NEW YORK — There’s a lot to be afraid of in the world of network security
threats.
That was the general consensus of a diverse panel at Interop that included
vendors, an analyst and an enterprise user. The panel agreed that NAC
(network access control) isn’t necessarily the solution and that much more
needs to be done within enterprises themselves to properly understand the
threats they face.
“I don’t want to be a FUD [Fear. Uncertainty. Doubt.] dealer but the truth is
there is quite a lot to be afraid of,” Joshua Corman, host protection
architect at ISS (Internet Security Systems), told the capacity crowd.
“It’s time for a reset on education. You can’t defend against what you don’t
understand.”
According to Corman, network security professionals are all chasing
vulnerabilities and compliance-related items. Hackers know this fact, too.
The hackers know what you’re doing.
“The bad guy is getting badder, the techniques better and the volume of
badness worse,” Elliott Glazer, director of security architecture and
consulting at Depository Trust Clearing Corp., said. “We don’t see
solutions keeping pace.”
The issue, though, isn’t entirely about technology or even compliance;
sometimes there may be too much technology in play.
Mike McKinnon, director of security of ProCurve Networking by HP, noted that
his firm advises enterprises to start small when trying to figure out what
they need.
The portion of the enterprise that is most vulnerable from a
business perspective should be addressed first.
“It’s one thing to pass an audit, it’s another thing to be secure,” McKinnon
said.
Glazer agreed with McKinnon and added that his firm started out by putting a moratorium on buying more technology. Instead what he did was look at
their own existing inventory of hardware, platforms, data and devices and
look at the risk of each based on location.
Though NAC technologies are the topic of much buzz
at Interop NYC, panelists weren’t exactly buzzing about it.
“Be very careful when you’re investigating NAC,” Corman advised. “It’s
becoming the buzzword. Everybody says they’ve got a NAC solution but they
really don’t.”
Corman also suggested the enterprises don’t get educated purely by the
vendors about what NAC can do.
“Some of the vendors had a product for something different, and then when NAC
got hot it became a NAC solution,” Corman said. “On this topic there is
extreme exaggeration about what the capabilities are.”
Glazer suggested that enterprises need to think about whether NAC is
actually secure enough for their environments. He advised that even before
an enterprise embarks on the NAC path they make sure they’ve already
provisioned a secure environment.
He also noted that for his own enterprise,
it’s still a little bit too early for him to deploy NAC.
“You can be completely patched and up to date and still get infected by
something,” Corman said. “There is a fundamental assumption that NAC will
make you safer. It won’t make you immune though.”
Forrester Research Security Analyst Paul Stamp pointed out another big
threat, namely the inability of some enterprises to act.
In his experience, people justify security expenses only after they’ve experienced an incident within their own enterprise or are aware of one that their peers have had.
“Our biggest threats are CEOs, not rootkits,” Stamp said somewhat
sarcastically.
Glazer was somewhat more focused on where the threat lies and what makes him
nervous.
“We’re nervous about what we see; it’s a more professional bad guy, code is
getting better fast and that’s scary,” Glazer said.
“Combine that with targeted attacks, the attack is not going to be seen or known and also there are self-deleting attacks.”
Amidst all that nervousness, Corman believes that there is also another
contributing factor for network insecurity, and that might be coming from
security vendors themselves.
In particular those that continue to push
signature-based antivirus solutions.
“You’re not getting the education from your trusted security advisors,”
Corman argued. “This is not a virus problem.”
In the virus problem model there has to be a patient zero, the first person
that gets infected, and then AV vendors can produce a signature.
According to
Corman, criminals are writing tailored targeted
viruses that may never hit more than patient zero.
“The AV model requires discovery,” Corman said emphatically, “When it’s a
targeted attack, giving a signature is like giving a vaccine to a corpse.”
