Intelligent enterprise IT security: Lessons from David vs Goliath
By Prakash Panjwani
Malcolm Gladwell, famous for his New Yorker articles and now iconic book The Tipping Point, released a book last fall titled David and Goliath. The book is primarily about underdogs and why they succeed in business and other walks of life. It is a great read and one I highly recommend. A key lesson from the book, which Gladwell outlines in a TED talk, is how David triumphs over Goliath. He does so because he is a planner and has gleaned a wealth of knowledge from his experiences as a shepherd, which he uses against the brute strength of his giant opponent.
The story of David and Goliath holds several lessons for information security today. Go back in time just a few years and look at the checklist of a typical enterprise IT security professional. It might have looked something like this:
- Install anti-virus software on all client machines
- For remote access employees, deploy a VPN to provide a secure tunnel for users (in most cases, a username and password were considered sufficient to identify the user)
- Install firewalls to protect the company network from intrusions
- Install content and URL filtering software to make sure employees don’t visit websites that could be potentially harmful to the company’s network or machines
- Install disk encryption on client machines because employees can’t always be fully trusted to take care of their laptops
What about data centers? They were physically secured, so there was no need to worry about them. Besides, they sat behind the same security infrastructure as the rest of the enterprise (firewalls and so on).
This approach made a lot of sense at the time. What else could go wrong?! Security vendors didn't help matters by speaking the same lingo, and industry analysts created a nomenclature that fit neatly around each of the categories above.
Well, a lot has changed since then, and so have the attackers. Blunted by the Goliath-like strength of corporate perimeter defenses, they adopted a David-like approach: they got smart and went after the specific information they wanted rather than the network as a whole. If the goal is a file containing credit card numbers, why not go straight for that file instead of mounting a generic attack? It was the perfect response. It is now time for the enterprise IT security manager to take steps not too dissimilar from those of the attackers and apply Intelligent Security.
What does Intelligent Security entail? It requires a thoughtful approach. First, what are people most after? The data. Second, where does most sensitive data sit? Data centers, of course. What should your Intelligent Security be built around? Protecting data in the data centers, whether it is stored on dedicated servers or in a virtualized cloud configuration. Third, who is accessing the data? Employees, contractors, vendors, and partners. The list goes on and on. An Intelligent Security strategy involves quite a few of these things, and they are all interconnected.
Let’s review each aspect of this strategy.
Threat Intelligence:
Broad phishing campaigns have given way to Advanced Persistent Threats (APTs), in which attackers combine many techniques, including social engineering and spear phishing, to mount extremely targeted attacks against the specific individuals who have access to the sensitive data they are after. Deploying solutions that detect such attacks is an essential part of any security strategy, but an Intelligent Security strategy also requires that clear actions be defined for what happens when a detection fires. Look at one of the most famous breaches of all time, the Target breach: the company had systems that detected the intrusion, but the alerts were not acted on. Threat intelligence is only as good as the actionable intelligence that can be derived from it. Rick Holland of Forrester has a very good blog post on this subject.
Data Value Intelligence:
This may be the hardest part of an Intelligent Security strategy. IT security professionals must understand which data the enterprise considers most sensitive, and the policies that govern its access, usage and storage. Threat intelligence can feed data value intelligence in turn: if certain applications or data sets within the enterprise are constantly being attacked, chances are they are sensitive and important.
User Access Intelligence:
Once you know which data is important, the next element of an Intelligent Security strategy is deploying solutions that tightly govern access to it. This involves strong, multi-factor authentication, special management of privileged users (system admins, executives and so on), and audit trails that show who accessed what. A great example of intelligent access security is context-based authentication: the ability to determine who is accessing information, from which system, when, and under what circumstances. Such intelligence can, for example, surface insider threats. If a system admin is accessing financial data from an ERP system on an unauthorized public machine, would your access policy flag that as a threat?
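The check in that last question, written out as a small policy engine. This is an added example, not code from the article or from any product it mentions. It judges a request on who is asking (role, privileged or not), what is asked for (data sensitivity), from where (managed device, corporate network) and when (business hours), and returns the decision together with the reasons that make up the audit record. The dataset names, roles, the 10.0.0.0/8 corporate range and the business-hours window are all assumptions for the example.

```python
"""Context-based access decision for sensitive data (added illustration).

Not the article's code. Dataset names, roles, the corporate IP range and
the business-hours window below are assumptions made for the example.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from ipaddress import ip_address, ip_network


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"  # grant only after strong multi-factor authentication
    DENY = "deny"


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    dataset: str
    device_managed: bool  # corporate-managed endpoint, or an unknown/public machine
    mfa_verified: bool
    source_ip: str
    when: str  # ISO-8601 timestamp with UTC offset, e.g. "2014-05-06T14:00:00+00:00"


# Assumed policy data: roles entitled to each dataset, and its sensitivity.
ENTITLEMENTS = {
    "erp.financials": ({"finance", "executive"}, "restricted"),
    "wiki.engineering": ({"engineering", "sysadmin", "executive"}, "internal"),
}
PRIVILEGED_ROLES = {"sysadmin", "executive"}
CORPORATE_NETS = [ip_network("10.0.0.0/8")]  # assumed corporate address space
BUSINESS_HOURS = range(7, 20)  # 07:00 to 19:59 UTC


def _on_corporate_network(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def evaluate(req: AccessRequest) -> tuple[Decision, list[str]]:
    """Return (decision, reasons); the reasons become the audit trail."""
    entry = ENTITLEMENTS.get(req.dataset)
    if entry is None:
        # Fail closed: data nobody has classified is treated as restricted.
        return Decision.DENY, [f"dataset {req.dataset} is unclassified"]
    roles, sensitivity = entry

    # Entitlement comes first. A sysadmin may run the ERP server without
    # being entitled to read the financial data it holds.
    if req.role not in roles:
        reasons = [f"role {req.role} is not entitled to {req.dataset}"]
        if req.role in PRIVILEGED_ROLES and not req.device_managed:
            reasons.append("privileged user on unmanaged device: possible insider threat")
        return Decision.DENY, reasons

    if sensitivity != "restricted":
        return Decision.ALLOW, ["internal data, entitled role"]

    # Restricted data: every contextual signal that looks wrong adds risk.
    risk, reasons = 0, []
    if not req.device_managed:
        risk += 2
        reasons.append("unmanaged device")
    if not _on_corporate_network(req.source_ip):
        risk += 1
        reasons.append(f"source {req.source_ip} outside corporate network")
    if datetime.fromisoformat(req.when).astimezone(timezone.utc).hour not in BUSINESS_HOURS:
        risk += 1
        reasons.append("outside business hours")
    if req.role in PRIVILEGED_ROLES:
        risk += 1
        reasons.append("privileged role")

    if risk >= 3:
        reasons.append("too many anomalous signals for restricted data")
        return Decision.DENY, reasons
    if not req.mfa_verified:
        reasons.append("restricted data requires multi-factor authentication")
        return Decision.STEP_UP, reasons
    reasons.append("restricted data, context acceptable, MFA verified")
    return Decision.ALLOW, reasons


def audit_record(req: AccessRequest, decision: Decision, reasons: list[str]) -> str:
    """One JSON line per decision, suitable for a SIEM or log pipeline."""
    return json.dumps({"time": req.when, "user": req.user, "role": req.role,
                       "dataset": req.dataset, "source_ip": req.source_ip,
                       "device_managed": req.device_managed,
                       "decision": decision.value, "reasons": reasons}, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample: the article's sysadmin reading ERP financials from a public machine.
    req = AccessRequest("alice", "sysadmin", "erp.financials", False, False,
                        "203.0.113.5", "2014-05-06T14:00:00+00:00")
    print(audit_record(req, *evaluate(req)))
```

The order of checks is the point: entitlement is decided before context, so a privileged account that is simply not entitled to the data is denied regardless of how it connects, and the combination of a privileged role and an unmanaged device is recorded as a separate signal for the security team. Context then raises the bar for entitled users (step-up MFA, or denial when several signals look wrong at once), and every outcome is written to the audit trail with its reasons.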
Encryption Intelligence:
This is the core of a solid Intelligent Security strategy; you might even call it the last line of defense. Persistent encryption of sensitive data, whether at rest or in transit, is essential. If threat and user access intelligence fail and someone unauthorized gets hold of the data, you can limit the damage by making sure it is encrypted. Intelligent encryption, however, requires more than choosing an encryption product. It requires comprehensive Crypto Management, a collective term for the policies governing how keys are generated, distributed, used and rotated, and for the vaulting of root keys. Many encryption deployments fail for lack of strong Crypto Management. The recent Heartbleed vulnerability in OpenSSL is a good example. A missing bounds check in the TLS heartbeat extension let a remote attacker read chunks of the server process's memory, which could contain the server's private key along with session keys, cookies and passwords. Nothing in key management would have prevented the bug from being exploited, but strong Crypto Management with hardware security modules (HSMs) for private key generation and storage would have kept the long-term private key out of the vulnerable process's memory entirely. The attacker could then have harvested only what the process held at that moment, such as the data and session keys of connections in flight, rather than a key that (absent forward secrecy) compromises every past and future session and forces a certificate reissue.
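The key hierarchy that Crypto Management is meant to enforce, as an added example that is not the article's code or any vendor's product. The root key exists only inside a Vault object standing in for an HSM: it is generated there, never exported, and used solely to wrap and unwrap per-record data-encryption keys (DEKs). Each record is sealed under its own DEK and the wrapped DEK is stored beside the ciphertext, so the application process only ever holds a DEK briefly during a read. The cipher is an HMAC-SHA256 keystream with an HMAC tag (encrypt-then-MAC), chosen so the example runs on the Python standard library alone; that construction, the 16-byte nonce and the `dek-wrap` context label are assumptions of the example, and production code would use the HSM's AES-GCM or AES key wrap instead.

```python
"""Envelope encryption with a vaulted root key (added illustration).

Not the article's code. The HMAC-based cipher, nonce size and context
labels are stand-ins chosen so this runs on the standard library alone.
"""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF-in-counter-mode keystream: HMAC(key, nonce || counter) blocks.
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _subkeys(key: bytes) -> tuple:
    # Separate encryption and authentication keys derived from one key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Return nonce || ciphertext || tag; aad is authenticated but not encrypted."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Verify the tag in constant time before decrypting; raise on any mismatch."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: ciphertext, key or context mismatch")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Vault:
    """Stand-in for an HSM: the root key never leaves this object."""

    def __init__(self) -> None:
        self.__root = secrets.token_bytes(32)  # generated inside the vault, never exported

    def wrap(self, dek: bytes) -> bytes:
        return seal(self.__root, dek, b"dek-wrap")

    def unwrap(self, wrapped: bytes) -> bytes:
        return unseal(self.__root, wrapped, b"dek-wrap")


class RecordStore:
    """Application side: at rest it holds only wrapped DEKs and ciphertext."""

    def __init__(self, vault: Vault) -> None:
        self.vault = vault
        self.records = {}  # record_id -> (wrapped_dek, sealed_data)

    def put(self, record_id: str, data: bytes) -> None:
        dek = secrets.token_bytes(32)  # a fresh key per record limits the blast radius
        self.records[record_id] = (self.vault.wrap(dek), seal(dek, data, record_id.encode()))

    def get(self, record_id: str) -> bytes:
        wrapped, sealed = self.records[record_id]
        dek = self.vault.unwrap(wrapped)  # the DEK is in application memory only for this call
        return unseal(dek, sealed, record_id.encode())


def rotate_root(store: RecordStore, new_vault: Vault) -> int:
    """Re-wrap every DEK under a new root key; the encrypted data is untouched."""
    for rid, (wrapped, sealed) in store.records.items():
        store.records[rid] = (new_vault.wrap(store.vault.unwrap(wrapped)), sealed)
    store.vault = new_vault
    return len(store.records)


if __name__ == "__main__":
    store = RecordStore(Vault())
    store.put("card-1", b"4111 1111 1111 1111")  # constructed sample record
    print(store.get("card-1"))
```

Two properties matter for the Heartbleed discussion above. A memory disclosure of the application process can expose only the DEKs and plaintext of records being served at that moment, because the root key is never in that process; and rotating the root key (`rotate_root`) re-wraps the DEKs without re-encrypting a single record, so rotation is cheap enough to do on a schedule rather than only after an incident. The record identifier is bound into each ciphertext as associated data, so a ciphertext cannot be quietly swapped between records.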
The last and most important thing to remember about Intelligent Security is that all of the above measures are interconnected. Each feeds the others, and any one without the others leaves the entire system weakened.
You may have noticed that nowhere in the Intelligent Security strategy above do I mention antivirus, VPNs, web filtering or firewalls. That is not to say they are unimportant, despite Symantec declaring the end of antivirus. They are all still needed, but on their own they are not sufficient. An Intelligent Security strategy uses them smartly, for example by putting file sharing behind a VPN that in turn requires strong authentication based on the user's profile. Many enterprises now use exactly this to protect access to and retrieval of highly sensitive data.
David vs. Goliath ended with intelligence winning over raw strength. In the world of security, hackers have done the same—outsmarting the large behemoth corporations. An Intelligent Security strategy, backed by solid execution, will help the Goliaths stay a step ahead of David.