Deciding What Wares to Buy and from WhomFacing the Big Challenge of Managing IT Product Security
Acquiring information security wares gets more complicated every day - some 1,000 vendors offer 150 categories of products - so it's unreasonable to expect even the most informed chief information security officers to know everything about them.
Still, it's the responsibility of CISOs and others within enterprises to make smart decisions about which providers to choose and products to acquire.
"A lot of these products are getting pretty sophisticated and you have to have a pretty thorough understanding of what you're actually seeing to get the utility out of it," John Muir, managing director of the Security Innovation Network, or SINET, a business that links providers, researchers and users, including the U.S. federal government, says in an interview with Information Security Media Group [see transcript below].
Not every organization has the financial wherewithal to hire individuals with skills in every type of IT security category, but lacking that know-how doesn't mean CISOs can't make intelligent choices. Enterprises that don't have in-house expertise could hire a managed security service provider.
Muir cautions to vet them carefully. "I would want to make sure that their strong points align with the risk profile that the board has established for a given, particular company and that there is a good sense of cooperation," he says.
Retaining a managed security services provider does not get an enterprise's IT security organization off the hook. "Some companies have made a mistake thinking that if they just hire a managed security service provider company that they could sort of abdicate responsibility for what happens on their network and just blame it on them and not really stay involved," Muir says. "It has to be viewed as a partnership where both the company and the service provider work together for an optimum results."
In the interview, Muir also addresses IT security innovation making its way into the marketplace, including offerings that:
- Identify those who hack into IT systems and networks.
- Safeguard documents shared in a variety of forums, including the cloud.
- Encourage security use by making products and services easier to implement.
Muir also serves as the managing partner of Trusted Strategies, which advises companies on IT security acquisition and is an alliance partner with SINET.
According to his biography posted on the SINET website, Muir helped create two security technologies: large-scale user authentication via dynamic passwords and enterprise software for full hard drive encryption. The U.S. Patent Office awarded him a patent for an advanced user authentication device he co-invented.
Muir also has been involved in a project to map the structure of the North American cybersecurity industry, having conducted research on its make up, particularly those involved in authentication, encryption and mobile devices. This research led to an invitation from the Department of Homeland Security to participate in a series of workshops to determine the 5-year national research priorities for IT security.
The University of California at Berkeley granted Muir a BA in international economics; Harvard Business School awarded him an MBA.
ERIC CHABROW Please take a few moments and tell us what is the Security Innovation Network?
JOHN MUIR: Security Innovation Network has the mission of accelerating innovation in the cybersecurity sector to improve our security. The way that we go about that is to foment collaboration between the public and private sector. In so doing, we also bring in other parts of the security ecosystem, such as the research community, the financial sector, the investors, and all those from the government who are equally interested. So it is a broad constituency.
CHABROW: You've been tracking as part of your job for about nine years IT security, and when you started this back in 2003 you identified about 50 categories and about 250 providers and vendors. Today SINET I believe caps about a 150 categories of IT security where as with some one thousand vendors. I'm not surprises by the quadrupling of vendors, but I am a bit perplexed over the three-fold increase in IT security categories. Are there that many more security solutions out there today? Is the market becoming more segmented or is the IT security community getting better at defining IT security problems and solutions?
MUIR: As the general information technology industry has branched out in all kinds of directions that we couldn't have expected nine or 10 years ago, security has had to follow. For example, 10 years ago people weren't too excited about web application security. It wasn't a big deal. Now it's a huge deal. People were not very concerned about mobile device security five or six years ago. Now it is a big deal. So the industry inferably has to follow the technology that people choose to use.
CHABROW: With so many products out there, how can a chief information security officer keep from getting overwhelmed?
MUIR: That is a good question. It's not only an issue of what is out there and what is right for me. It's how much can my organization actually manage? That is a crucial question just because you need some security doesn't mean that necessarily that you have the right people to manage a product for that specific security application. That has given rise to the manage security services provider industry, which I think is a good innovation for some companies.
CHABROW: And why so?
MUIR: A lot of these products are getting pretty sophisticated and you have to have a pretty thorough understanding of what you're actually seeing to get the utility out of it. Just having a green light that says everything is okay just isn't sufficient these days. So there is a certain level of skill that is required to get the full value. Not every company can afford to hire that skill or find that skill, and that can be embedded somewhat and sort of spread around with a manage security service provider.
Aligning with the Risk Profile
CHABROW: Do you have any suggestions on how best to choose one of those?
MUIR: Nothing special, I think just to realize that every one of them has some strong points and weak points. I would want to make sure that their strong points align with the risk profile that the board has established for a given particular company, and that there is a good sense of cooperation. Certainly, I believe some companies have made a mistake thinking that if they just hire a manage security service provider company that they can sort of abdicate responsibility for what happens on their network and just blame it on them, and not really stay involved. I think it has to be viewed as a partnership where both the company and the service provider work together towards an optimum result.
CHABROW: I've been doing some research recently on cloud computing and this sounds a lot like a way organizations go about getting cloud providers?
MUIR: That's similar kind of issue. Again, how much can you manage and if you could rationalize things by making or putting them under a high provider somewhere in the cloud, you can save an awful lot of money. In fact, the savings are really compelling at the first instance, and so it is hard to resist that temptation to go into the cloud. However that does not mean we've got better or less security, it just means different kind of security and of course the industry has spawned a whole new sub segment. We're tracking something like eighty different companies that are now sort of focused on cloud security. Of course you have to be careful, just because they say they are in the cloud doesn't mean they really are. There are lots of companies that simply have one or two of those functions that sort of operate out there in the cloud and they call themselves "cloud security". But then on the other hand, there are some companies that have designed their technology from the ground up to be effective in the cloud, and those could be really good choices.
