Do you recall the story of Sisyphus? In Greek myth he was the king of Corinth whose punishment for a life of deceit was to roll a boulder up a hill, only to watch it roll back to the bottom each time he neared the top. Managers in charge of information security can probably relate.
Why? Because information security is not a static problem; you don’t solve it once and then go on to other issues. As long as there are financial rewards for compromising an organization’s systems and information, there are bad actors out there that will take up the challenge. Threats are identified and remediated, new threat vectors appear, and the cycle repeats.
In simpler times, a threat appeared, was characterized and was remediated, in a global game of whack-a-mole. The latest trend is Advanced Persistent Threats (APTs). The key word here is "persistent": these intrusions are designed to breach an organization's defenses and then lie quietly, keeping a foothold while awaiting further instructions. The code may be discovered and thought suspicious, but if it is not visibly doing anything, it is easy to move on to more pressing issues.
As a result, most APTs are discovered long after the initial breach. We know of one customer who found out that their network had been compromised more than a year after the initial attack. How did they find out? When the FBI showed up to tell them what had happened.
In response to these new kinds of threats, new approaches are being taken to safeguard systems. We all know about securing systems and information by putting them behind a firewall. That is still an industry best practice, but organizations that stop there are exposing their information assets to increased risk. With the emergence of new routes into the organization's network, especially phishing and social engineering ("click here!"), the attacker no longer has to get through the perimeter; a user invites the code inside. Security vendors have recognized that new approaches are needed.
Companies such as FireEye approach the discovery of suspicious code by executing it in a "sandbox" that isolates it from other information resources. The code's behavior can then be properly understood, its risk evaluated, and appropriate remediation taken. The caveat is that well-built malware checks for signs of a sandbox and stays dormant there, so a clean sandbox verdict complements, rather than replaces, monitoring of the real network.
Other companies, such as Damballa, approach the problem by focusing on the behavior of suspicious code on the live network. Like E.T. in the movie, these threats typically need to "call home" to a command-and-control (C2) server in order to report their status and/or receive further instructions. Damballa watches for that behavior, such as regular beaconing from one internal host to the same external server, and correlates it with its knowledge of threat activity across the global internet.
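The two signals in the paragraph above, periodic "call home" traffic and a match against known threat activity, are simple enough to show in code. The example below is added here to illustrate the idea; it is not Damballa's product or code, and the proxy log lines, the threat-intelligence list and the thresholds are all constructed for the demonstration. It groups outbound requests by (source, destination) pair, flags pairs whose contact intervals are nearly constant, and separately flags any destination on the intelligence list, which stands in for the global correlation a vendor would supply.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (not real traffic): "timestamp src_ip dest_host bytes".
# 10.0.0.12 contacts update.example-cdn.net every ~5 minutes with a fixed-size
# request (a beacon with slight timing jitter); its other traffic is irregular.
SAMPLE_LOG = """\
2013-03-04T09:00:00 10.0.0.12 update.example-cdn.net 512
2013-03-04T09:00:03 10.0.0.12 www.example.com 14220
2013-03-04T09:02:10 10.0.0.33 www.example.com 9001
2013-03-04T09:05:00 10.0.0.12 update.example-cdn.net 512
2013-03-04T09:07:41 10.0.0.12 mail.example.com 8030
2013-03-04T09:10:02 10.0.0.12 update.example-cdn.net 512
2013-03-04T09:12:30 10.0.0.33 bad-c2.example.net 300
2013-03-04T09:14:58 10.0.0.12 update.example-cdn.net 512
2013-03-04T09:20:01 10.0.0.12 update.example-cdn.net 512
2013-03-04T09:31:55 10.0.0.33 news.example.org 22000
2013-03-04T09:40:12 10.0.0.33 www.example.com 7600
"""

# Hypothetical threat-intelligence feed: hosts already tied to C2 activity elsewhere.
KNOWN_C2 = {"bad-c2.example.net"}


def parse_log(text):
    """Turn log lines into (timestamp, src_ip, dest_host) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        events.append((ts, parts[1], parts[2]))
    return events


def find_beacons(events, min_hits=4, max_jitter=0.2):
    """Flag (src, host) pairs whose inter-contact intervals are nearly constant.

    max_jitter is the allowed coefficient of variation (stdev / mean) of the
    intervals; real implants add jitter, so exact periodicity is not required.
    """
    by_pair = defaultdict(list)
    for ts, src, host in events:
        by_pair[(src, host)].append(ts)

    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue  # too few contacts to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue  # duplicate timestamps, not a cadence
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            beacons[pair] = {"hits": len(times), "period_s": mean, "jitter": jitter}
    return beacons


def correlate_intel(events, intel=KNOWN_C2):
    """Return (src, host) pairs whose destination appears in the intelligence feed."""
    return sorted({(src, host) for _, src, host in events if host in intel})


def analyze(text):
    """Run both detections over a log text and return the findings."""
    events = parse_log(text)
    return {"beacons": find_beacons(events), "known_c2": correlate_intel(events)}


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(kind, hits)
```

Note that neither detection alone is conclusive: a legitimate update checker also polls on a schedule, and a single contact with a listed host may be a false positive in the feed. The value comes from combining a behavioral signal with external knowledge and then investigating the host, which is the correlation the paragraph describes.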
Addressing APTs covers the systems side of information security. However, IT managers must also address two other problem areas: mobile devices and mobile content.
The BYOD (Bring Your Own Device) phenomenon has been well-documented. Yet, many organizations have not fully responded from a security point of view. Despite the existence of many options for Mobile Device Management (MDM), we have seen only spotty uptake by organizations. We feel that organizations would be wise to consider that users’ mobile devices should at least be protected in the event of loss or theft. MDM solutions can typically “wipe” the missing user device of company data, such as files and emails.
Even more concerning is the opportunity for sensitive organizational information to be stored on users' mobile devices. Traditional methods of information security, such as Remote Desktop Services or virtualization, focused on creating a secure workspace for mobile workers, with applications and data made available only inside that space. But as online/on-demand services grow in popularity, this approach is losing ground. And as organizations embrace mobility for a variety of reasons, information security managers are being tasked to solve the problem; the genie is not going back into the bottle.
Solution providers have responded with services that focus on protecting the information itself: Information Rights Management (IRM) and Data Loss Prevention (DLP). IRM solutions assign rights to the information based on characteristics of the user and/or device accessing it; a user might be allowed to view a document but not download or print it, as an example. DLP attempts to recognize sensitive information (such as credit card numbers) and block it from being sent in email messages or stored in insufficiently protected file locations.
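To make the DLP half of the paragraph concrete, here is an added example of the kind of content check a DLP filter applies to an outbound email; it is not code from any vendor mentioned on this page. A digit-pattern match alone is not enough, because order numbers and other long digit strings look like card numbers, so the check validates each candidate with the Luhn checksum that real card numbers carry. The sample message is constructed, and the two card numbers in it are the publicly used test numbers 4111 1111 1111 1111 and 5500 0000 0000 0004.

```python
import re

# Candidate primary account number (PAN): 13 to 19 digits, optionally separated
# by single spaces or dashes, not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: doubling every second digit from the right, sum must be 0 mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the digit strings in text that look like card numbers and pass Luhn."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(digits: str) -> str:
    """Keep only the last four digits, as an incident report would."""
    return "*" * (len(digits) - 4) + digits[-4:]


def inspect_message(body: str) -> dict:
    """Decide whether an outbound message may leave; never log the full PAN."""
    pans = find_pans(body)
    if pans:
        return {"action": "block", "reason": "card number in body",
                "matches": [mask(p) for p in pans]}
    return {"action": "allow", "reason": "", "matches": []}


# Constructed sample email body (not real data).
SAMPLE_EMAIL = """\
Hi Sam, please charge the deposit to my card 4111 1111 1111 1111,
and the balance to 5500-0000-0000-0004. Order 1234567890123 is the
reference; call me on 555-0100 if anything is unclear.
"""

if __name__ == "__main__":
    print(inspect_message(SAMPLE_EMAIL))
```

The order number 1234567890123 is caught by the pattern but rejected by the checksum, which is exactly the false positive a digit-only rule would block. Formats that defeat this check, such as card numbers spelled out in words or split across lines, are the reason commercial DLP products layer several detectors rather than relying on one pattern.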
As we said at the outset, information security is a job that is never done. That said, practitioners can sleep more easily knowing that they are constantly evaluating their defenses and looking for opportunities to strengthen them against existing and emerging threats. The job may never be done, but it will always be satisfying to those who keep adapting to changes in the threat landscape and in defensive capabilities.