The security threat landscape has been changing quite drastically in the past few years. In an exclusive interaction Michael Sentonas, VP, Chief Technology Officer - Asia Pacific, McAfee with Shashwat DC, spells out the challenge before the IT managers and the ways they can cope with it.
How has the security landscape panned over the past few years? What have been the defining factors?
Specific to the threat landscape, we see a very sizable amount of growth of malicious software every year, which are hitting the internet & organisations globally. At the moment, we typically analyse 1,00,000 malware samples per day. And we catalogue 60,000 new threats every single day and that’s a significant number if you look at what it means at an hourly level or even down to a per minute level. It's around 41 threats per minute and that is significant because people at homes, larges enterprises and government networks use the internet every minute of the day. So that means you’re not up to date as far as protection against the latest threats is concerned. Now some people might argue that out of 40 odd threats per minute, there might be few that actually hit the network. Even if it’s 10 or 5, if you don’t update your anti – virus, that’s 5 threats that you have a risk to every single minute of the day. It is very hard for people to keep up with all the malware and vulnerability threats. If you look at the year 2010, we detected more threats in that one year than in the previous 20 years combined; so that causes some significant stress, as to how can you protect yourself internally and keep up with the latest security threats. Another interesting trend that we have seen in the last 12- 18 months is that a real focus of the attack is to solidly compromise a firm's network. In some cases, we have seen that people don’t know that these attacks are actually inside their network for more than 12 months. So, we released a report called “Night Dragon”. It was a specific attack that focused on oil & gas sector. In that particular example, there had been networks that had been compromised as early or as late as 2007, and if you look at that as an example and compare it to the threats that we see today, in several cases, peoples' networks has been compromised for more than 2 to 3 years and they were losing information all along. It's quite a common technique or a common threat landscape that we are starting to see.
The threats are very active and are designed to steal intellectual property of the organisation, financial data, and business data of their customers and employees. The types of threats that we see are starting to increase in complexity, but they are also decreasing the amount of noise they create on the wire in the network; so they go undetected and a lot of people in the industry call it Advanced Persistent Threat (APT) . I think we need to be somewhat cautious in naming all the threats. But as far as I have seen, it’s very specific & a very targeted attack on an organisation or to an individual in the company. And I keep going back to the number of threats today and some of these threats are attacking networks in a frequency of 12 months. You really have to ask yourself that are the technologies that the people are using for these networks up to the par? We see many examples of networks being compromised. Even security companies have their networks compromised and penetrated.
How can enterprises cope up with threats?
Though a lot of people are taking a traditional approach by deploying 12 – 15 products from different vendors, it has not worked. If you look at security courses, they always try the defence and death method. If one product gets it wrong or one vendor gets it wrong, the other product will catch up. But typically, what I saw is that a lot of organisations use the exact same technology to detect the threat that is bought from 5 different vendors, and that model has not worked. What it actually creates is a management overhead because people end up looking at 5 different places every time there is a threat. Now imagine having a critical incident; all your security technology does not collate any of these information, so somebody has to sit there eyeballing the system trying to pull information over the phone, which doesn’t work. So what I recommend to people is to have a look at technology, to have different detection techniques over different products. There is no point in implementing the same type of blacklisting on your desktop, server, gateway, and even on some of your network security appliances, because you are reactively trying to look at what’s happening at your network. Use different types of technologies. The benefit is that if you can get all of those technologies for one vendor or from a small number of vendors that carve out the information, you can see everything that’s happening across from your mobile device to your server all in one place. So when you update your patches, everything is consolidated on a single platform and that is typically a more efficient way, and we are finding a lot of people are now looking for such a technology globally as well as on the Asia Pacific Level, since it takes a lot of complexity out of our network.
One of the prime concerns these days is Stuxnet and the likes. How valid are such concerns?
Firstly, Stuxnet is an interesting piece of malware that we would be studying for the next few years and would be talking about it for a few years. The level of complexity of Stuxnet is very high. So, the people that developed it were extremely competent and extremely intelligent and what made Stuxnet interesting was that it was designed to target networks which showed how vulnerable our critical infrastructure could actually be and it used legitimate digital certificate that had been stolen. Once a device is connected to the network, it caused a significant damage. So I think it’s showing people that our networks are very fragile. The risk is increasing, the vulnerabilities are increasing, the potential threat is increasing, but the amount of money people are spending on security is not increasing and that is going to be a recipe for disaster at some point and we want to be spending a little more time to make sure it does not happen.
But many people believe that Stuxnet was a political tool designed to bring down Iranian nuclear plants, and it won't be used indiscriminately. What is your take on that?