CHABROW: Listening to you makes me realize how important really is to understand risk, because it's not just technology is going to protect you. It is understanding what is most important to you and your organization. How important do you risk assessment, the responsibilities that organizations have in individuals, in executives both at the IT security and the business level, taking on the responsibility of understanding the risk?
MUIR: I think that's a key point that you are hitting on here. Ultimately, there are lots of risks in any organization and the board of directors and the management doesn't get a free pass on cybersecurity just because it's new or just because it's somewhat different. The goal is to get to an accepted level of risk given the profile of the organization. There is no such thing as perfect security and you couldn't afford it anyway. It is always a trade-off, but certainly a board that says, oh that's the job of the CIO or the chief information security officer, and we won't understand it. We'll just get some money once in while. They are putting themselves in a seriously bad position.
CHABROW: Sounds as if the business itself that has the responsibility for the security of its assets, whether it's digital or real?
MUIR: Oh, absolutely. These days, often times the information systems are as much a part of production as stamping mill was for making cars. The board simply can not tolerate a situation where they could loose communication with their customers or the inability to deliver their product. It needs to be faced. That doesn't mean that it has to be radically different then what they've done in the past. It's just a sober assessment of what could go wrong, where are we most vulnerable, what could we do about that, what is available? And let's stay on top of it because it is going to be different in six months.
CHABROW: Let's talk a little about what innovation you see in the marketplace. Here is a perplexing problem that organizations are facing, attribution or identifying those who infiltrate IT systems uninvited. What's new in the attribution front?
MUIR: A lot of CISOs are tired of always playing defense in the sense of I'm here, I'm stuck, I'm vulnerable, I'm visible, and everyone can take shots at me from any direction. So there has been a move to make it more difficult for the attacker, if not to retaliate directly. Some of the newer techniques are things such as anti-recognizant products that let you know that you are being probed peremptory for an attack. They look at patterns of behavior that says this does not correlate to normal usage. This looks like someone who is looking for weak spots and so you get advanced notice that something is likely to happen. And based on the type of probe that you are getting, you can get a pretty good indication of what type of attack that might be.
Another type of product that I've just seen a couple of these are meant to not only perhaps entrap the attacker like a honey pot, but are really meant to confuse and obfuscate. What would happen is when an attack is detected from the attacker's perspective, all of a sudden the network is re-configured in a way that is different then they thought it was. They now have a moving target. This is kind of an active defense that raises the cost of making an attack and would probably persuade an attacker that there is another more vulnerable target somewhere else.
CHABROW: And I heard about that and that kind of product it's not really actually changing things. It' just giving a message out to those who are entering the system that things are changing, correct?
MUIR: I haven't had a chance to look yet deeply into these, but my understanding is that they actually can present a false picture to an attacker of what he is trying to attack. It is sort of punching in air.
Securely Sharing Information
CHABROW: Another problem organizations face is how to, how employees share information and in an earlier conversation we had, you mentioned a study that showed a large number of companies use cloud services such as Dropbox where documents can be shared. What are the security problems with such online collaboration sites and what kinds of technologies are in the works to help mitigate this problem?
MUIR: Excellent question. In fact, Palmetto Networks did a study not too long ago and found that I think two-thirds of all the customers that they have, the employees of those companies use services like Dropbox, other online storage services fairly frequently gigabytes a month and this in essence poses an interesting question. It is sort of like a rogue network. You don't know what is going there. You can't see what is in there unless you sort of attack it. The problem with Dropbox is they were meant for convenience and visibility as opposed to security. They have only minimal defenses and those who are interested in seeing what is in that shared space in the sky can fairly easily, from what I've seen, find ways to access that data. In response, there is a class of product that is coming out that says look, we really don't know what device the data is going to flow to, but we can say that sharing a high value activity as long as it is with people that we know and trust.
The idea is to wrap each file with encryption and with authorization permissions so that no matter where that file goes, whether it is to someone else's PC, whether it gets on a network share point, sent off to an iPad, ends up on someone's mobile phone, no matter where that is that file still remains under the control of the sender who can dictate what policies will allow someone to see it, copy it, use it, print it, etc. And up to revoking permission to see it if they choose to do so, I think that makes sense because the fundamental accounting unit of information is the file and by understanding and looking at it that way and saying files will flow. That is the nature of our environment and trying to simply accept that as a fact and then enact appropriate security around the flow of that file. I think that is the right approach.
CHABROW: No one ever accused security as being easy, but are some of the innovated products coming out making it easier for people to use them, so they are encouraged to use security?
MUIR: Yeah, I think it is an absolutely true fact that the successful security products are the ones that users will actually use. There is the graveyard of security products. These products were perhaps good in a lab and made sense from a strict security standpoint, but they really forgot to understand how the user would deal with this, and if the security is too difficult to wrestle with, if it provides to high an obstacle to getting the job done, people simply find a way around it, and the security will be worse then if it were not there because now it is covert. The successful products are very much into saying, how do we provide the security without adding to the user burden without extensive training, without making it so that routine procedures such as back-up or auditing or data leakage prevention that those procedures can go forward unhindered. The really successful products are the ones that have mastered that technique.