Six Ways that Most Companies Shortchange Their Enterprise Security

Linda Musthaler
By | January 14, 2014

Posted in: Network Security Trends

I recently had a conversation with Michael Sutton, vice president of security research for Zscaler and head of Zscaler ThreatLabZ. We talked about where many organizations are falling short today in defending against current threats and especially the more dangerous advanced persistent threats. I’ve singled out six common shortcomings that Sutton sees among most companies today.

 1.     Failing to stay current with modern technologies and techniques.

Many companies continue to do what they have always done to protect their IT systems, but that isn’t enough for today’s security landscape. “When we look at the average company, they are really doing today what they did five and even 10 years ago. They haven’t really advanced their security protections,” says Sutton. “There are two staples that have become the norm and have pretty much 100% penetration and that would be host-based anti-virus and appliance-based URL filtering. That’s certainly going to catch a lot of low hanging fruit but it is absolutely not going to catch the more advanced threats.”

Sutton says the IT security landscape has changed so much in the past few years that companies that continue to rely only on anti-virus and URL filtering are at risk because modern-day threats can skirt those defenses too easily.

2.     Not having a comprehensive approach to defending the mobile and “off network” world.

Workforce mobility has changed dramatically in recent years. The typical employee today works off-premises and uses mobile devices to check email and access applications. Mobile is a very different ecosystem than the traditional network-connected devices and can’t be defended in the same way. “Now I have this always-on device,” says Sutton. “Because of the smaller screen real estate, I don’t have access to some of the controls that I have leveraged before. For example, phishing attacks can be easier because I don’t see the URL bar or I am looking at web content within an app that doesn’t have the same level of controls that the browser might. And we have this totally different way of distributing software through app stores. In theory this should make things more secure because there is a gatekeeper that blesses apps before they go out. We don’t see a lot of malware in the official app stores but we see plenty of malicious content in unofficial app stores. Even in the official app stores, we see a lot of poorly coded apps that are vulnerable or have privacy issues. Mobile is still pretty immature and it has a long way to go to secure itself.”

Sutton says that global visibility is becoming much harder due to mobility. When he talks to companies and asks how they track the traffic and the patterns from the users who are on their smart phones and tablets and working at a Starbucks on their laptop, the answer is almost universally that they can’t capture that traffic yet. That’s a huge weak link.

3.     Using disparate security technologies and not correlating the details from them.

Visibility in detecting events is a huge weakness for most enterprises. The security industry is really a bunch of disparate technologies. Companies buy best-of-breed solutions from different vendors and then don’t have the means to correlate and analyze information from across those solutions. Sutton says the SIEM industry was created to pull all these log files back into one location. “In most enterprises I don’t think that has ever really been completely achieved. They will consolidate certain offices and not others or they have some data from one vendor that just isn’t compatible with another. There’s no perfect solution there,” says Sutton. He adds, “It’s really important that we don’t just look at reports individually by location or by technology because when we are dealing with targeted attacks and advanced persistent threats in particular, this is not the attacker firing with a shotgun. The attacker is a sniper. So I might have a little bit of traffic hitting my Atlanta office and a little bit of traffic hitting my Shanghai office and a little bit hitting Johannesburg. It’s only when I am able to look at that full global picture that I can see it is starting to be concerning because all three of the people who were targeted are executives and they were all targeted with a similar thing and it was a social engineering attack. If I don’t have that global visibility I am never going to see that.”

4.     Putting most of the enterprise’s resources into prevention and ignoring detection and remediation.

Sutton says that a comprehensive approach to IT security includes prevention, detection and remediation. Most companies spend 90% of their budget on prevention in the belief that they should focus on stopping or preventing attacks in the first place. From his position with Zscaler’s labs, Sutton can see that most companies are already infected to some degree. “Of course we want to protect and defend against attacks before they affect us if at all possible, but we absolutely can’t ignore the detection side or the remediation side,” says Sutton. “We know we’re going to get some infections and we need to limit that damage as quickly as possible and isolate the problem and do the appropriate remediation steps. Enterprises need to adopt that focus.”

Sutton points to big breaches as proof that prevention isn’t everything. “We have seen the biggest tech companies like Google and Apple have to step forward and say they were infected, had a targeted attack and had data stolen. These are companies that have the best and the brightest minds in the security industry working for them internally. Most companies can’t even begin to consider having that kind of a budget. If those sorts of companies are dealing with infections, then all companies need to be cognizant to the fact that they need to pay attention to the detection side as well,” advises Sutton.

5.     Not analyzing outbound traffic.

On the detection side of security, we need to be inspecting outbound traffic and Sutton says a lot of companies don’t do that. “We have to accept the fact that we are going to be having infected machines, so instead of just trying to block employees from trying to go download a piece of malware, we also have to have solutions in place that are looking for outbound traffic that suggests an infection, such as an outbound request to a command and control server. And that can’t just be checking it against a black list of known sites because they change all the time. We need to be inspecting every part of that request to say, ‘I don’t know where this request is going to because I’ve never seen that destination but this has all of the characteristics of a botnet. I am going to flag it as such and block that traffic.’”

6.     Failing to do forensics after a breach.

Let’s face it: breaches do happen. According to Sutton, when a breach occurs, it’s important to figure out how and why it happened in order to prevent it from happening again, as well as to figure out how extensive the breach may be. He doesn’t believe that most companies have those capabilities. Obviously for a large breach like Target’s recent exposure, a company would bring in the big guns like Mandiant or Verizon to do the forensics. Smaller breaches may not warrant that kind of response but it is still important to try and figure out precisely what happened. If the company doesn’t have the expertise in-house to do the forensics analysis, it’s worthwhile to look for outside help.

You May Also Be Interested In: