Whitepaper: 10 Steps to 3D Security

10 Steps to 3D Security

We’ve had a turbulent two years in IT security, with businesses suffering breaches and leaks on an unprecedented scale, and new threats emerging. In 2010 alone, we saw Operation Aurora, a cyber attack that targeted dozens of Fortune 500 companies, costing them several millions of dollars to remedy. This was followed by the Wikileaks breach that exposed tens of thousands of secret U.S. government documents on a single USB stick; and also the current high-water mark in known malware threats, Stuxnet, which targeted and succeeded in delaying Iran’s nuclear enrichment programme.

These attacks were just the tip of the iceberg. Below the waterline, thousands of attacks are taking place on the Web every day – 69 attacks per second, to be precise. The majority of these go unnoticed or unreported, in many cases because that’s what they are designed to do – to stay under the radar and undiscovered. Malicious parties are choosing their targets, gathering information about them from a range of sources (such as LinkedIn, Twitter and corporate websites) and exploiting vulnerabilities in ‘spear phishing’ attacks, under cover of innocent-looking communications.

So as security threats change, how does a business ensure it can protect itself? One thing is clear: the security protection itself has to change. No organisation can afford to continue the security buying and deployment habits of the past decade, where different solutions are collected and bolted together in a piecemeal fashion. This approach is costly and has become unmanageable – and if it isn’t manageable, it isn’t secure.

In March 2011, the Ponemon Institute surveyed over 2,400 IT security administrators around the world. A majority said that managing complex security environments is the most significant challenge they face, with over 55% using solutions from over seven different vendors to secure their network.
Organisations are struggling with minimising the total cost of ownership (TCO) and maximising performance.

“30% of IT managers globally say compliance is their main concern with new technology.” Source: Ponemon Institute, March 2011

Nearly 30% of respondents said their primary concern with emerging technology adoption is compliance. With the proliferation of cloud computing, mobility, Web 2.0 and file-sharing applications, organisations often struggle to apply the appropriate levels of security across all layers of the network, while also adhering to stringent compliance requirements. These new technologies also make security more complex and increase the risk of data loss by employees or other insiders.

So there are three key dimensions to security that need to be understood. To enforce better protection, organisations have to approach security with a holistic view of their environment, to understand where risks can reside. Then they need to define a clear policy that aligns with their business needs and industry regulations. Finally, they need to educate their people – their employees and partners – on their vital role in maintaining the organisation’s security profile.

softwareblades™ © 2011 Check Point Software Technologies Ltd. All rights reserved.

We call this 3D Security: combining enforcement, policies and people to cost-effectively protect against threats, and mitigate risks of breaches and attacks throughout the organisation. So what is the blueprint for 3D Security? This paper will outline 10 key steps to help you define policies, address threats, get control of your security estate, minimise total cost of ownership, and encourage users’ buy-in and involvement in security – transforming your organisation’s protection against threats.

1. Policies Matter

The first stage in fully aligning security with your business needs is to evaluate your company’s IT security policies.
When were those policies last looked at and updated to reflect new communications channels, such as the use of smartphones and other mobile devices for email and network access, or the use of social media applications? Furthermore, when were the policies distributed to your employees? Have they even read them, let alone understood what they mean? Recent research suggests that security awareness is low amongst employees in UK companies: in a Ponemon Institute paper from spring 2011, 53% of UK administrators believed that staff in their companies had low or no awareness of security policies and compliance issues.

To make a security policy relevant, first it has to truly reflect what goes on in your business right now. Are staff using personal laptops, smartphones and storage devices for work? If you haven’t audited usage of personal devices in your business yet, the answer is simple: yes, personal devices are being used, and your corporate data is on those devices with or without your approval. Are staff using social media and Web 2.0 apps for work purposes? Yes, and for non-work purposes too.

An effective security policy starts with a complete, realistic audit of your organisation’s networks and devices which takes into account: the types of computing that happen in your business; what data is being processed, by what devices, and where; the potential ramifications (legal, regulatory and reputational) if that data is lost, stolen or sent to the wrong person; and the avenues that potential hackers could use to breach your systems. This means having the ability to identify security needs and gaps in defences, in order to understand where risks may reside.

Once the policy is defined, it has to be understandable by employees at all levels, not just by staff who know their IPS from their IDS. This means the policy should be presented in simple business terms, not just technology terms.
For example, it should contain simple instructions such as:

- Laptops used for business purposes must have data encryption deployed, whether the laptop is company-issued or personally owned
- Any data copied to removable devices must be strongly encrypted. You should only use your company-issued device for this
- Your use of social media applications within the office (LinkedIn, Twitter, YouTube etc.) will be monitored and actions logged

“53% of UK IT staff say their company’s employees have little or no security awareness.” Source: Ponemon Institute, March 2011

Most organisations today do not have policies that are easy to understand, and they often neglect to inform their employees of these policies. As employees are a critical element in IT security, with increasing numbers of attacks aimed at ‘hacking the person’ – getting your employees to make a mistake – in order to access sensitive information, it’s vital that your staff understand and buy into those policies. We will go into more detail on how to actively enforce policies at critical security decision points later.

2. Mind the (technology) gap

In step 1 above, we mentioned that communications channels and business tools continue to evolve, which means security threats are evolving along with them. To take just one example of a typical security breach, data loss, in 2011 the Ponemon Institute found that just 25% of UK organisations had not suffered a data loss in 2010. Of those that had, 54% were caused by lost or stolen equipment; 25% by hacking attacks; 22% via a web application or file-sharing site; and 6% by sending emails to the wrong recipient. So organisations are almost as likely to lose data via a Web 2.0 app as they are from an active, malicious hack on their network.
What’s more, simple unintentional actions such as mislaying a device or clicking ‘Send’ on an email too quickly are more likely to cause a breach. As such, the network audit we recommended in step 1 will highlight the way your business is using your IT resources, and the threats it faces from that usage. This in turn will highlight what additional protections may be needed to plug gaps that are not covered by your existing infrastructure – such as Data Leak Prevention (DLP) to monitor outgoing email traffic; User and Application Control solutions to give per-user, policy-based management over the use of Web and social media applications; Intrusion Prevention to help mitigate the risk of hacking attacks and nullify Advanced Persistent Threats (APTs); Anti-Bot protections to stop network botnet infections that can cause an organisation to be spam-blacklisted and consume bandwidth; and more.

3. Consolidate, don’t compromise

As touched upon earlier, managing the complexity of security is a growing concern, frequently raised by organisations of all sizes. According to the Ponemon Institute, it’s the biggest security challenge companies face currently. This is really no surprise: security environments today have become more complex than ever, as businesses constantly struggle to raise their level of security and cope with the latest security threats. As they add more layers to their security infrastructure and deploy a variety of point products for specific protections, organisations often end up managing 10 or more different systems, vendors and platforms.

“Just 25% of UK firms had NOT suffered a data breach in 2010.” Source: Ponemon Institute, March 2011

Not only does this become very difficult to manage, it is also inefficient and expensive, financially and operationally.
This is compounded by the need to deploy technologies such as IPS, firewall, VPN, anti-virus, anti-spam, Network Access Control (NAC) and more at the network level, and also on growing endpoint estates, such as smartphones and laptops. More than ever, organisations need an approach that moves away from offering a plethora of different security products that address each problem individually. Instead, they need a flexible, extensible infrastructure that provides the security protections they need now, with the ability to grow with their evolving security needs.

This approach is embodied in Check Point’s Software Blade architecture, a series of over 30 independent and flexible security modules, which can be purchased independently or as pre-defined bundles, and deployed on existing gateways and appliances. This approach enables you to build a security gateway solution customised to your exact needs – and managed under a single console, consolidating functions and simplifying management without compromising security.

4. Boundary Issues

Earlier, we touched on the growth of mobile computing, and how it is already part of daily work life in most companies. IT teams are struggling to keep up with all the devices their employees bring onto the corporate network. As well as laptops, technologies that started in the consumer market have found their way into business environments. Consumer hardware, such as smartphones (iPhone, BlackBerry or Android devices) and tablet computers, has now found its place in business. To keep ahead of the consumerisation trend, businesses must ensure that all corporate data and resources transiting these mobile devices or services are protected, while guaranteeing their employees secure access to the network anytime, anywhere.
The starting point, as we mentioned in step 1, is auditing all the devices in use in an organisation, and which of your employees are using them for network access, processing emails and so on. Then, once you have established where exactly your organisation’s boundaries are, you can apply protection: either by provisioning centrally-managed security for each device (for example, by using Check Point’s Mobile Access Software Blade and client software), or even by issuing employees and partners with personal virtualised workspace solutions, such as Check Point’s Abra, which secure any laptop or PC they are plugged into, enabling employees to work securely from any location, and leaving no traces behind on the host PC when the session is ended. With these solutions, you can safeguard even the most distant outposts on the perimeter of your organisation.

“Managing complexity is the biggest security challenge facing IT managers.” Source: Ponemon Institute, March 2011

5. Secure your data

Having established where your organisation’s boundaries are, it’s critical to secure your sensitive data wherever it resides. Although data can be regarded as being relatively secure on servers behind the corporate firewall, it’s only a couple of clicks away from being sent out of the organisation by email, copied onto a USB memory stick, or replicated on a mobile device. So you should deploy multiple layers of security to protect against these eventualities. A Data Leak Prevention (DLP) solution will help to mitigate the risk of inadvertent data losses by email. Endpoint data encryption solutions can automatically encrypt data being written to removable media, to ensure that data stays protected even if the device is lost or stolen. Endpoint solutions can also protect laptops and smartphones using full-disk encryption, ensuring that all data on the device is secured at all times.
And as mentioned in step 4, some organisations are adopting personal virtualised workspace solutions, enabling employees to access their desktop securely from any machine, and keeping sensitive data protected.

6. Educate and empower, trust and verify

In step 1, we mentioned that your employees are just as important to the security process as the IT solutions you deploy. Most organisations don’t pay much attention to the involvement of users in the security process. In fact, the attitude often expressed is that IT security should protect users against their own mistakes. Indeed, unintentional actions by users frequently result in malware infections and accidental data losses. However, involving employees in the security process can only enhance and strengthen protection. A workforce that is informed and educated on their organisation’s security policies, as well as on their expected behaviour when accessing the corporate network and data, will play a key role in minimising risks.

The key is to make the security as seamless, transparent and unobtrusive as possible, and to not inhibit users’ actions excessively or change the way they work – especially with the widespread use of social media and Web 2.0 applications for business. The most effective way to achieve this is to make users aware of the potential security issues that are involved in a seemingly innocuous action like sending an email, by holding up a mirror to their actions so they can be actively involved in the security process. This is the approach embodied in Check Point’s UserCheck technology.

Prevention is the cure

Let’s look at a typical scenario involving a DLP solution, to show how UserCheck works.
When an employee has composed an email, addressed it and clicked ‘send’, the body of the email together with any attachments should be analysed by the DLP solution, with the text and attached files compared with a set of defined characteristics for identifying potentially sensitive data. This may include certain key words in the email body text such as ‘financial’, ‘report’, ‘specifications’ and so on; also file types such as spreadsheets or presentations (which may contain financial data), or documents which may include confidential records or strategic material.

If the DLP solution detects a potential breach based on this analysis, it will override the ‘send’ instruction and present the user with a pop-up dialogue, alerting them to a potential data loss risk, and asking if they wish to proceed. Then the user must decide whether they: a) want to continue and send the email and attachments as they are, without changes; or b) realise that they may have made a mistake, prompting them to edit the body text or remove attachments. There should also be the option for the user to key in a brief explanation of why they overrode the DLP solution’s alert.

The DLP solution logs the user’s action, the fact that the user was alerted, and any user-entered explanations, giving an audit trail for subsequent analysis and review. This also removes much of the burden of day-to-day security management from IT staff, as employees take on a greater responsibility for protecting themselves against security mistakes.

“28% of UK data losses in 2010 were due to inappropriate use of web apps or misaddressed emails.” Source: Ponemon Institute, March 2011

The same approach can apply for users’ access to social media applications.
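The email flow described above (inspect body and attachments, alert the user, record their decision and any explanation) as an added example; this is not Check Point's UserCheck code. The keyword and extension lists, the sample emails and the ask_user callback that stands in for the pop-up dialogue are all constructed for illustration.

```python
"""Added example (not Check Point's code): a minimal UserCheck-style DLP gate
for outgoing email. Policy lists and sample messages are constructed."""
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Constructed policy: indicators of the kind the text describes. A real
# deployment would use the product's own data types, not this short list.
SENSITIVE_KEYWORDS = ("financial", "report", "specifications", "confidential")
SENSITIVE_EXTENSIONS = (".xls", ".xlsx", ".ppt", ".pptx", ".doc", ".docx")


@dataclass
class Email:
    sender: str
    recipients: List[str]
    body: str
    attachments: List[str] = field(default_factory=list)


@dataclass
class AuditRecord:
    """One audit-trail entry: what was flagged, whether the user was alerted,
    what they decided and any explanation they gave for an override."""
    sender: str
    reasons: List[str]
    alerted: bool
    decision: str                      # "sent", "sent_override" or "cancelled"
    justification: Optional[str] = None


def inspect(email: Email) -> List[str]:
    """Return the reasons the email looks sensitive; an empty list means clean."""
    reasons = []
    for kw in SENSITIVE_KEYWORDS:
        if re.search(rf"\b{re.escape(kw)}\b", email.body, re.IGNORECASE):
            reasons.append(f"keyword '{kw}' in body")
    for name in email.attachments:
        if name.lower().endswith(SENSITIVE_EXTENSIONS):
            reasons.append(f"attachment '{name}' is a document, spreadsheet or presentation")
    return reasons


# Stand-in for the pop-up dialogue: receives the reasons and returns
# (proceed, justification). In a real client this blocks on the user.
AskUser = Callable[[List[str]], Tuple[bool, Optional[str]]]


def gate_send(email: Email, ask_user: AskUser, log: List[AuditRecord]) -> bool:
    """Intercept 'send'. Returns True if the email may leave the organisation."""
    reasons = inspect(email)
    if not reasons:
        log.append(AuditRecord(email.sender, [], False, "sent"))
        return True
    proceed, justification = ask_user(reasons)
    decision = "sent_override" if proceed else "cancelled"
    # Log the alert and the decision either way: this is the audit trail the
    # text calls for, including the user's own explanation for an override.
    log.append(AuditRecord(email.sender, reasons, True, decision,
                           justification if proceed else None))
    return proceed


if __name__ == "__main__":
    audit: List[AuditRecord] = []
    msg = Email("alice@example.com", ["bob@example.org"],
                "Attached is the Q3 financial report", ["q3-results.xlsx"])
    # Simulate a user who reads the alert, overrides it, and explains why.
    gate_send(msg, lambda r: (True, "Bob is our external auditor"), audit)
    for entry in audit:
        print(entry)
```

The same gate serves the social-media case by swapping the inspect step for an application-category lookup; the prompt, the decision and the logged justification are unchanged.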
Instead of barring users from accessing YouTube, LinkedIn and similar sites and apps at work, they can simply receive a pop-up dialogue reminding them of corporate policy regarding the use of these apps, and asking them to enter a brief note on why they wish to use the site. This has the effect of reminding users of the company’s security policies at the point where it matters the most – just before a potential breach can happen – and helps to reinforce secure computing behaviour by showing trust, but also verifying their actions.

7. Avoiding cloud storms

A large percentage of businesses, from enterprises to SMBs, are anticipating migration of at least some of their computing capability to the cloud. Simultaneously, the spectrum of cloud services is also expanding considerably, as more and more applications will be offered in the cloud throughout the coming years. The cloud security challenges are clear: according to Morgan Stanley’s 2010 CIO Cloud survey, data security and the loss of control are the major concerns of companies – followed by data portability and ownership, regulatory compliance, and reliability and availability. Companies using in-the-cloud services don’t always know who they are sharing their environment with, and that raises serious concerns over vulnerabilities.

Specialised protection is needed to secure dynamic, virtualised environments and external networks, such as private and public clouds, from internal and external threats by securing virtual machines and applications, in much the same way that conventional networks and devices are secured. Solutions such as Check Point’s Security Gateway Virtual Edition deliver this security, ensuring that virtualised environments can be secured and managed as easily as conventional networks.

8. Maintaining visibility

As threats continue to grow and security becomes more complex, managing that complexity has become a critical issue.
In spring 2011, the Ponemon Institute reported that 42% of UK IT managers said managing security complexity and enforcing policies was the biggest IT challenge they faced. This complexity makes it very hard to spot the clues that show when defences have been breached and a security threat is emerging. Networks and security deployments such as IPS, IDS, firewalls and anti-virus throw out gigabytes of log data every day, and can also generate false positive alerts, often hiding emerging threats from the IT team. These events take time to sort through – time that can be exploited by REAL security threats.

The issue is insufficient context for the alerts. Firewalls and IPS don’t understand the business importance and vulnerabilities of all systems within the organisation. For example, an attempted malware infection of a web server may be reported as a high-priority event by the firewall, even if systems have already been patched against it. However, a Security Information and Event Management (SIEM) solution such as Check Point SmartEvent can automate the collection, correlation and contextualisation of security log data and events, which puts what’s happening on the network into perspective – removing the irrelevant noise, and enabling focus on the important events from a single management console. This makes management easier, and frees up time for the IT team, giving them the tools they need to maintain visibility without being overwhelmed.

“42% of UK IT staff said security complexity and policy enforcement was their biggest IT challenge.” Source: Ponemon Institute, March 2011

9. Choose the right platform

We touched earlier on the growing complexity of security estates, with new and emerging threats demanding new products to mitigate the risks, leading to ‘solution sprawl’.
Your security solutions should enable IT teams to set and deliver effective, policy-driven protection, without needing constant maintenance and without complex, multi-interface management. Solution sprawl needs to be reversed, and infrastructure simplified and rationalised, to contain cost and management overheads. This can be achieved in two ways.

First, by deploying a security gateway solution, which combines functions including firewalling, IPS, VPN, endpoint security, URL filtering and more onto one hardware platform. These gateways can offer excellent value and greatly simplified management, especially for smaller and medium-sized businesses, because they combine multiple best-of-breed products in a single solution. A criticism that used to be levelled against multi-function security gateways was that they were jacks-of-all-trades, but masters of none; and that they were inflexible and could not easily be upgraded to include new protections. However, latest-generation gateways have the performance and capacity to be extensible and accommodate growth.

The second approach is to use an extensible architecture such as Check Point’s Software Blades, a deck of independent and flexible security modules, which can be purchased independently or as pre-defined bundles, and deployed on existing gateways and appliances according to your exact needs. The two approaches are not mutually exclusive: Check Point security gateways also utilise the Software Blade architecture, giving optimum flexibility and adaptability to change.

However, a key question remains: how do you choose the right gateway to suit your current needs, and be sure it can grow to keep pace with your changing requirements in the future? Different organisations can have vastly different requirements in securing their computing environments: network size, required throughput, desired security functions, ability to handle future growth and allotted budget are all significant components of the decision process.
Furthermore, the comparison data available for gateways is compromised, as it typically includes only firewall throughput, measured in ideal lab conditions – making comparisons unrealistic. However, Check Point recently introduced its SecurityPower benchmark metric, which allows customers to select security appliances by their capacity to handle real-world network traffic, multiple advanced security functions and a typical security policy. Each appliance has a specific SecurityPower Capacity that represents its real-world performance. This is calculated by integrating multiple performance measurements based on a real-world mix of network traffic derived through extensive research involving a large number of Check Point customers. Different combinations of advanced security functions including firewall, IPS, application control, antivirus, URL filtering and data loss prevention are applied to the traffic. All measurements are performed using a realistic security policy that includes 100 firewall rules, logging of all connections, Network Address Translation (NAT), a strong IPS protection profile, and up-to-date antivirus signatures.

There’s also an Appliance Selection Tool to help determine which appliances can best meet network security needs and support anticipated future traffic increases and additional security functions. By choosing the right platform, you can cut out the complexity of security, and reduce overhead costs and the IT management burden too.

10. Avoid future shocks

The final step in transforming your organisation’s defences against threats is to make security a central part of its overall IT infrastructure, not just an add-on component or afterthought. The security should align with your organisation’s requirements, to help ensure that business can continue smoothly with minimal risk of disruption.
To do this, consider the three critical dimensions of security:

- gain a holistic view of your business and IT environment to define a clear policy that aligns with your business needs and industry regulations
- enforce protection according to policies using integrated solutions
- educate your people – employees and partners – on their vital role in maintaining your organisation’s security policies and profile.

Also, maintain a dialogue with your security integrators and providers: they should keep you apprised of the latest developments in solutions that could address emerging needs; and by keeping them updated on your situation, they should be able to suggest new approaches to enhance security and reduce TCO and management overhead.

In conclusion, an educated, security-aware workforce, combined with a solid, in-depth security system and well-defined security policies, delivers the strongest defence against all types of threat. With this 3D Security approach, you’ll have the clearest view of the risks to your business, and the ability to respond to and nullify those threats, both now and in the future.