At the recent IT Security Analyst and CISO Forum in London, one could be forgiven for confusing the dozen vendors on hand. Their high-level taglines all sounded pretty similar: “We secure your business’ data.” “Our product is the next generation of data-theft prevention.” “Your data is safer with us.”
None of these statements were untrue, but they are too abstracted from the nuts and bolts to describe what the vendors actually do.
This forum attracts smaller vendors whose products help mitigate specific threats or protect data at certain stages in its life cycle. All the products being showcased had a part to play in mitigating aspects of the growing threat of targeted attacks, which, as Quocirca reported in its recent research report, are a growing concern to most businesses.
Before I continue, we should consider the key stages of targeted attacks: gaining access to systems, installing and running malware, and compromising and exfiltrating the data.
There was consensus that the primary means for gaining access is to dupe employees into giving access details or downloading malware. A key way to prevent this is to educate users in the dangers of phishing and social engineering. One attendee, PhishMe, claims to be the market leader in launching spoof phishing attacks on its customers with the aim of singling out the most vulnerable employees for special training. Another, Exonar, provides consultancy services with a similar aim.
Attackers will probe web-facing applications and databases. Imperva has a long pedigree of providing web application/database firewalls to detect and block such attacks. It also monitors the use of privilege, since attackers often need privileged access to achieve their goals. Another vendor, zScaler, focuses specifically on tying down web-based risks, blocking dodgy URLs and keeping users focussed on their day jobs!
Tripwire specializes in change management, checking that updates being made to systems are as expected. More recently, through the acquisition of nCircle, Tripwire has also moved into vulnerability scanning—making sure any known problems within infrastructure and application software are found and fixed. Meanwhile, the Israeli vendor Portnox’s product is in the resurgent area of network-access control, ensuring devices requesting network access are compliant, are behaving within the rules and are in the hands of known users.
Of course, some malware will always find its way through. When it does, Bit9 can stop it. It is best known for white-listing applications, that is, restricting what can run to an approved list. However, this also means it has a big role to play in forensics and compliance reporting, as it claims to be able to keep a record of everything that has ever happened on managed endpoints over a given period of time.
When it comes to the exfiltration of data, it helps to know what is important in the first place. Mimecast is expanding its capabilities beyond email management to other repositories including cloud-based data-storage services. It can run queries across all managed data, applying consistent security policies. It also provides reports on who has been accessing what data for forensic and compliance purposes. Exonar’s Document Overshare product also finds and classifies data, while its In-Flight module looks at what is being done with data.
When it comes to storing and transmitting data, Voltage was at the forum to remind us all of the importance of encryption. Voltage uses identity-based encryption (typically based on an email address), which eliminates the need to issue certificates and keys. It also does data masking, which can protect data in use and is a powerful capability as attackers try to skirt encryption through the use of memory scraping.
On day two of the forum we met the chief information security officers (CISOs), who voiced concerns about “big-data management”, protecting open supply chains (especially with lots of SMBs involved), the fallibility of passwords, identity management (users, devices and applications) and skills shortages. The vendors present all had stories to tell that could help the CISOs counter these issues at some level.
At one point the CISOs were asked to cite situations where security had added value, rather than merely mitigated risk. One answered, “Every time we trade online, we achieve a security success.” ISACA had reminded us all of this the day before with its COBIT 5 framework, which has a focus on both risk (incorporating the former Risk IT) and value (incorporating the former Val IT).
No one is going to put the Internet genie back in the bottle, so all security vendors have the potential to share in the opportunity to make a highly connected world safer. However, they should not forget about ensuring the value of IT while they focus on mitigating risks. They could also hone their marketing messages to be less generic and more concise.
*The opinions expressed in this post are those of the author. ISACA does not endorse any referenced goods or services.