670,500 Abuse of wireless network $10,159,250 Insider Net abuse $10,601,055 Theft of proprietary info $11,460,000 Denial of service $26,064,050 $55,053,900 Virus 0 10M 20M 30M 40M 50M 60M The actual losses sustained are higher, possibly twice as high, because the CSI/FBI survey also found that nearly 50% of security breaches went unreported, largely out of fear of public reaction. CSI/FBI 2004 Computer Crime and Security Survey Source: Computer Security Institute 2004: 494 respondents focus on strategic projects A time- and experience-tested set of security best practices Security service providers have also proven to be a wellspring of innovation. For example, in the area of intrusion detection systems (IDS), some providers are making significant strides not only to detect intrusions but to actually prevent them before they happen. Let s face it, once the bad guys are in, they can do a lot of damage even before they are detected, says Baumrucker. First Victoria National Bank Three years ago one innovative and venerable bank put its faith and trust in the hands of a service provider, and has never looked back. True to the independent spirit that characterizes Texas, the Victoria-based First Victoria National Bank (FVNB) first opened its doors in 1867, and still operates as an independent bank. With 10 branches in the state, the $825 million bank has essentially the same data security needs as do its big city cousins. What the bank doesn t have is a city-sized IT staff. One key piece of FVNB s security strategy is its IDS to keep the bad guys away from vital bank data. The bank s lone network engineer could not focus solely on security because his duties also included overall network administration and monitoring, as well as building out the network to accommodate growth. And with growth being a key element of FVNB s efforts, the bank couldn t afford to overlook important security elements, such as its IDS. We looked outside for help and found we had plenty of choices for security assistance, says Steve Tarro, senior vice president/data services manager and the person ultimately responsible for virtually any IT matter at the bank. We had a preexisting relationship with SBC companies, including provisioning our data lines and phone lines. We really liked what they proposed for our IDS. For one thing, SBC companies operated throughout all areas where Victoria Bank is likely to expand. For another, Tarro really liked what he saw about the security staff at the SBC family of companies. It s just a very strong staff, and it includes a lot of former military folks with significant experience securing sensitive systems, Tarro recalls. They were all high-level professionals that deal exclusively with the intrusion detection issue. How well has the SBC companies IDS worked out for the bank since its installation? For one thing, the system completely thwarted the intentional intrusion efforts of a vendor the bank hired to try to penetrate the IDS. The IDS shut them down hard, says Tarro. In addition to keeping the data thugs at bay, the SBC companies IDS services also free up Tarro s lean-and-mean IT staff to focus on more strategic work. The staff doesn t have to bother with IDS logs. Instead, they view simple reports on an exception basis, responding to those security items that require action, but not the small stuff, says Tarro. The bank also outsources its firewall services to the SBC family of companies, which the firm got up and running within weeks of being selected for the job, he adds. 4

5 Americas and Worldwide Security Service Spending Forecast ($M) CAGR (%) Americas 20.2 Worldwide ,000 10,000 15,000 20,000 25,000 30,000 Source: IDC, 2004 Convergence ups the ante For user organizations like Victoria National Bank and others, one of today s realities is the impact of convergence on the network. After being talked about for years, convergence or the melding of voice and data networks into a cohesive entity is fast becoming reality. As a result, companies have to scrutinize security strategies more closely than ever because a network failure caused by a major security breach would impact operations to a catastrophic degree, given the pervasiveness of the network. If a worm or hacker takes down the data network, it can take down a lot more, such as the network that controls building operations, for example, notes Callisma s Dykes. This can create real safety issues initially, and possibly significant liability issues down the road. Non-IT executives need to see security in this kind of light today. But before committing to any comprehensive security plan, it is missionessential to first come to some agreement and understanding internally about the value of the data and information an organization is trying to protect. You ve got to arrive at a way of estimating the full value of information assets, then spend accordingly to protect them, advises Baumrucker. One problem, however, is that internal politics and fiefdoms can sometimes cloud this process. For that reason, some companies have begun working with security services providers to assist in this value appraisal process. You need some checks and balances in virtually all aspects of security-related work, says Dykes. Managed service providers don t come in with any political agendas. They just want to get the job done and keep the customer happy. A changed regulatory environment If there is one factor in today s business environment that is forcing business executives to take a closer look at information security, it is the changes in the regulatory climate. Federal information and privacy mandates such as the Patriot Act, Sarbanes-Oxley, the Health Insurance Portability and Accountability Act (HIPAA), and others demand that information resources meet certain minimum standards both to protect personal information and to keep businesses fully accountable to the public and to regulators. These kinds of regulations have pushed security into the boardroom, notes Baumrucker. Few organizations have much breadth of experience in dealing with the complexity of these requirements. But service providers have been dealing with them a lot, and their experience can be brought to bear on developing the most cost-efficient means of dealing with these regulations while not imposing heavily on internal IT staff. Ultimately, each organization must set its own security course in what is arguably the most dynamic business environment ever. If nothing else, service providers such as SBC companies can knock off as much as onethird of the cost users would pay if they handled all security matters internally, given the costs of buying hardware, maintaining software, and training and supporting a security staff. But beyond pure expense, users such as Victoria Bank and Astaris have found a silver lining to outsourcing security, and that has been the freeing up of vital staff to focus on advancing the business securely. This document is the property of SBC Communications and/or its affiliates, is confidential, and is intended solely for internal use. Any other use of this document, including retention, dissemination, forwarding, printing, or copying, is strictly prohibited. 5