How To Secure An Enterprise From Hackers

Transcription

1 INSIDESSS January 2015 Enterprise Security in Transition Page 2 Securing the Enterprise Today Page 5 Don t Forget the Mainframe Page 8 Enterprise Security Effective Compliance Monitoring and SIEM Page 11 & the Mainframe: A Holistic Approach UBM LLC. All Rights Reserved. SPONSORED BY

2 Enterprise Security in Transition A nyone who follows the news knows that enterprise data breaches have become increasingly massive and commonplace. The late 2014 breach of JPMorgan Chase exposed personally identifiable information (PII) of more than 76 million households and 8 million small businesses. This was a major wakeup call, as banking is a sector known for much more stringent security than other industries, including the large retail institutions, that have been targeted. The list of breached institutions grows every week and includes security-conscious government agencies, military contractors, and even IT security firms. Ten years ago security breaches were mostly widespread nuisances 2 SSS UBM Tech

3 Enterprise Security in Transition perpetrated by young script kiddies out for notoriety. Today, they are targeted, sophisticated, and highly damaging. Most are perpetrated by well-funded elements of organized crime, foreign governments, and terrorist groups out for money and a competitive edge. Newer advanced persistent threats (APTs) can penetrate a single victim s network and secretly remain there for months or years, stealing large volumes of valuable proprietary or private customer information. These attacks are increasingly costly as well. After a major breach, the victim organization often must devote precious resources to monitoring thousands of customers for identity theft and deal with compliance fines and lawsuits, as well as loss of customers and even competitive advantage. The average cost of a data breach to a company is $3.5 million, according to a Ponemon Institute estimate. 1 Protecting organizations from these attacks has also become increasingly problematic. Signature-based anti-malware, firewall, and other security solutions are largely defenseless against the social engineering and sophisticated zero-day attack strategies that hackers use today. The Internet, the cloud, mobile devices, and bring-your-own-device programs have slashed the effectiveness of traditional perimeter solutions such as firewalls and intrusion prevention systems. The perimeter no longer exists. Today, enterprise security is only effective if it focuses on each individual system, network, device, data repository, user, and other points of possible attack. Organizations have scrambled to stay on top of these issues, but, unfortunately, they often neglect one essential enterprise system: the mainframe. While many large securityconscious organizations focus on Internet, server, mobile, and endpoint security, they often fail to notice how much of their missioncritical data is stored on mainframes, especially if mainframe systems have been on the organizational network for decades. A survey $3.5 million The average cost of a data breach to a company Ponemon Institute estimate by Arcati of organizations worldwide with mainframe systems found that 45% had more than half of their data stored on mainframes. 2 Much of this data is likely mission critical. Arcati is a UK-based research and publishing service for the enterprise data center community. The vastly superior scalability and performance of the mainframe has often left it 3 SSS UBM Tech January 2015

4 Enterprise Security in Transition isolated from distributed computing in many organizations, with little integration of security between the two types of systems. The mainframe is often perceived as an isolated environment protected from the disorder and vulnerabilities of mainstream desktops, tablets, laptops, and servers. However, in many cases, sensitive data stored on the mainframe is readily accessible to employees, partners, and customers over the same Internet connections as other network systems. Mainframe security features protecting content often aren t as granular as those of other systems, and mainframes can be repositories for hundreds or thousands of defunct identities, including privileged system programming IDs that predate initial cleanups and nonhuman identities, such as started task and production batch IDs. p The Grim Data on Data Breaches Take a look at the data on data breaches and it s clear the news is grim. Verizon s 2014 Data Breach Investigations Report highlighted 1,367 breaches for 2013 alone, spanning 95 countries. 3 The financial, public, and retail sectors were the biggest victims by far of data loss from breaches, according to the Verizon report; all three are large mainframe users. According to the Ponemon Institute s 2014 Cost of Data Breach Study: Global Analysis, the average total cost of a data breach increased 15% from the previous year to $3.5 million; in the United States the average total cost of a data breach hit $5.85 million in this year s study. 4 The amount paid globally for each lost or stolen record containing confidential or sensitive information increased more than 6% from $136 to $145 in the past two years. The U.S. had the highest cost per record at $201 and the highest average number of exposed or compromised records per breach at 29,087. Data breaches, according to the Verizon report, were largely perpetrated by external agents, both in numbers and percentages, rather than employees and partners. The most common motive was financial gain, but espionage has risen steadily in the past three years, with hacking the primary methodology. With much of the attention on user device security lately, it s interesting to note that the highest percentage of breaches targeted servers, including mainframes. Similarly, InformationWeek s 2014 Strategic Security Survey revealed that 77% of the 536 respondents who believed their organizations were more vulnerable to attack than a year ago said the sophistication of attacks is increasing. 5 Sixty-six percent of those respondents said there were more ways than ever to attack a corporate network, and 40% had budget constraints holding them back. Cyber criminals represented the top threat, ahead of authorized users and employees and application vulnerabilities, according to the survey. It s clear that attackers are getting better at what they do, and organizations are playing catchup with them. However, an ongoing shift in focus from legacy perimeter security to a comprehensive, in-depth, enterprise-wide focus on identity, access control, big-data analysis, and improved forensics should help stem the tide. 4 SSS UBM Tech October 2014