I think it’s interesting to look at why somebody would simply dismiss stuxnet saying it was a political attack and not really relevant. I think, if anything stuxnet showed, it is how competent people are as far as malware attacks are concerned and how vulnerable our networks really are. So that is the learning I think we need to take from it. Look at the examples of Operation Aurora that happened in Jan- Feb last year; a lot of people started talking about it. What we saw was that a lot of companies got their networks compromised and then Stuxnet happened, which impacted a lot of networks globally. The Night Dragon McAfee report showed how 5 very large organisations, who had significant budgets, had their networks compromised. So I think the learning has to be that the attacks are increasing in their complexity and maturity. Are our security measures we use to protect our data also increasing in maturity and ability to protect our network? I would suggest that’s not the case, which is why a lot of these attacks happen.
How has the security landscape changed with the addition of mobile devices like iPad, etc.?
It’s another interesting and exciting area to look at the benefits that these technologies provide us. The benefits are huge and I think there is a typical consumer technology that is now coming into the workplace. The definition of what an endpoint inside every organisation is fundamentally changing and will continue to change for the next couple of years. The operating systems of various tablets have been introduced by Google, Samsung, Symbian. It has become a situation where a consumer technology has ended up in the workplace and you have to manage 5 to 10 operating systems. Some of these technologies have no security. For example, you can‘t buy a full anti – malware technology for your Apple iPhone, nor can you install a firewall or a data loss prevention technology for it. So we might have an issue at some point of time with these devices, like IT management & support and security. I am not sure if a lot of organisations are ready to manage the complexity of the types of Endpoint. How do they manage the fact that if somebody in an organisation loses corporate information from their iPad? The firm would want to make sure that the corporate data is not lost. From an IT support perspective, if you don’t install an app and you’re trying to use that app to connect your phone to you business, is your company ready to configure that app? So it is going to stretch out the traditional support model and the security area as well? For example, the Android platform has had a number of malware examples developed for that platform and Google had to remove more than 50 malicious apps from their marketplace that were downloaded 50,000 to 1,00,000 times. This shows the complexity and vulnerability of these platforms.
There is also this perception that Apple devices, namely iPads, are more robust and secure in comparison to Android tablets. What is your view?
It is a good thing that people are deciding which device to support and which not to. Let me give you a different perspective; if you allow 10 users of company to remove the security technology and let them browse the internet for a day and let them download whatever they want, they will be vulnerable to security risks. But if you use an iPad and download applications for the device with no security, it is a risky proposition because you may have to jailbreak your device to access it, which makes it vulnerable to security risks. But even if you use it without jail breaking and put corporate information into it, it is vulnerable to security risks, as it doesn’t have any anti-malware technology. So, there are a whole range of issues people are going to start to deal with if they are not already.
BlackBerry is another popular enterprise device. How secure is it?
We have seen a growth of about 46 % increase in the first quarter as far as mobile malwares are concerned. There have been malwares developed for the Android platform, Symbian platform and the Apple platform. There are other types of malwares that are being ported over the endpoint world. The Zeus Trojan is one of the serious challenges that the banking and finance industry has been facing for sometime. The behavior of the people that use technology is that they will buy the product and start using it. The device won't have any top up protection on it. At some point, I think we will see an interesting scenario when people might need to have a lot of security technology on their devices.
In the past, the enterprise believed in guarding the perimeter, namely with firewalls, etc., but with the security issues ballooning out of proportion, there needs to be a change in the same. What do you suggest?
I would suggest that to ensure the security, one has to protect the data and build the perimeter. But today, the security of the perimeter is weak. Things like monitoring where the data goes, how it is stored, how it is really accessed, should be at the front of the security policy in companies. Organisations carry out a risk – assessment technology, which reveals risks like data-leakage. Technologies exist to allow the organisation to track the data as to where is it going. Typically, it would be very hard in this scenario, but what they could do is to adopt a technology which enables them to see what their users are doing with the data and where is it going.
How about the threat within, namely a disgruntled employee or so?
While data leaks most often take place due to a careless employee, a CD misplaced, a lost laptop or BlackBerry, data theft can also be caused easily by printing the data. A classic example of data loss and theft is the amount of USBs and laptops that are lost around the world. So it is interesting to look at what is the actual problem in majority of the organisations. 70 to 80% of data losses are due to accidental loss of USBs, laptops, etc. Lack of data encryption causes a huge data loss. The endpoint from anti malware can roll out the encryption for the endpoint and the USB key. One can encrypt the content in a USB key to protect it. A couple of simple examples like that can protect against a significant percentage of data- loss.
The more difficult problem is obviously a disgruntled employee because he could find creative ways to get any kind of data out of the company. But that is something you cannot manage very well, as you would require secure technologies that track where the data is going, and, forensic technology to have a look and see what the users are doing. Organisations today have a lot of IPS technology. The problem is that they buy them from different vendors, so they don’t share any information. If their firewall shares information with their IPS and that information could be shared with the data loss prevention technology, that would see a world of information that’s going on and being transferred and issues that are happening in their network that buying their product from so many different organisations doesn’t allow them to achieve. For your example, if you see a huge amount of FTP traffic that is happening, why not use the source of that information. You would probably find that you have got a very serious data loss issue, but how many solutions or how many networks could do that?
