APTs Require a Comprehensive Architecture

Wednesday, June 08, 2011

Rahul Neel Mani


Steve Robinson, General Manager of Worldwide IBM Security Solutions, talked to Varun Aggarwal during his visit to India about various new threat vectors, including smart grid security, Advanced Persistent Threats and mobile.

In recent reports, there have been allegations that smart grids can lead to a complex security problem for a country, making it more vulnerable to cyber war. Your comments?

Smart grids have opened up an issue in that you're dealing with systems that are highly connected and may not have the same protection that traditional IT systems have. Various sensors in such grids can be lying in the open, and it is often a lot easier to break into these sensors than to break into a data center.

So there are a lot of discussions starting to take place on how we improve the security of embedded systems and how we trust those sensors to send us the right information.

IBM has got involved in the embedded security domain. We bought a company called Telelogic about three years ago, which is well known for embedded design and embedded programming. Many vendors, including LG, use our technology to make their devices smarter, such as smart refrigerators.

We also have some work at IBM Research called Trust Us, wherein we can put a key check on the sensors to test the data that is being sent and wipe the data, if required, when infiltration is detected. So instead of passive communication, we can have active communication with a remote server. We are making these sensors tamper-proof.

There are also other issues with embedded systems. Stuxnet, for example, was focused on Siemens controller systems, with Windows as the operating system. We're also in discussion with many medical device manufacturers whose devices run Windows operating systems. A typical smart medical device has a life of 15 years, and often the Windows on it is not patched during the device's entire life cycle.

I question whether Windows is the right operating system for these controller systems and medical devices, or whether there are more hardened operating systems for them. Our BigFix solutions are now moving to these non-traditional systems to search for unpatched devices across the network. We're not there yet, but we are gradually extending to more and more such devices.

There's so much programming that has started to go into embedded devices, including smartphones, that there aren't enough skilled programmers who can write secure code for embedded systems. There's a huge skill-set gap in this industry, and a lot of education needs to be provided there. The good thing is that security solutions for PCs and smartphones are also moving to other devices like tablets.

Advanced Persistent Threats are becoming a common threat vector, and studies suggest that while employee education is good, it is not enough to mitigate these risks. What do organisations need to do to safeguard against these threats?

We just released our X-Force report and tried to define what an APT really is. I agree with you that they are becoming more and more complicated. However, there are certain security measures that organisations still need to take. Take the case of the Epsilon data breach, or the RSA breach. They were hacked using simple social engineering tools like spear phishing and phishing e-mails.

There is no one solution to solve the APT threat, and I think organisations need to pick up their game. You need to build a robust security framework: follow good network security, follow good data protection, follow good encryption.

Research around the X-Force report is wrapped around certain IPs where the attacks were coming from. You can get into the game by adding IP reputation technologies into your IPS and managed services so that these attacks can be blocked. At the end of the day it comes down to the domains of security, the areas you focus on that APTs uncover, and doing the right things to block them.

But do you think typical enterprises would have the expertise to build such a level of security for themselves?

Well, I think most of them wouldn't. And therefore we see organisations increasingly seeking expert support through managed security services to do some very advanced security work for them. We manage security environments for 4,000 customers. Small organisations find it really hard to cover their risks by completely securing their environments against advanced threats.

Many enterprises are looking to managed security to outsource common perimeter security while they focus on the unique elements of their security. Some of the managed security players are also putting in place a super cyber team of highly skilled security professionals.

Some of our customers are giving us their log information, all their data, and asking us to analyse their security loopholes so that we can plug all the holes. So managed security is being seen both for common functionalities like firewalls and perimeter security and for very high-end security.

What would be the biggest threat vectors going forward?

We're focused on a handful of areas. Some are external threat vectors and some are internal. There are still a lot of issues with internal threats. It is quite common for some employees to send out sensitive spreadsheets through their personal mail accounts from the office.

Mobile security seems to be on everyone's mind. Most firms are either moving or being forced to move towards device of choice, letting employees manage their own mobile devices. In some cases, employees are even responsible for buying their laptops. This is a great cost saving but also brings a lot of security challenges.

Some of the issues are: what policies do you establish for these devices, what enterprise applications can be put on them, and do we partition the device or not and treat it as both a private and a work device? Then, how do you manage it, wipe it and control it in case it is lost? There are solutions coming up to address these issues, but there aren't any complete solutions yet.

Cloud and virtualisation would be the next big threat vectors. Organisations are leveraging virtualisation and cloud to optimise their resources and reduce costs. There are a lot of variants of cloud, and we do a lot of work with customers to see whether the model of the cloud should be private, public or hybrid. Managing risks in these environments will be critical going forward as organisations start to put their critical data in the cloud.

There's a general trend in the security domain that every system, every device, every user needs to be protected equally. I think this will go through some changes. We're seeing people focusing on user roles, reclassification of roles and data, understanding data policy, data risks, data motion, etc., and then starting to put smaller perimeters around key users and key assets within the organisation.

Finally, we're getting some core technologies that allow us to handle some large data issues around security, so that we can integrate data from various security tools and analyse it in real time. Banks have used this for many years to protect against credit card fraud, looking for patterns of fraud; based on usage behaviour they are alerted to fraud. We are starting to see similar technologies in security. We've seen cases where the same ID has logged into the network from two different geographical locations simultaneously. That should set off a security alarm.

However, there are tons of data coming in from various devices like firewalls, IPS, log information, etc., and you need the capability to pull all this data together and analyse it in real time.

How do you see the CISO role changing and evolving?

CISOs previously used to do security for compliance. Now they are turning it upside down. CISOs now need to build to secure, and if you can prove security, you can always get compliance. So you need to put risk assessment in place, meet with the board, and do an annual risk assessment.

We're seeing a lot of CISOs have started reporting to the board: instead of chasing compliance, CISOs are driving security and letting security drive compliance for them. The CISO is now becoming a risk advisor for the organisation. I think CISOs are gradually becoming business leaders, and they are headed in this direction over time.

What would be your focus areas in terms of acquisitions?

We'd be looking at fairly mature companies with proven technologies which also work with our existing technologies. Our BigFix acquisition was tightly integrated with our systems management capabilities and went well with some of the security things that we were doing. So we're not looking for companies with technologies that work in a standalone environment. What we're looking for is something that can complement and accelerate our existing core offerings.
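
The "same ID logging in from two geographical locations simultaneously" case Robinson mentions is the classic impossible-travel check, and it is simple enough to show as working code. The block below is an added example for this article, not code from the interview or from any IBM product. It assumes login events already carry coordinates (in a real pipeline these would come from a GeoIP lookup on the source address), uses an assumed 900 km/h threshold (roughly airliner speed) and an assumed 50 km floor to ignore GeoIP jitter within one city, and runs over a constructed sample log.

```python
"""Impossible-travel detection over login events (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 900.0   # assumed threshold: faster than this is not plausible travel
MIN_DISTANCE_KM = 50.0  # assumed floor: ignore GeoIP jitter inside one metro area


@dataclass(frozen=True)
class Login:
    user: str
    when: datetime
    src_ip: str
    lat: float
    lon: float


# Constructed sample events (not real data). Coordinates stand in for a GeoIP lookup.
SAMPLE_LOG = """\
2011-06-08T09:00:00Z user=alice ip=203.0.113.10 lat=19.07 lon=72.88
2011-06-08T09:20:00Z user=alice ip=198.51.100.7 lat=40.71 lon=-74.01
2011-06-08T09:30:00Z user=bob ip=203.0.113.20 lat=28.61 lon=77.21
2011-06-08T13:30:00Z user=bob ip=203.0.113.44 lat=12.97 lon=77.59
2011-06-08T10:00:00Z user=carol ip=192.0.2.5 lat=51.51 lon=-0.13
2011-06-08T10:00:00Z user=carol ip=192.0.2.9 lat=51.50 lon=-0.12
2011-06-08T11:00:00Z user=dave ip=203.0.113.77 lat=19.07 lon=72.88
2011-06-08T11:00:00Z user=dave ip=198.51.100.3 lat=40.71 lon=-74.01
"""


def parse_line(line: str) -> Login:
    """Parse one 'timestamp key=value ...' line into a Login event."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Login(kv["user"], when, kv["ip"], float(kv["lat"]), float(kv["lon"]))


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def find_impossible_travel(lines, max_speed_kmh: float = MAX_SPEED_KMH,
                           min_distance_km: float = MIN_DISTANCE_KM) -> List[dict]:
    """Return one alert per consecutive login pair whose implied speed is implausible.

    Events are grouped per user and sorted by time, so out-of-order log delivery
    is tolerated. Two logins at the same instant from distant places (the case the
    interview describes) give a zero time delta; that is treated as infinite speed
    rather than raising ZeroDivisionError.
    """
    by_user: Dict[str, List[Login]] = {}
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        by_user.setdefault(ev.user, []).append(ev)

    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e.when)
        for prev, cur in zip(events, events[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if dist < min_distance_km:
                continue  # same city; GeoIP resolution is not that precise
            hours = (cur.when - prev.when).total_seconds() / 3600.0
            speed = float("inf") if hours == 0 else dist / hours
            if speed > max_speed_kmh:
                alerts.append({
                    "user": user,
                    "from_ip": prev.src_ip,
                    "to_ip": cur.src_ip,
                    "distance_km": round(dist, 1),
                    "hours": round(hours, 3),
                    "speed_kmh": speed,
                })
    return alerts


if __name__ == "__main__":
    for alert in find_impossible_travel(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed log, alice (Mumbai to New York in 20 minutes) and dave (the two simultaneous logins) raise alerts; bob's Delhi-to-Bangalore hop over four hours is well under the threshold, and carol's two London addresses fall under the distance floor. In production the same check would consume events from the SIEM feed Robinson describes, with the GeoIP resolution step feeding the coordinates.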

Cross-posted from CTO Forum
