Technology briefing: Enterprise security

For the CSO facing ever-increasing threats, there's a wealth of decisions to be made, not the least of which is what kit to buy. In a world where seemingly all security advice is now about strategy, there still needs to be something sitting there to actually do the securing.

But with so much needing to be secured, sometimes inside the perimeter, sometimes outside, and with the state of the art and approaches changing all the time, working out what's necessary and effective rather than "nice to have" and unproven are difficult matters.

Perimeter security, for example, is something that has been undergoing a rethink for several years. Once, keeping everyone out at all costs was the accepted thinking. But with more and more partners needing to interface with systems, and remote workers needing to access corporate data, endpoint and perimeter security have been changing.

Stuart Okin, managing director of Comsec Consulting UK, for example, argues that VPNs, the workhorse of remote access for several years, are going to become superfluous or evolve in other ways. "You're going to see Windows 7 in the next two years and that will have IPv6 encryption on wire built in. It'll be easier to do, require less energy and cost. It'll be no more difficult to deploy than Active Directory." With IPv6 available by default, many kinds of perimeter security could easily disappear, with VPNs retained to boost security even further by adding multi-factor authentication, such as that available in some of Cisco's and Juniper's VPN products.

However, while encryption at the traffic level will make it easier to open up the network, encryption higher up the stack will still remain necessary and will need to become more ubiquitous, especially in light of the continuing loss of laptops by major organisations. Companies such as PGP provide centralised encryption solutions designed to manage encryption on all devices, whether they're physically contained in the enterprise or not. RSA's Data Loss Prevention Suite helps uncover business risks associated with sensitive data loss and reduces them through policy-based remediation and enforcement mechanisms.

DES argues that application-level encryption will soon become necessary. "If the database application is encrypting and decrypting the file content, then the default state of the stored information would be encrypted." Electronic document and record management systems that meet the National Archives' new Model Requirements 2 will also provide additional levels of document security, argues Mike Gillespie from consultancy Advent-IM.

Stonewood, by contrast, has opted for hardware-level encryption of storage devices, with OS-independent software. It offers both built-in and USB-pluggable hard drives, with multiple user accounts and optional two-factor authentication.

Not all data can be encrypted, and data coming into an organisation usually won't be, and can often bring problems, including viruses, so gateway and endpoint protection aren't going away any time soon. Companies like BorderWare advocate analysing data that passes through gateways such as email servers. However, BorderWare argues, blanket rules for information do not work: blocking all users from sending financial details over email or IM also hinders those who should be allowed to send such documents. Using policies, the right people can send what they need to, where they need to, without hindrance. For example, the CFO might have a policy that lets him send financials to the accountant and other C-level execs but not to himself or any other recipient.

BorderWare's systems also use Bayesian analysis to examine documents and give them a probability score of confidentiality. It does this analysis by learning the types of things that an organisation should not be sending out during the initial implementation then comparing these with the document in question.

More and more organisations are becoming aware that many problems can stem from internal attacks, either from infected PCs or untrustworthy employees. Products such as HP's ProCurve move some of the traditional perimeter protection to the network.

'Virus throttling' is based on the behaviour of malicious code and the ways in which that behaviour differs from that of normal code. Under normal activity, a computer makes fairly few outgoing connections to new computers and is far more likely to connect regularly to the same set of computers. A rapidly spreading worm, by contrast, attempts many outgoing connections to new computers. Virus throttling therefore puts a rate limit on connections to new computers, so that normal traffic is unaffected while suspect traffic that tries to spread faster than the allowed rate is slowed. The slowing creates large backlogs of connection requests that are easy to detect. Once the virus has been slowed and detected, IT staff have the time they need to isolate the machine and eradicate the threat by cleaning it from the system.
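The throttle described above, as an added toy model of my own (not HP's implementation): recently contacted destinations form a small working set and pass straight through, everything else waits in a delay queue drained at a fixed rate, and the queue length is the detection signal. Two constructed traffic patterns show why ordinary desktop traffic is untouched while a scanner backs up immediately.

```python
from collections import deque

class VirusThrottle:
    """Working set of recently contacted hosts plus a rate-limited delay queue
    for connections to new hosts; a long queue raises the alarm."""

    def __init__(self, working_set_size=5, new_per_tick=1, alarm_len=10):
        self.working_set = deque(maxlen=working_set_size)  # oldest destination evicted
        self.new_per_tick = new_per_tick                    # new hosts allowed per tick
        self.alarm_len = alarm_len                          # backlog that raises the alarm
        self.delay_queue = deque()
        self.alarm = False

    def request(self, dest):
        """Host asks to connect to dest; True if it may go out immediately."""
        if dest in self.working_set:
            return True
        self.delay_queue.append(dest)
        if len(self.delay_queue) >= self.alarm_len:
            self.alarm = True
        return False

    def tick(self):
        """Once per clock tick: release up to new_per_tick queued connections."""
        released = []
        while self.delay_queue and len(released) < self.new_per_tick:
            dest = self.delay_queue.popleft()
            if dest not in self.working_set:
                self.working_set.append(dest)      # now a 'known' destination
            released.append(dest)
        return released

def normal_client(tick):
    return [["mail", "fileserver", "intranet"][tick % 3]]  # constructed: same three servers

def worm(tick):
    return [f"10.0.{tick}.{j}" for j in range(10)]  # constructed: ten new addresses per tick

def simulate(traffic, ticks=20, **throttle_args):
    """Run traffic through a throttle; returns (alarm raised?, largest backlog seen)."""
    t, peak = VirusThrottle(**throttle_args), 0
    for i in range(ticks):
        for dest in traffic(i):
            t.request(dest)
        peak = max(peak, len(t.delay_queue))
        t.tick()
    return t.alarm, peak
```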

For access control, ProCurve configures security and performance settings based on user, device, location, time and client system state. Its Identity Driven Manager (IDM) gives network administrators the ability to centrally define and apply policy-based network access rights, allowing the network to adapt automatically to the needs of users and devices as they connect, thereby enforcing network security while providing appropriate access to network users and devices.

Sourcefire's real-time user awareness (RUA), part of its 3D System, enables users to correlate threat, endpoint and network intelligence with user identity information so they can mitigate risk, block users or user activity, and take action to protect others from disruption. RUA uses LDAP and Active Directory domains as its sources of data to build user intelligence.

Prevx uses behavioural analysis to monitor employees and devices, together with whitelists and blacklists, to ensure data remains secure, while InterGuard has a suite of products for monitoring employees' behaviour and its results: Datalock runs as a desktop agent and monitors emails and removable media, looking for restricted data types and information such as bank account numbers; Laptop Cop allows administrators to remotely geo-track a stolen computer no matter where it goes, retrieve and/or delete any files, and record and control everything that the thief does on the computer; while Sonar builds up logs of employee computer usage for inspection by administrators.

Logs, however, remain a bugbear for many administrators. While just about every device, particularly security devices, generates logs of activity, it still takes someone or something to check those logs to see what they reveal.

"Searching raw logs for text strings is tedious and unreliable, since each system and application vendor uses a different nomenclature for classifying and defining events," said Jon Oltsik, senior analyst at Enterprise Strategy Group.

LogRhythm's "Intelligent IT Search" enriches log entries with intuitive classifications, human understandable names, risk modelling and prioritisation, and a universal time stamp. It can defend against internal threats by, for example, instantly querying all audit events, such as modifications to access and authentication privileges, linked to a given user's Active Directory (or other network login) account during a specified time period.
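The problem Oltsik describes and the enrichment LogRhythm is said to apply, worked through in my own added example (not LogRhythm's code): two constructed log formats, a Windows-style security event and a syslog line, are mapped onto one schema with a UTC timestamp, a human-readable class and the accounts involved, so that "every audit event linked to a given account in a time window" becomes a single query. The syslog year and time zone are assumptions, since that format carries neither.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines in two formats (not real product output).
RAW_LOGS = [
    r"2009-01-12 09:14:03 +0000 DC01 EventID=4728 Subject=CORP\jsmith Member=CORP\tbrown Group=Domain Admins",
    "Jan 12 10:02:17 fs02 sudo: tbrown : TTY=pts/0 ; COMMAND=/usr/sbin/usermod -aG wheel tbrown",
    r"2009-01-12 11:30:45 +0000 DC01 EventID=4625 Subject=CORP\tbrown Status=0xC000006D",
    "Jan 13 08:00:01 fs02 CRON[1223]: (root) CMD (run-parts /etc/cron.hourly)",
]
SYSLOG_YEAR, SYSLOG_TZ = 2009, timezone(timedelta(hours=1))  # assumed: syslog lines carry no year or zone

WIN = re.compile(r"^(\S+ \S+ \S+) (\S+) EventID=(\d+) (.*)$")
SYS = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (\S+?)(?:\[\d+\])?: (.*)$")
WIN_CLASS = {"4728": "privilege change", "4625": "authentication failure"}  # vendor code -> plain name

def normalise(line):
    """One schema for every source: UTC timestamp, host, class, accounts involved."""
    m = WIN.match(line)
    if m:
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S %z").astimezone(timezone.utc)
        fields = dict(kv.split("=", 1) for kv in m.group(4).split() if "=" in kv)
        users = {v.split("\\")[-1] for k, v in fields.items() if k in ("Subject", "Member")}
        return {"ts_utc": ts, "host": m.group(2), "users": users,
                "category": WIN_CLASS.get(m.group(3), "other"), "raw": line}
    m = SYS.match(line)
    if m:
        local = datetime.strptime(f"{SYSLOG_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ts = local.replace(tzinfo=SYSLOG_TZ).astimezone(timezone.utc)
        prog, msg = m.group(3), m.group(4)
        users = {msg.split(" : ")[0]} if prog == "sudo" else set()
        cat = "privilege change" if prog == "sudo" and "usermod" in msg else "other"
        return {"ts_utc": ts, "host": m.group(2), "users": users, "category": cat, "raw": line}
    return None  # unknown format: surface it for a new parser rather than silently dropping it

def events_for(user, start_iso, end_iso, lines=RAW_LOGS):
    """Every normalised event naming `user` with start <= time < end, oldest first."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    hits = [e for e in map(normalise, lines)
            if e and user in e["users"] and start <= e["ts_utc"] < end]
    return sorted(hits, key=lambda e: e["ts_utc"])
```

Note that the group-membership event names two accounts, the administrator who made the change and the account that gained the privilege, so the query matches on either; that is what lets a search on the target account surface who granted it.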

Possibly the newest internal threat to the enterprise is from the IT staff itself, thanks to the spread of virtualisation. While this increases server utilisation rates, it also increases security threats, such as a lack of separation of duties, insufficient isolation and inadequate auditing. Mike Small, principal security consultant at CA, says: "An extra layer of protection is needed to effectively protect virtualisation platforms. This layer needs to properly identify administrators and enforce the principle of least privilege to protect the mission-critical information and services running in the virtual data centre."

There are as yet few products to defend virtualised environments, although Gary Wood, a research consultant at the Information Security Forum, is aware of products being developed that will maintain profiles of servers and deploy security to match new virtualised environments. Sourcefire 3D, however, already has facilities to help combat "VM sprawl", where staff deploy new virtual machines without following established configuration and change management procedures or internal IT acceptable use policies (AUPs). Sourcefire can detect VMware virtual machines, enabling security staff to identify new hosts.

Although the state of the art in IT is changing, vendors are doing their best to keep up. Whether the budgets will be there in 2009 to buy their products is a different matter.