Many organisations these days restrict device usage. Do you think it is counter-productive?
There are a couple of ways to approach that. I have seen so many different examples in our customer network that go from one extent to the other. In some situations, depending on what type of organisation it is and depending upon what it does, you may have to have a policy that is extremely restricted and secures the firm, secures the data and enforces some inconvenience onto the user. On the other extent, there could be an organisation that allows users to connect their devices but it depends on the nature of the firm and the type of business it does. There are certain things that need to be secured and protected to make sure that the network can operate and the users can operate it smoothly. One of the very progressive organisations that McAfee has worked with the past uses our company's Vulnerability Management Technology and does a daily assessment of all the employees’ machines. If the employees have an obligation, it makes sure that their endpoint is free from vulnerabilities and the patch is up-to-date. So, the users can install anything they like, but they have to make sure it is safe and secure and it’s become somewhat of a competition inside that organisation that everybody is striving to have the most secure business unit. The security technology should not slow the user down. It should also not create so much inconvenience that the user is looking to turn it off and that is really important when you start looking at technology like mobile security and tablet PCs. If you think about the amount of R&D a firm like Apple has done to create a phenomenal user experience, as a security vendor, you don’t want to kill that experience, because then no one is going to use. Hence, there are so many aspects to look at. I think it’s a balance, but unfortunately at the end of the day, there are many scenarios where the end user can’t do certain things because if you look at it from the IT, CIO, CSO perspective, they have to do something to protect the data, the network and to protect the brand of the company. You don’t want to be seen as a company whose name appears in the front due to the loss of customer data. Hence, certain things have to happen on the network to make sure that security is in place, which may restrict in some ways what a user can use or install.
What are your views about the threats from social networking? How valid is the concern?
As a result of a huge rise in social networking, the threats in social networking are definitely on the rise. It is one of the threats predictions of 2011 and obviously the malware rise will tend to follow the technologies and the applications that people use more and more. If you develop a malware for a mobile phone platform, then you’re going to target a main player and not the one that has a 2% market share. It is the same thinking if you look at the application that people use. For example, social networking websites like Facbook and Twitter are used more and more; so unfortunately, the malware developments will be seen on those platforms and we have a seen a growth of malware on those platforms as well. So, a lot of malwares and scams that are served on Facebook have got nothing to do with the social networking site itself, but it preys on the general public, like phishing attacks and other scams pretending to be emails from Facebook or Twitter. We have also seen a complexity in the malware development where people are using those tools to control their malware. There are examples of Twitter being used as a command and control system for certain types of malware. So, we have started to see more and more development in the types of threats that are targeting these platforms. But again, there are very updated technologies that help in protecting against these types of attacks. Hence, it is very interesting to talk about threats because they increase in terms of complexity. But the technology is also developing at a rapid rise and maturing to deal with such threats and protect against such organisations is the need of the hour.
Over the years, with rapid adoption of consumer devices and technologies within the enterprise, the line between enterprise and personal threats has blurred. Now, a malaware on Facebook is as much as a threat to an individual as it is to the enterprise. What’s your take on this?
The lines between a consumer and a network threat have definitely blurred. Now, a threat doesn’t discriminate by nature. It doesn’t pick and choose a network. If a piece of malware is developed to exploit, it doesn’t discriminate between Adobe Acrobat or Windows Internet Explorer. It is going to attack a government network, large enterprises, and, small and medium businesses. What has changed is the targeted attack. Now there are focused attacks that are targeted at specific networks or certain people within those networks. So, it is a significant challenge.
So, you agree that IT managers, while fretting over the virus and botnets attacks, should also be on the lookout for the malwares on FB?
Yes absolutely, because as a IT manager, your task is to not only protect the traditional perimeter, but also the data inside that organisation, as well as the brand that belongs to the company. All the small issues will start to become bigger when you have employees who connect to the social media network that could be talking about the company. Employees could take data out of the organisation or it could be lost, stolen or compromised, which could impact the brand of that organisation. So, it is a tough challenge, but you have technologies that are available to help the CIO to get visibility as to every device connecting to that network, in order to understand what is vulnerable, what is safe and target their time and effort to secure their most important apps, systems and data in an efficient way.
Finally, considering the challenge at hand, do you think IT managers can rely on today's technology to solve the issues on hand?
There has been a massive improvement in a lot of technology. There has also been an increase in the effort by law enforcement agencies to catch the number of people developing these threats. The issue is that how many people are using the next generation technology. There are a lot of organisations that still use a lot of legacy security technology and legacy firewall, just because they have been there for many years. They just patch it, update it and use it. That is certainly an issue.
Reference:IT Next
For our Security Solutions Log On to www.digitalwaves.in
