"Security is a process, not a product." This is arguably the mantra of today's security professionals. They repeat it with a confidence in its truth that comes from having lived through a multitude of hype cycles, worms of the week and apparently endless systems patching.
It is a statement that is reflected in the fact that information security has for the past few years been steadily creeping out of the IT closet and towards the boardroom, where process is king. Surveys show that more companies than not are planning to spend more on this crucial area of IT over the coming 12 months.
The drivers are many and diverse: regulated industries are feeling pressure to secure their data from a variety of sources, the media coverage (or hype) of the latest Windows vulnerability or email worm means the topic is now mainstream, some Internet-reliant companies feel a compelling business need to reduce losses caused by digital crime, and some have had actual experience of a significant system compromise.
"I think so much is now talked about security and business continuity, what with threats such as terrorism, not just data security but physical security too are becoming more of an issue," says Chris White, IT director at Ashurst, an international law firm headquartered in London. "These days if you have an outage for even a few minutes it can cause business disruptions."
The increasing interest in security has led to the growing popularity of the CSO, or chief security officer, as a distinct role in IT management. Like many CIOs, this person straddles the worlds of bits and business, translating pressing technology needs into convincing business cases. Where no CSO is appointed, the CIO or IT director ends up taking on these duties.
"In the environment of small or mid-level corporations... we are looked upon as a resource for translating technology threats into business risk," says Chris Hoff, director of enterprise security services at WesCorp, America's largest corporate credit union.
Paul Simmonds, director of global information security at chemical giant ICI, says: "In enlightened companies it [the CSO] is becoming essential. I doubt any major corporations could do without one nowadays... Before, security was the black art and the techies managed it. Now it costs big bucks, so there has to be a hard business case behind it."
As ultimate responsibility for security falls into increasingly senior hands, the focus among big companies has shifted away from the 'nuts and bolts' of protecting system A against attack B, and into risk management, analysis and, above all, knowledge.
Security is essentially about knowledge and precautions. To break into your system, a malicious hacker needs to know a way in; a vulnerability. To stop that hacker getting in, you generally need to know about that vulnerability and have the tools to protect it from being exploited, whether those tools are firewall configuration changes, virus definition updates or IDS attack signatures. While pre-emptive protection – protecting against the unknown – is becoming an increasingly common claim from security systems vendors, conventional wisdom has it that this technology is not quite there yet.
Patch work
If any piece of evidence supports this statement, it is the fact that technology users still have to patch, and that patching computers is a major headache for security professionals who manage large installed bases of Microsoft software. These poor souls are responsible for upgrading thousands or tens of thousands of Windows desktops, often across multiple geographies, departments and software versions, with increasingly alarming frequency.
"It's a pain point for everyone," says ICI's Simmonds. "We can't patch fast enough, I don't think anybody can unless they are a small company. Just trying to communicate to all our offices is difficult enough."
Microsoft, which suffers from the most pervasive and frequent vulnerability disclosures, has settled on a once-a-month schedule for patching vulnerabilities that are discovered through relatively safe methods such as in-house research, or findings from trusted security research firms. It sometimes breaks that schedule when a patch is unusually urgent, or it is known that exploit code is in circulation among black-hat hackers.
John Meakin, head of information security at Standard Chartered Bank, says that while he values the speedy disclosure of vulnerability information, applying patches across the enterprise is a challenge: "When Microsoft warns about a new vulnerability that affects every Windows version, it's a huge job to roll out the patch, especially when you consider that a bank like us has in the order of 5,000 servers and 30,000 desktops."
Some smaller companies feel less pain here. Ashurst's White manages some 1,500 desktops across 13 sites in Europe and elsewhere. Automation, using patch management software, has made his team's job much easier, he says.
This is not always the case, however, particularly when a smaller company with a commensurately smaller IT department has mission-critical applications running on large server farms. WesCorp's Hoff has only about 500 desktops to manage, but he also has to secure about 350 servers running crucial transaction systems. When a new patch is released that applies to WesCorp's servers, Hoff says his department must do a careful analysis to see if the risks of the new vulnerability being successfully exploited outweigh the risks of applying an untested patch to production servers. Often, he says, it makes more sense to filter the threat on the network's multiple layers of security devices.
This type of risk analysis is now common among security chiefs at big companies, who must weigh a range of factors before making important decisions: the perceived severity of the threat, the likelihood of exploitation, how vulnerable the system is, the value of the data or process, and the effectiveness of the countermeasures already in place.
Risk analysis
"We have to ask, how valuable is this system to our business, how is it built and how inherently insecure is it," Standard Chartered's Meakin says. "For example, an application on an Internet link is fundamentally more insecure than one that is not."
In order to aggregate and more easily understand security data, WesCorp's Hoff says this year he is most focused on implementing security event management and correlation software, as well as vulnerability scanning. He's already deployed SEM software from Network Intelligence and scans for vulnerabilities using Qualys, and says the combination provides a much clearer picture of the network's security profile at any given moment, making it easier to mitigate threats and respond to incidents. Of course, this picture is "only as reliable as the last scan."
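The correlation Hoff describes, as an added illustration that is not WesCorp's code and does not use the Network Intelligence or Qualys data formats: each IDS alert is checked against the most recent vulnerability scan of the host it targets, so an attack on a hole the scanner saw open is ranked first, an attack on a host that was recently scanned clean is demoted, and, following the "only as reliable as the last scan" caveat, an alert against a host that was never scanned or whose scan is stale is never downgraded. The alert and scan records, the seven-day freshness window and the CVE-XXXX-* identifiers are all constructed placeholders.

```python
# Added example (not WesCorp's code, and not the Network Intelligence or Qualys
# data formats): rank IDS alerts by whether the targeted host was actually
# vulnerable in the most recent scan, and refuse to downgrade an alert when
# that scan is missing or stale. All records below are constructed; the
# CVE-XXXX-* identifiers are placeholders, not real CVEs.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Alert:
    ts: datetime
    src: str
    dst: str
    signature: str
    cve: Optional[str]  # vulnerability the signature detects an attempt against, if known


@dataclass(frozen=True)
class ScanResult:
    scanned_at: datetime
    open_cves: frozenset  # vulnerabilities the scanner found still present on the host


# A scan older than this no longer tells us whether the host has been patched (assumed window).
MAX_SCAN_AGE = timedelta(days=7)


def classify(alert: Alert, scans: Dict[str, ScanResult], now: datetime,
             max_age: timedelta = MAX_SCAN_AGE) -> str:
    """Label one alert using the scan data for its destination host."""
    if alert.cve is None:
        return "unmapped"      # signature has no vulnerability mapping; scan data cannot help
    result = scans.get(alert.dst)
    if result is None or now - result.scanned_at > max_age:
        return "unverified"    # never scanned, or scan too old to trust: do not downgrade
    if alert.cve in result.open_cves:
        return "confirmed"     # attack against a hole the scanner saw open
    return "noise"             # host was scanned recently and is not vulnerable to this


PRIORITY = {"confirmed": 0, "unverified": 1, "unmapped": 2, "noise": 3}


def triage(alerts: List[Alert], scans: Dict[str, ScanResult], now: datetime,
           max_age: timedelta = MAX_SCAN_AGE) -> List[Tuple[str, Alert]]:
    """Return (label, alert) pairs, most urgent first; sort is stable, so arrival order is kept within a label."""
    labelled = [(classify(a, scans, now, max_age), a) for a in alerts]
    return sorted(labelled, key=lambda pair: PRIORITY[pair[0]])


# Constructed sample data: three scanned hosts (one scan stale) and one host never scanned.
NOW = datetime(2004, 6, 1, 12, 0)
SCANS = {
    "10.0.0.5": ScanResult(datetime(2004, 5, 30), frozenset({"CVE-XXXX-0001"})),
    "10.0.0.6": ScanResult(datetime(2004, 5, 30), frozenset()),
    "10.0.0.7": ScanResult(datetime(2004, 4, 1), frozenset({"CVE-XXXX-0001"})),  # stale
}
ALERTS = [
    Alert(NOW, "192.0.2.10", "10.0.0.6", "exploit attempt CVE-XXXX-0001", "CVE-XXXX-0001"),
    Alert(NOW, "192.0.2.10", "10.0.0.5", "exploit attempt CVE-XXXX-0001", "CVE-XXXX-0001"),
    Alert(NOW, "192.0.2.10", "10.0.0.8", "exploit attempt CVE-XXXX-0001", "CVE-XXXX-0001"),
    Alert(NOW, "192.0.2.11", "10.0.0.5", "port sweep", None),
    Alert(NOW, "192.0.2.10", "10.0.0.7", "exploit attempt CVE-XXXX-0001", "CVE-XXXX-0001"),
]

if __name__ == "__main__":
    for label, alert in triage(ALERTS, SCANS, NOW):
        print(f"{label:10} {alert.src} -> {alert.dst}  {alert.signature}")
```

The design choice worth noting is that missing or stale scan data yields "unverified", which ranks above everything except a confirmed hit: the absence of evidence that a host is patched is not evidence that it is, so the correlation only ever suppresses an alert when a fresh scan positively shows the hole closed.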
The business case is always at the forefront during decision-making. For example, Simmonds says that 62% of ICI's incoming email is spam. It is a clear problem. But in a company of ICI's size, if it started deleting emails with a spam filter that had an accuracy as high as 99.996% "we would delete 600 business emails a week," which is clearly unacceptable.
Once this kind of analysis is done, security bosses then have to take their case for a budget to their superiors, who are, in many companies, becoming more likely to see the value of security purchases. "They want to know how much it's going to cost, what's the return on investment," says ICI's Simmonds. "As long as you can demonstrate a strong business case you can get the budget," says Ashurst's White.
But the problem with cost-benefit analyses of security systems is that you are balancing the tangible up-front and ongoing costs of a technology system with the invisible benefits of not getting hacked or succumbing to a worm. WesCorp's Hoff says he calls it "RROI", for "reduced risk based on investment".
It is a little like buying insurance, says Standard Chartered's Meakin, but with very little hard data to base your decisions on. "With fire insurance, we have 400 years of actual data about how often fires happen," he says. Not so with information security, in which fear of copycat attacks or financial losses due to bad publicity keep most companies very quiet if they have fallen victim.
The risk analysis model has not filtered down fully to all companies yet. Ashurst's White, who has worked extensively in financial services firms in the past, says: "We don't have as much of an analytical approach as they do in the financial services industry... [because] that industry is regulated by the Financial Services Authority, but that's not to say we don't take the work just as seriously."
Tight regulations
In financial services and other regulated industries, as well as among public companies, one of the most pressing factors in opening a dialogue between C-level executives and security professionals has been regulation such as the Sarbanes-Oxley Act in the US and the Basel II accord in Europe. These rules oblige companies to keep strict controls over their transactional systems so that the figures they report can be trusted.
California has a law, which some say will soon be extended across the US, that obliges companies that have been hacked to disclose this to their customers if confidential data is likely to have been compromised. There have also been talks in the US, stalled at time of writing, about requiring public companies to disclose the results of security audits in regulatory filings.
Ashurst's White knows about operating in a regulated industry. The Law Society places stringent requirements on how law firms handle electronic communications. "We might be required to provide documents or records of communications with clients up to a period of 12 years later," White says. Emails are thus archived. The company has recently also completed a rollout of RSA Security's SecurID tokens, in order to be able to authenticate roaming employees sending email from the road. That said, "whether emails can be accepted as documentary evidence is a bit of a legal grey area at the moment."
It is possible to see CIOs taking a more active role in security through some of the initiatives established recently. For example, in order to give users a voice in setting vendors' development priorities, a number of major European companies, mainly in financial services, are now gathering under the umbrella of the Open Group in the Jericho Forum, which seeks to define and secure the notion of the "de-perimeterised" network.
The idea with Jericho is that over recent years, Internet-connected companies have slowly seen their networks blurring at the edges. Business drivers such as remote access, telecommuting, ecommerce and, lately, business-to-business web services, have created a situation where companies find the shape and security profile of their networks are evolving minute-to-minute. There is no clearly defined entry point they can drop a box or two in front of and expect to be protected.
"The perimeter is a lost war, because we've got email, we've got the web out there, and that's where most exploits are nowadays, so we've got to accept that we've lost the battle," says ICI's Simmonds, who is closely involved with Jericho. "If we accept this, how do we then secure the enterprise?"
The Jericho Forum has some hunches about how to do this, and how to help vendors do it in a standardised way, but it does not appear that the group has any firm contribution to make just yet. It appears that the emphasis will be less on perimeter devices, and more on technologies such as authentication, transport-level encryption and host security.
Intrusion detection
"Where we need to look is at the applications," says Simmonds. "The only place you can do any decent intrusion prevention is after it comes out the pipe, when it gets to the application. It's a doddle to do it there. Application-based intrusion detection is absolutely the way things are going to go."
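Why inspection "after it comes out the pipe" sees more than inspection on the wire, as an added example that is not ICI's code and not any product mentioned in the article: the same two injection signatures are run once over the raw query-string values, as a network sensor matching undecoded bytes would, and once inside the application after percent-decoding. A double-encoded SQL injection and an encoded path traversal slip past the first and are caught by the second. The rules, the parameter names and the requests are all constructed for illustration.

```python
# Added example (not ICI's code): the same injection signatures applied to the
# raw wire bytes, as a network sensor would see them, and again inside the
# application after percent-decoding. The rules and requests are constructed
# and deliberately minimal.
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Constructed signatures; a real ruleset is far larger.
RULES = {
    "sqli": re.compile(r"(?i)('\s*or\s+1\s*=\s*1|union\s+select)"),
    "traversal": re.compile(r"\.\./"),
}


def normalise(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so double-encoded input
    ('%2527' -> '%27' -> "'") is seen as the application will see it.
    The round limit keeps a pathological input from looping forever."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def match_rules(value: str) -> List[str]:
    """Names of every rule whose pattern appears in the value."""
    return [name for name, pat in RULES.items() if pat.search(value)]


def inspect_on_wire(params: Dict[str, str]) -> List[Tuple[str, str]]:
    """What a sensor matching the undecoded query string would flag."""
    return [(p, r) for p, raw in params.items() for r in match_rules(raw)]


def inspect_in_app(params: Dict[str, str]) -> List[Tuple[str, str]]:
    """What the application, inspecting decoded parameter values, flags."""
    return [(p, r) for p, raw in params.items() for r in match_rules(normalise(raw))]


# Constructed request parameters: a double-encoded SQL injection, an encoded
# directory traversal and one harmless value.
SAMPLE_PARAMS = {
    "id": "1%2527%2520or%25201%253d1",
    "file": "..%2F..%2Fetc%2Fpasswd",
    "q": "widgets",
}

if __name__ == "__main__":
    print("on the wire:", inspect_on_wire(SAMPLE_PARAMS))
    print("in the app: ", inspect_in_app(SAMPLE_PARAMS))
```

The signatures themselves are beside the point; what the application layer gets for free is the decoded, normalised value the code will actually act on, while a device in the pipe has to guess at every encoding, and at transport encryption, before it can match anything.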
But it is not a case of out-with-the-old, in-with-the-new, CIOs agree. A hardened perimeter is the foundation on which more advanced security architectures are built. WesCorp's White says, "That model of the firewall at the ingress/egress point will always stand." And many newer perimeter security systems are dual-use, also instrumental in securing internal network segments from each other.
Matt Eberhart, Lead Network Security Engineer with AGL Resources, a major supplier of natural gas in the US, says: "We've spent the past 18 to 24 months looking at where our network meets other networks." The company has deployed CyberGuard firewalls at its edges and internally. Eberhart says: "We really like the fact that we can have 10 DMZs [demilitarised zones] on two CyberGuard firewalls." Now, he says, the company is focusing on securing the core with a combination of firewalls, IDS, anti-virus and other systems, helping to segment critical transactional systems from everyday users.
CBR Opinion
Security is as much about protecting against the unknown as the known, and as such it is an ongoing process. To use the M&M cliché, building on their crunchy network shells, companies are now looking at hardening the soft interior. And when it comes to that, there are no substitutes for threat visibility and sound analysis based on experience.