Security maturity and Security approach model a must

Updated: May 13, 2015

Security systems need a maturity-model-based approach rather than a product-based approach, and zero-day attacks cannot be thwarted, says Ambarish Deshpande, Managing Director, Bluecoat Systems. The US-based security vendor built its view of security practice on a Verizon data breach report, coupled with findings from internal research on its own customer base. Bluecoat identified key loopholes and gaps in overall security practice. Its concluding empirical statement is: ‘A maturity model is a must and organizations cannot depend on prescriptive time-bound tools to thwart attacks’.

Preaching SoA in security

It is better to establish a practice than to apply products against a particular threat. Ambarish says, “We serve 97 of the Fortune 500 companies. Most customers believe good security-technology real estate is essential. The presence of AVs, SIEM, content filtering systems, DLP technologies, etc. cannot be undermined. What is essential is a service-oriented architecture and a systemic approach to thwart attacks.”

The reasons to adopt a service-based approach are many. In Ambarish’s words, “Consumption of mobile devices and cloud services would increase. Secondly, there is a strong increase in standardized threats and the rate of growth for advanced threats will skyrocket. Security services should surround and create a 360-degree feel, unlike adoption of a prescription-based approach. An approach that most CISOs utilize is to detect the known and contain the unknown.”

He further continues, “Having said that, we communicated this with our customers and the results are resonating quite well. Security is a lifecycle and it changes with the product lifecycle. But one still needs to block known threats. These could be through the perimeter and endpoints. There are threats that are unknown. The unknown passes through regular channels including firewalls, AVs, etc. The second stage is to contain the unknown threats to a level where, if you are unable to catch it, one should at least contain it.”

Beyond APTs

The focus in BFSI has moved from APTs to threats that are unseen and unknown. Until a couple of years ago CISOs were focusing on Advanced Persistent Threats; however, most have since found solutions and approaches. The risk now extends to unknown areas and challenges. Ambarish opines about APTs by stating, “Organizations today are finding APTs scary and challenging. The reason is that APTs can be targeted to a specific entity or an organization. Ironically, most APTs are using the simplest of technologies and codes.”

Organizations must gear up to block known threats and contain the unknown ones. This can be realized in two stages, according to Ambarish. He says, “Infection can occur within seconds, if not minutes; the actual challenge is realizing the infection. In such cases an ideal solution is to block the known, and contain the unknown. Zero-day attacks cannot be thwarted. It’s a marketing misnomer that organizations can find something that is not found and have a solution to thwart it. A suitable solution is to limit the impact. This is a lifecycle that organizations would have to deal with. Block the known, contain what is unknown is an ideal solution. In case you are impacted, resolve it in the shortest span of time, resolve it using the product lifecycle of AVs. Once updated, a detailed log must be generated and the same threat must not occur again. This approach ideally sets the maturity model higher.”

Customer-led security endeavors

New-age threats are constantly emanating and becoming more intelligent. A web surf is enough to initiate infection. Ambarish offers an example, “A file downloaded on an internet search can lead to a message saying that your computer has been infected, and further a ransom may be asked. This may lead to a data loss. This is a new way of extorting organizations to cough up resources. This is essentially what ransomware is.”

In today’s environment, banks need to offer their customers comfort to transact, and at the same time ensure applications and banking channels are threat-proof. Banks offering Internet banking and applications to transact are finding it difficult to manage the threats their customers receive. Ambarish says, “That ideally is the pain. There are solutions available, though. Instead of an inside-out approach, banks could incorporate an outside-in approach. The bigger question is, if bank-led communications are being driven from the app, how does one ensure that the application in itself is secure, and that there are no other applications that interfere with the data of the app? Banks have started offering secure tunnel mechanisms to their customers to communicate with. Banks could also use a reverse proxy mechanism.”

CISO and board room deliberations

Board room discussions on security can become intense. A security breach can lead to colossal loss of reputation. Ambarish feels that “Banks have to keep up the brand promise and underlying faith.” He further opines, “Security is no longer just a CISO priority; it has well permeated the management and board room. There is, however, a divide here on operational and technological fronts. The name security can be changed to Business Assurance Technology and Operational Technology Assurance.”

This is not the case with BFSI alone; the security challenges can be seen in manufacturing and other verticals too. There are security challenges with managing SCADA systems. Such systems have delivered for a long time in the industry, diligently performing tasks. In 2010 the first attack took place on a SCADA system. “Hence,” he continues, “this is an operational issue. Today it is extremely difficult to avert an attack on an operational technology. Both operational and business technology are coming close; that is why some management decisions pertaining to IP technology for SCADA systems have been taken.”

The other new challenge that most CISOs and board rooms are taking cognizance of is Shadow IT. Ambarish offers an example, “Let’s say I have to transfer a 30 MB file. The corporate mail policy says I cannot transmit beyond 10 MB. To get this task accomplished, the employee can go to Dropbox and share a link.” He further continues, “Shadow IT is a big challenge, and especially in India where technology knowledge is high. There are rich examples of micro-sites, intranet portals, communication on third-party websites, etc. that see a constant standoff between IT and the other departments. This is happening in most organizations. And unfortunately IT has no control over it.”

He avidly mentions board-room talks that include BYOD, socially engineered attacks, and security risks related to multiple OSes and platforms. “Board talks have become aware that most threats impact the human psychology,” he says.

RBI and compliance

It might be incorrect to expect a regulation to govern security-led activities. Having said that, a clinical roadmap is absent. The universal statement on security and compliance leads to a standoff, opines Ambarish. He makes his point by stating, “If you are secure, you are compliant; that does not necessarily mean that if you are compliant you are secure. Organizations, instead of looking at compliances, should look at the maturity of technology models such as CMM maturity models for security. There are Indian organizations, in fact Indian MNCs, that adhere to international standards while making sure they are compliant with Indian security systems and compliances.”

He concludes by stating, “Security creates a lot of hype; however, it is the approach that sets the tone, and organizations hence must look to deploying a twin-stage approach: the first stage to thwart the known, and the second to contain the unknown. Bluecoat, with its strategic acquisitions such as Netronome, Norman Shark, Solera Networks, and Crossbeam, can identify and offer organizations a 360-degree view in their security practice.”