Enterprise Security – Part 1 of 2: The first of a two-part series discussing enterprise security reviews major tactics employed today, cautions about limitations, and highlights the data that can be collected from each. In Part 2, we’ll lay out strategies for using that data – in new ways – to achieve high-level enterprise security.
“We will bankrupt ourselves in the vain search for absolute security.”
~Dwight D. Eisenhower
A hacked database containing thousands of medical records…cyber espionage…power outages…critical systems knocked out of commission by a new firewall configuration…a laptop containing confidential information left in a taxi cab…disenfranchised employees…poorly trained employees.
With so many real and potential security threats – both internal and external – businesses could theoretically spend infinite amounts of money protecting their assets. But they can’t operate in theory, and the money available is always finite.
Below is an overview of major enterprise security tools and tactics, how they work to safeguard your business, what you need to know about their limitations, and opportunities for data collection. New uses for that data are discussed in detail in Part 2: How Skynet Could Terminate an Enterprise Zombie Apocalypse.
1. Intrusion Prevention System (IPS)
How it Protects: An IPS is a network device or appliance that monitors your IT systems for patterns of activity that match a known attack pattern and detects system vulnerabilities. The IPS will warn about any current vulnerability and may take action to reduce the attack surface, such as shutting off firewall access or changing access controls.
What You Need to Know: An IPS can’t predict what type of future attack to expect, and there is no intrusion prevention based on non-IT systems.
Data Collection Examples: Counts and types of intrusions, intrusion patterns, and counteractions taken by the system.
2. Intrusion Detection System (IDS)
How it Protects: An IDS is network software or a device that monitors your IT systems for patterns of activity that match a known attack pattern and warns of intruders. If it detects a malicious pattern match in system activity, the IDS will ring the alarm bell, warning of suspicious activity, and set off lockdown protocols to block or stop an attack.
What You Need to Know: Hackers have a “flavor of the week” and are generally focused on one type of business profile; they don’t attack all places all of the time. So even when a business steps up security, hackers will have already moved on, and the risk changes again.
Data Collection Examples: Similar to IPS – except that there are no automatic counteractions; those are done manually.
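To make the IDS/IPS distinction and the collected data concrete, here is an added example (not from the article): a minimal signature matcher run over constructed log lines, in IDS mode (alerts only, manual follow-up) or IPS mode (alerts plus automatic counteractions). The signatures, threshold, and log lines are all hypothetical.

```python
import re
from collections import Counter
from typing import Dict, List

# Hypothetical signatures: name -> (pattern matched against a log line,
# counteraction an IPS would apply automatically; None means alert only)
SIGNATURES = {
    "auth-bruteforce": (re.compile(r"auth failed"), "block-src"),
    "admin-probe":     (re.compile(r"GET /(admin|phpmyadmin)\b"), None),
}
AUTH_FAIL_THRESHOLD = 3   # failures from one source before it counts as an intrusion
SRC = re.compile(r"src=(\S+)")

def analyse(lines: List[str], mode: str) -> Dict[str, object]:
    """mode="ids": raise alerts only. mode="ips": also record counteractions."""
    assert mode in ("ids", "ips")
    alerts: Counter = Counter()      # counts by intrusion type
    fails: Counter = Counter()       # failed logins per source address
    actions: List[tuple] = []        # (action, source) an IPS would apply
    for line in lines:
        m = SRC.search(line)
        src = m.group(1) if m else "unknown"
        for name, (pattern, action) in SIGNATURES.items():
            if not pattern.search(line):
                continue
            if name == "auth-bruteforce":
                fails[src] += 1
                if fails[src] != AUTH_FAIL_THRESHOLD:
                    continue         # alert once, when the threshold is reached
            alerts[name] += 1
            if mode == "ips" and action:
                actions.append((action, src))
    return {"alerts": dict(alerts), "counteractions": actions,
            "manual_followup": mode == "ids" and bool(alerts)}

# Constructed sample log (documentation addresses, not real traffic).
SAMPLE_LOG = [
    "2024-01-01T10:00:01 sshd auth failed user=root src=203.0.113.7",
    "2024-01-01T10:00:02 sshd auth failed user=root src=203.0.113.7",
    "2024-01-01T10:00:03 sshd auth failed user=admin src=203.0.113.7",
    "2024-01-01T10:00:04 sshd auth failed user=bob src=198.51.100.4",
    "2024-01-01T10:00:05 http GET /admin/login src=198.51.100.4",
    "2024-01-01T10:00:06 http GET /index.html src=192.0.2.9",
]
```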
3. Endpoint Protection
How it Protects: Endpoint protection requires that each computing device (PC, laptop, mobile device, POS terminal, bar code reader, etc.) within a network comply with certain standards before network access is granted. Endpoint protection checks for security patches and unknown software; it checks the virus scanner; and it checks device security software such as drive-level encryption. If a device does not match the security policy, the connection will be blocked.
What You Need to Know: Every endpoint added to a network, either internally or externally, or through a VPN or guest network, increases the size of the enterprise attack surface, thereby increasing risks and costs to mitigate. In the healthcare industry, connected medical devices, applications and software, such as radiology imaging software, video conferencing systems and digital video systems, represent the largest sources of malicious traffic – and have become a bit of a hacker’s paradise.[1]
Data Collection Examples: Number of devices that fall out of compliance; how much of the enterprise actually has the endpoint protection; events from endpoints such as virus scanner alerts.
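The admission check and the compliance figures described above, as an added example (not from the article): each constructed inventory record is evaluated against a hypothetical access policy (patch age, unknown software, virus scanner, drive-level encryption), and the fleet is summarised into the data the text lists. The policy threshold and the device records are assumptions.

```python
# Added example: endpoint admission check plus compliance reporting.
from dataclasses import dataclass, field
from typing import Dict, List
MAX_PATCH_AGE_DAYS = 30          # assumed policy value, not the article's

@dataclass
class Endpoint:
    name: str
    kind: str                    # PC, laptop, mobile, POS, scanner, ...
    agent_installed: bool        # endpoint protection agent present
    patch_age_days: int          # days since last security patch
    av_running: bool             # virus scanner active
    disk_encrypted: bool         # drive-level encryption
    unknown_software: List[str] = field(default_factory=list)
    av_alerts: int = 0           # alerts the scanner has raised

def check_endpoint(ep: Endpoint) -> List[str]:
    """Policy violations for one device; an empty list means access is granted."""
    if not ep.agent_installed:   # unmanaged device: cannot be evaluated, so block
        return ["no endpoint agent"]
    violations = []
    if ep.patch_age_days > MAX_PATCH_AGE_DAYS:
        violations.append(f"patches older than {MAX_PATCH_AGE_DAYS} days")
    if ep.unknown_software:
        violations.append("unknown software: " + ", ".join(ep.unknown_software))
    if not ep.av_running:
        violations.append("virus scanner not running")
    if not ep.disk_encrypted and ep.kind in ("laptop", "mobile"):
        violations.append("drive-level encryption missing")
    return violations

def compliance_report(fleet: List[Endpoint]) -> Dict[str, object]:
    """Blocked devices, non-compliance count, coverage share, scanner events."""
    results = {ep.name: check_endpoint(ep) for ep in fleet}
    covered = sum(1 for ep in fleet if ep.agent_installed)
    return {
        "blocked": sorted(n for n, v in results.items() if v),
        "non_compliant_count": sum(1 for v in results.values() if v),
        "coverage_pct": round(100.0 * covered / len(fleet), 1) if fleet else 0.0,
        "av_alerts": sum(ep.av_alerts for ep in fleet),
    }

# Constructed sample inventory (not real devices).
SAMPLE_FLEET = [
    Endpoint("pc-01", "PC", True, 5, True, False),
    Endpoint("lt-02", "laptop", True, 45, True, True, av_alerts=2),
    Endpoint("pos-04", "POS", True, 10, False, False, ["remote_tool.exe"]),
    Endpoint("scan-05", "scanner", False, 0, False, False),
]
```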
4. Federated Identification
How it Protects: Provides a standard and centralized mechanism for authenticating users and managing their authorizations. Provides one true source for “who is who” and what they can access. Besides single sign-on for applications, it attempts to provide protection against attacks on the authentication infrastructure – such as a man-in-the-middle attack.
What You Need to Know: Reduces the enterprise attack surface, but also creates the potential of providing a singular (though more complex) focus for an attacker.
Data Collection Examples: Number of users, authentications, failed authentications, changes in authorization.
5. Non-IT Activity Threat Assessment
How it Protects: The non-IT circumstances around corporate events can be input into IPS and IDS, and new patterns can be detected and monitored.
What You Need to Know: Traditional HR-related information, e.g., contractor and employee profile information and employee sentiment, if monitored, could increase the capacity to predict the occurrence – or at least the potential – of security events such as the Snowden/NSA leak.
Data Collection Examples: Planned layoffs, planned firing for cause, resignations, disciplinary actions, voluntary separations, new hires, employee and contractor profiles, mergers and acquisitions.
6. Data Security and Encryption
How it Protects:
Data at Rest – Typically stored data is secured and encrypted based on:
Data in Transit – Internal
Data in Transit – External
What You Need to Know: The unique nature of the internet means that once data is “in the wild” it is assumed to never be truly erasable. Therefore timeliness is critical in determining how much encryption should be applied to data going external. Most vulnerabilities, however, are exploited internally, and low-level security on stored or shared data could present an opportunity for theft from within.
Data Collection Examples: How much data is encrypted, how much is in the clear (not encrypted), what type of encryption is used.
With so many security threats, both known and unknown, and so much data available to collect, how can an enterprise better use its data to protect itself? What information should be collected – that is not part of a traditional security profile – that could provide a sharper edge against future attacks?
Stay tuned for Part 2 in our Enterprise Security series, How Skynet Could Terminate an Enterprise Zombie Apocalypse, where we’ll discuss how Big Data, machine learning, business intelligence, and holistic security profiling help make enterprise security an affordable reality – and of course, help ward off the zombies.