5 Securing the Enterprise Today For an enterprise to effectively secure its systems, it must have a multilayered, defense-in-depth strategy that includes four key areas: 1 Identity Management With employees, partners, suppliers, and customers accessing sensitive data from multiple devices, identity has become the new perimeter. In order to protect sensitive information from hackers, companies must positively identify every user and device requesting access to their systems and data. For a long time user IDs and passwords were the key to identifying users, but in the past five years passwords alone have proven vulnerable to social engineering and relatively simple hacking techniques, not to mention the careless password 5 SSS UBM Tech

6 Securing the Enterprise Today habits of users. Scores of recent high-profile security breaches have been successful using easily stolen passwords. A successful identity management scheme must be implemented enterprise-wide and include effective management, where users can be easily added and deleted as they come, go, and change roles within the organization. Obsolete and redundant IDs are easy targets for hackers seeking to breach a network. 2 Access Control Hand in hand with identity management is controlling access to content. Access control must be granular, role based, and continually updated to ensure that only the right people have access to each piece of content in the organization. This requires a lot of content awareness on the part of both the enterprise and the applications that control content access. It requires consistent content controls across systems and the organization; inconsistent policies increase risk and invite disaster. 3 Data Loss Prevention (DLP) In addition to controlling access to sensitive content, steps must be taken to ensure that sensitive content doesn t leave the organization in company and personal s, Twitter and other social media postings, and other ways that it could end up in the wrong hands. DLP has become more complex in the past several years, as the amount of both structured and unstructured content has grown exponentially and may appear in many different places, including backups, big-data warehouses, software testing platforms, endpoint devices such as smartphones and tablets, and anywhere in transit. The first task is to identify every possible repository of sensitive information, ideally using a programmatic method of scanning and classifying data based on the content itself. Effective content identification is key, since compliance fines can result if sensitive, personally identifiable information, credit card, health, or other data is exposed, either intentionally or unintentionally. 6 SSS UBM Tech January 2015

7 Securing the Enterprise Today A DLP strategy must work across all systems and end-user devices, and should be intelligent, granular, and content aware. 4 Security and Vulnerability Management Staying secure and compliant with numerous federal, state, internal, and foreign regulations including Sarbanes Oxley, PCI, and HIPAA can take up significant resources in a large organization. A solid, enterprise-wide compliance strategy and set of management tools are essential to ensure an organization remains compliant and can prepare for audits quickly without tremendous budget and resource expenditures. Ideally, security, compliance, and vulnerability management solutions must include fulltime monitoring of, and reporting on, all enterprise systems that hold sensitive data. They should have change detection capabilities and alerts that let organizations catch compliance issues early, as well as advanced real-time analytics that can detect unusual activity that may indicate a breach. Monitoring can ensure that an organization has a forensic record for tracing the root cause of any security breach so it can be addressed. Vulnerability and exposure detection and prevention are essential to detecting data breaches early on or, even better, before they happen. p 7 SSS UBM Tech January 2015

