Managed Security Service Providers are expected to lead their customers’ thinking on what areas are important and to highlight important trends, avoid hype, and generally know the future — all for a fixed price per month. Our best source of feedback is our customers; we rely on their guidance far more than on feedback from product vendors or analysts, because the customers tell us what their auditors said yesterday, how it was different from last year, and whether any pending regulation is going to impact their business and reporting requirements.
If anything, what last year’s events have revealed is how sophisticated botnets have become. Whether you’re talking about Zeus, Aurora, or Stuxnet, the information we’ve uncovered has revealed that there are significant investments going into highly advanced botnets. The possibilities of such tools are almost limitless, particularly when their embedded keyloggers and RAM scrapers result in the next round of high-profile, embarrassing and expensive disclosures. We therefore predict that corporate policy will ratchet down on how much flexibility workers have in configuring their laptops or desktops with software outside the standard corporate images.
In turn, this will highlight that the whole nature of these sophisticated bots – using zero-day exploits which go undetected by most security tools – is to subvert the classic reactive paradigm of increased policing after a threat has been observed. The objective of policy tools shifts from actual prevention (which is accepted as impossible to achieve 100% of the time) to risk mitigation via demonstrated – and quantifiable – due diligence. Auditors routinely comment on both the outcome and the testing methodologies in place to measure any given control. As a result, if the goal is to pass the audit, you will see investments shift towards those metrics.
Longer term, the auditing standards themselves will come under increased scrutiny because bad things will keep happening, even when people pass their most recent audit. We expect this will force senior executives to become more familiar with the realities of IT security threats, the technologies available to respond to them, and how those technologies really work in large distributed enterprises. Sarbanes-Oxley forced everyone to become an accountant, at least a little, and it’s only a matter of time before the CISO gets a genuine equal seat at the table and can have informed conversations with colleagues that don’t strip out the extenuating circumstances in order to ease comprehension.
Finally, we expect 2011 to be the year of convergence. The Host IDS/IPS product category is a great example of this. Originally, these products monitored kernel activities only and told you when a process tried to perform an invalid instruction, or one that wasn’t allowed by policy. This was fine but ignored the application layer, the hardware layer and the network layer of monitored hosts. Now, HIDS/HIPS integrate whole-endpoint enforcement techniques, with everything from firewalls to USB port protection to application whitelisting, all combined in a single agent. The management tools allow policies to be pushed out to classes of devices with arbitrarily large numbers of members, and the product vendors are quick to release updates in response to new threats.
What we need is similar convergence in other categories. “Next Generation” firewalls are now combining deep inspection with simple traffic policies and have the performance to do wire-speed interrogation of packets on fat pipes. Proxy servers act as web app firewalls; database security products can validate SQL queries; and load balancers know how to prioritize QoS vs. app-layer policies. There is not yet, however, a common policy layer that links all of this together and defines a flexible metrics framework with centralized summary reporting. The vendors focus on technical capabilities and leave the customers to build all the glue that sticks everything together, and as a result, every solution looks totally different.
We say, start with the workflows — what does your company need its staff to do, every day, in order to enforce policy? And how do you review your policy to make sure it’s coherent? From there, identify what information your current tools can provide, and where the gaps are. Measure the work required to fill the gaps, add that to the solution cost, and juxtapose it against the mitigated exposure. Build out a converged solution that leads with your staff expertise and prioritizes improving that before buying product — because the product vendors are still a long way from doing this for you.
2011, tragically, won’t be easier than 2010, and we know there will be plenty of surprises along the way. We hope, should you find yourself on the receiving end of a nasty attack, that you can spend your time using tools you already have and implement processes you’ve already defined, rather than scrambling to figure out what to do next.
Good luck — and we encourage you to share your successes in the comments!
By Toby Weir-Jones, Vice President of Product Development, BT Counterpane