
September 05, 2007

Financial Services Roundtable Plans for Changing the Game

Blogger: Dan Blum

Once upon a time, King Arthur’s Knights of the Round Table gathered to plan the defense of the realm. So it was this summer near Wall Street, where I attended a private roundtable meeting with some leading thinkers from a number of large financial institutions (FIs). Just as England faced innumerable invasions and rebellions, so FIs currently confront a rising tide of attacks in these Dark Ages of cybercrime.

Today’s knights and ladies of information security from leading FIs attending the roundtable have become convinced that our desktop protection and consumer authentication models are broken, and have to change. They favor a paradigm shift towards strong endpoint execution controls and risk based (or contextual) authentication.

Not surprisingly, they have worrisome things to say about the evolution of the threat. One CISO noted that his organization has seen attackers impersonating OTC, IRS, and SEC officials in phishing attacks aimed at specific employees; externally, he estimates that as many as 25% of consumer workstations are compromised.

Security departments at major FIs generally aren’t lacking for funding or top-level support; executive management knows that they and their business model are always under attack. But still, they face serious challenges in confronting the threat. There are issues with deploying defenses and getting internal buy-in to follow security policies to the letter. For example: “Data leakage protection products are mostly about detection. They are big, noisy and not very useful. They tell you about the fire after the house has burned down and you don’t have enough people to find the real fires and fight them amidst all the noise.” Meanwhile, attackers are always innovating, forcing FIs to adopt overpriced point solutions that don’t integrate well with their existing control environment. And after they are finally able to integrate, test and deploy point solutions, criminals always seem to find a new attack vector.

There was a palpable sense at the roundtable that the cybercrime situation is not under control, and we are not winning the battle. The CISOs and other leaders of information security in attendance feel some urgency about getting the industry to make fundamental changes in endpoint execution control and risk based authentication. I also heard issues on the technical management side that should be addressed. (Historians say the real King Arthur’s success in repelling invasion for a generation came not just from strength and unity of purpose, but also from superior organizational and logistical innovations). The following are some ideas we discussed together at the roundtable about endpoint execution control and risk based authentication, as well as my own thinking on security management frameworks.

The information security industry needs to change the game in three critical areas:

Endpoint execution control: FIs doubt that signature-based anti-malware can keep up, and are not overly hopeful about the behavioral detection algorithms every vendor seems to be touting. One CISO’s company had been hit by targeted attacks which the incumbent anti-malware vendor failed to detect. He favors a whitelisting approach for application control: “You can manage what you can control, you can control what you can describe. But the description has to be provided by the application vendor, and it has to provide enough contextual information for risk management.” At Burton Group, we’ve researched multiple whitelisting schemes for endpoint protection, including host intrusion prevention system (HIPS) vendors, Vista’s User Account Control (UAC) on a restrictive setting, and BeyondTrust Privilege Manager. We expect that significant progress can be made using whitelisting to safeguard enterprise desktops, but cleaning up the consumer workstation mess will be a harder nut to crack.

Risk based authentication: This should ride to the rescue. One CISO envisions simple authentication evolving into “risk based authorization with NAC [a security assessment of the client] and other contextual data.” We’re far away from that today in the consumer space, and authentication tokens alone won’t help: one roundtable participant has already met institutional users who have boxes of tokens for different hedge funds. Could a managed service someday deliver more secure and convenient authentication across multiple FIs? One significant constraint was mentioned at the roundtable: “We are looking for authentication [tools or services] that cost less than a quarter per user.” Many FIs are already using passive risk analytics that don’t directly involve the consumer user and endpoint. Longer term, more active risk analytics (such as issuing a real time challenge to the user) should be considered. And at the same time, keep watching the Internet authentication space, where a user-centric identity interop event at Burton Group’s Catalyst conference showed considerable progress.
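As an added example (not code from this post or from Burton Group), here is a minimal risk based authentication engine in the shape the roundtable describes: passive signals such as device, location, source IP reputation and travel velocity are scored without involving the user, and an active real time challenge is issued only when the score warrants it. The signal weights, the thresholds and the “alice” login history are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class LoginAttempt:
    user: str
    device_id: str
    country: str
    ip_reputation: str  # "clean" or "suspicious" (constructed feed label)
    timestamp: datetime


# Constructed per-user history: known devices and the last observed login.
HISTORY = {
    "alice": {"devices": {"dev-1"}, "home_country": "US",
              "last_country": "US", "last_login": datetime(2007, 9, 5, 9, 0)},
}


def passive_risk_score(attempt):
    """Score the attempt from context alone; returns (score, reasons)."""
    profile = HISTORY.get(attempt.user)
    if profile is None:
        return 100, ["unknown user"]
    score, reasons = 0, []
    if attempt.device_id not in profile["devices"]:
        score += 30
        reasons.append("unrecognised device")
    if attempt.country != profile["home_country"]:
        score += 25
        reasons.append("unusual country")
    if attempt.ip_reputation == "suspicious":
        score += 40
        reasons.append("suspicious source IP")
    # Impossible travel: a different country within an hour of the last login.
    since_last = attempt.timestamp - profile["last_login"]
    if attempt.country != profile["last_country"] and since_last < timedelta(hours=1):
        score += 50
        reasons.append("impossible travel")
    return min(score, 100), reasons


def decide(attempt):
    """Map the passive score to allow, step-up challenge, or deny (assumed thresholds)."""
    score, _ = passive_risk_score(attempt)
    if score < 25:
        return "allow"
    if score < 70:
        return "challenge"  # active analytics: real-time challenge to the user
    return "deny"
```

The middle band is where the “active” analytics the roundtable discussed come in: only users whose passive context is ambiguous are interrupted, which keeps per-user cost and friction down for the common case.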

Security management frameworks: Platform vendors need to stop trying to take over the world by locking customers into proprietary interfaces. Point solution vendors need to build to open platforms if there’s to be any hope of improving the FI’s ability to deploy innovations that confer lasting benefit against attackers. To illustrate the limitations, the roundtable estimated it takes roughly one year to roll out significant new security functionality, but just weeks or months for attackers to make inroads against it or learn how to go around it. Why should every security product have to duplicate console, agent, update mechanisms, workflow, event logging, reporting and more? The first step in getting to better defined security management frameworks is for the vendors and customers to understand security will continue to be a multi-vendor, best of breed endeavor (see our long tail of risk paper for justification of this theory). The most promising near term path to security management frameworks is to fast track common event formats, the Trusted Computing Group’s Statement of Health Protocol and other standards.

In conclusion, it’s clear the industry has hard work ahead. It won’t be easy: as we’ve described in our Malware Predictions 2007 podcast, for example, malware will continue to be a tough enemy. Burton Group will continue exploring these areas and posting its ideas, and we would like your feedback. The roundtable will meet again. I’m confident that, over time, the industry can come up with some game changing approaches.

Picture source: http://users.skynet.be/keltic/edit07.html

Comments

Some great information. I would have loved to be part of the round table meeting myself!