8 Don t Forget the Mainframe The enterprise tools being used to address security needs tend to be geared for distributed systems and endpoint devices running Windows, Linux, Apple Macintosh and ios, and Google Android, but not so much for legacy mainframe systems. Organizations that rely on IBM mainframes running z/os, z/vm, and perhaps even z/vse, as well as other operating systems, should not assume these systems are so isolated, robust, and protected that they don t have to be secured as well. Mainframe systems are just as vulnerable to attack from the Internet and mobile devices as their distributed brethren and must be protected with all of the security functions and concerns mentioned above. 8 SSS UBM Tech October 2014

9 Don t Forget the Mainframe To minimize complexity, cost, and the probability of errors and security vulnerabilities, mainframe identity management, access control, compliance, DLP, and other security functions must be integrated and up to par with those of distributed systems and endpoint devices. This is particularly important at a time when many of the IT folks who have worked with mainframes for years are retiring. Only a single enterprise-wide strategy that touches all systems equivalently, including the mainframe, will ensure that enterprises don t miss any vulnerabilities or develop new security gaps. It s the Content, Stupid Instead of starting from the edge, content security should start with powerful tools and strategies at the core, which includes the mainframe in many organizations. Unfortunately, the granular content awareness that distributed DLP and access control tools use are particularly lacking for mainframes, which tend to use legacy systems and content strategies based on object names rather than actual content. Companies must recognize that the objectbased protection model for mainframes is obsolete. Mainframe content, not object names, must be identified and granularly protected just as it is on distributed systems. That means that an enterprise must use tools that can analyze and categorize all enterprise data including information stored and addressed on the mainframe with the same types of classification, policies, and reporting. This approach includes identifying all customer, personally identifiable, proprietary, health, and any other data that requires regulation and access control. It also means using not just access control but the same types of granular DLP tools available for distributed systems, as authorized users can easily FTP information from the mainframe to another location. Identity Management and Access Control Effective mainframe identity management and access control are essential for addressing advanced persistent threats and other types of advanced data security breaches. Unfortunately, mainframes have been used in many organizations for decades without effective ID management techniques and cleanup strategies. The result is that many still have hundreds or thousands of obsolete user IDs just waiting 9 SSS UBM Tech January 2015

10 10 SSS UBM Tech Don t Forget the Mainframe to be exploited by clever hackers and sophisticated ID exploitation techniques. The key to mainframe ID management and access control is integration with robust and standardized enterprise-wide identity management strategies and systems. This means LDAP integration in particular, so any identity and role changes can be deployed enterprise-wide. Integration must apply across all mainframe systems and tools as well, and take advantage of all operating system releases and their functions and features. To be truly effective, identity monitoring and cleanup must be intelligent, automated, and continuous and include cleanup of process IDs and non-employees, such as vendors, partners, contractors, and consultants. Tools for onboarding new users must be tightly integrated across mainframe and distributed systems. Users that are not authorized to access sensitive data such as PCI data shouldn t be able to access it, regardless of which file it resides in. Access control should integrate tightly with that of distributed systems, using a consistent set of policies and permissions based on actual distributed and mainframe content and data type, not files and object names. p Mainframe Security Checklist Identity management Integration with enterprise identity management systems via LDAP Effective, continuous on-boarding and off-boarding Ongoing monitoring of identities to detect and eliminate obsolete ones early Include IDs of vendors, partners, suppliers, and consultants Data access control Content, not object, aware Content categorization Role based Integrated with rest of enterprise content access policies Data loss prevention Content, not object, aware Content categorization Integrated with enterprise DLP policies Aimed at FTP and other avenues through which content can leave mainframes Compliance monitoring and reporting Continuous, automated monitoring of changes, access, and failed access User identification for each event Service stops and starts Reporting and forensics integrated with rest of enterprise systems Flexible configuration of alerts to questionable events Granular separation of administrative duties Ongoing vulnerability and exposure monitoring and detection Intuitive Web-based management interfaces Ease of use, installation, and configuration

11 Effective Compliance Monitoring and SIEM As with distributed systems, mainframe Security Information and Event Management (SIEM) and compliance monitoring must be ongoing, automated, repeatable, comprehensive, and provide proof that controls are not just in place but work the way they are meant to. SIEM solutions must keep a record of all interactions and data access events, including the identity of each user accessing information, as well as service stops and starts, failed accesses, and user roles and changes. To provide adequate forensic information for data breach root-cause analysis, all events should be logged and subjected to extensive analysis and reporting. With its massive scalability and processing power, the January SSS UBM Tech

12 Effective Compliance Monitoring and SIEM mainframe makes an ideal platform for enterprise-wide SIEM and security analytics. Since root-cause analysis is likely to span many different types of systems, mainframe compliance solutions must integrate easily with compliance tools monitoring distributed systems. Tools should also let administrators configure useful, flexible, real-time alerts to any changes or suspicious activity and allow granular separation of administrative duties so functions such as setting up user accounts are separated from pure security configuration functions. Hackers are always looking to take advantage of vulnerabilities from installation, configuration, customization, system, and application errors, so any mainframe security strategy should include tools that provide ongoing detection of security vulnerabilities and exposures. Finally, Web-based, intuitive interfaces, rather than the arcane command lines of the past, will help ease the transition to a new generation of administrators who were not raised on mainframe administration, and lower administrative costs and resource requirements. Such interfaces also provide secure remote access from PCs, laptops, and even tablets. Tools used should employ features that simplify installation, deployment, and maintenance. They should be designed to secure the mainframe environment in the context of the rest of the enterprise while remaining flexible and empowering necessary collaboration among employees, partners, suppliers, and customers. Tools that are integrated and consolidated will conserve resources and IT budgets, providing more time for business innovation. Organizations looking to prevent advanced threats and data breaches need a comprehensive, in-depth security strategy and toolset to defend against Mainframe Security in the Enterprise: The CA Technologies Approach For organizations seeking a comprehensive, integrated approach to mainframe security, CA Technologies is a natural choice. Long known as one of the few seasoned players in both mainframe and distributed systems management and security, CA Technologies has spent years honing its solutions in both realms to address today s sophisticated advanced persistent threats, as well as perfecting integration among its mainframe and distributed security tools. The company offers integrated solutions in all mainframe security categories, including identity management and cleanup, content-based access control, and monitoring and compliance. To understand how CA Technologies can help you protect your mainframe and enterprise, check out CA s Securecenter. 12 SSS UBM Tech December 2014

13 Effective Compliance Monitoring and SIEM today s attack strategies. They must address not only the distributed systems and devices that enterprises and users know and love but also the mainframes at the core of sensitive data storage systems. In order to be effective, mainframe security must have the same goals and capabilities as the distributed systems with which they interact, and the security tools must integrate and work together across the enterprise. With a solid set of integrated mainframe security tools, businesses will be better positioned to prevent and address the massive data breaches that have brought large retailers and, more recently, global banking institutions to their knees. p Click To Tweet 1. Ponemon Institute, LLC, 2014 Cost of Data Breach Study: Global Analysis, sponsored by IBM, May Arcati Limited, Arcati Mainframe Yearbook 2014, The 2014 Mainframe User Survey, Verizon, 2014 Data Breach Investigations Report, Ponemon Institute, LLC. 5. Michael A. Davis, 2014 Strategic Security Survey, InformationWeek, May 2014 About CA CA Technologies (NASDAQ: CA) creates software that fuels transformation for companies and enables them to seize the opportunities of the application economy. Software is at the heart of every business, in every industry. From planning to development to management and security, CA Technologies is working with companies worldwide to change the way we live, transact, and communicate. CA Technologies software and solutions help our customers drive enterprise-wide productivity, offer differentiated user experiences, and open new growth opportunities. And, we are able to deliver this value across multiple environments mobile, private and public cloud, distributed, and mainframe. Our goal is to be recognized by our customers as their critical partner in the new application economy. For more information, please visit 13 SSS UBM Tech January 2015