Whitepaper:
10 Steps to 3D Security
We’ve had a turbulent two years in IT security, with businesses suffering breaches
and leaks on an unprecedented scale, and new threats emerging. In 2010 alone,
we saw Operation Aurora, a cyber attack that targeted dozens of Fortune 500
companies, costing them several million dollars to remedy. This was followed
by the Wikileaks breach that exposed tens of thousands of secret U.S. government
documents on a single USB stick; and also the current high-water mark in known
malware threats, Stuxnet, which targeted and succeeded in delaying Iran’s nuclear
enrichment programme.
These attacks were just the tip of the iceberg. Below the waterline, thousands
of attacks are taking place on the Web every day – 69 attacks per second, to be
precise. The majority of these go unnoticed or unreported, in many cases because
that’s what they are designed to do – to stay under the radar and undiscovered.
Malicious parties choose their targets, gather information about them from a
range of sources (such as LinkedIn, Twitter and corporate websites) and exploit
that information in ‘spear phishing’ attacks, under cover of innocent-looking
communications.
So as security threats change, how does a business ensure it can protect itself?
One thing is clear: the security protection itself has to change. No organisation can
afford to continue the security buying and deployment habits of the past decade,
where different solutions are collected and bolted together in a piecemeal fashion.
This approach is costly and has become unmanageable – and if it isn’t manageable,
it isn’t secure. In March 2011, the Ponemon Institute surveyed over 2,400 IT
security administrators around the world. A majority said that managing complex
security environments is the most significant challenge they face, with over
55% using solutions from over seven different vendors to secure their network.
Organisations are struggling to minimise total cost of ownership (TCO) while
maximising performance.
“30% of IT managers globally say compliance is their main concern with new technology” (Source: Ponemon Institute, March 2011)
Nearly 30% of respondents said their primary concern with emerging technology
adoption is compliance. With the proliferation of cloud computing, mobility, Web 2.0
and file sharing applications, organizations often struggle to apply the appropriate
levels of security across all layers of the network, while also adhering to stringent
compliance requirements. These new technologies also make security more
complex and increase the risk of data loss by employees or other insiders.
So there are three key dimensions to security that need to be understood. To
enforce better protection, organizations have to approach security with a holistic
view of their environment, to understand where risks can reside. Then they need to
define a clear policy that aligns with their business needs and industry regulations.
Finally, they need to educate their people – their employees and partners – on their
vital role in maintaining the organization’s security profile.
softwareblades
™
© 2011 Check Point Software Technologies Ltd. All rights reserved.
We call this 3D Security: combining enforcement, policies and people to cost-effectively protect against threats, and to mitigate the risk of breaches and attacks
throughout the organisation. So what is the blueprint for 3D Security?
This paper will outline 10 key steps to help you define policies, address threats, get
control of your security estate, minimise total cost of ownership, and encourage
users’ buy-in and involvement in security – transforming your organisation’s
protection against threats.
1. Policies Matter
The first stage in fully aligning security with your business needs is to evaluate
your company’s IT security policies. When were those policies last looked at and
updated to reflect new communications channels, such as the use of smartphones
and other mobile devices for email and network access, or the use of social media
applications?
Furthermore, when were the policies distributed to your employees? Have they
even read them, let alone understood what they mean? Recent research suggests
that security awareness is low amongst employees in UK companies: in a Ponemon
Institute paper from spring 2011, 53% of UK administrators believed that staff in
their companies had low, or no awareness of security policies and compliance
issues.
To make a security policy relevant, first it has to truly reflect what goes on in your
business right now. Are staff using personal laptops, smartphones and storage
devices for work? If you haven’t audited usage of personal devices in your business
yet, the answer is simple: yes, personal devices are being used, and your corporate
data is on those devices with or without your approval. Are staff using social media
and Web 2.0 apps for work purposes? Yes, and for non-work purposes too.
An effective security policy starts with a complete, realistic audit of your
organisation’s networks and devices that takes into account the kinds of
computing that happen in your business: what data is being processed, by what
devices, and where; the potential ramifications (legal, regulatory and reputational) if that data is lost, stolen or sent to the wrong person; and the avenues that
potential attackers could use to breach your systems. This means having the ability
to identify security needs and gaps in defences, in order to understand where risks
may reside.
Once the policy is defined, it has to be understandable by employees at all levels,
not just by staff who know their IPS from their IDS. This means the policy should
be presented in simple business terms, not just technology terms. For example, it
should contain simple instructions such as:
• Laptops used for business purposes must have data encryption deployed on them, whether the laptop is company issue or personally owned
• Any data copied to removable devices must be strongly encrypted; use only your company-issued device for this
• Your use of social media applications within the office (LinkedIn, Twitter, YouTube etc) will be monitored and actions logged
“53% of UK IT staff say their company’s employees have little or no security awareness” (Source: Ponemon Institute, March 2011)
Most organisations today do not have policies that are easy to understand, and
they often neglect to inform their employees of these policies. As employees are a
critical element in IT security, with increasing numbers of attacks aimed at ‘hacking
the person’ – getting your employees to make a mistake – in order to access
sensitive information, it’s vital that your staff understand and buy into those policies.
We will go into more detail on how to actively enforce policies at critical security
decision points later.
2. Mind the (technology) gap
In step 1 above, we mentioned that communications channels and business tools
continue to evolve, which means security threats are evolving along with them. To
take one common type of breach, data loss: in 2011 the Ponemon Institute found
that just 25% of UK organisations had not suffered a data loss in
2010. Of those that had, 54% were caused by lost or stolen equipment; 25% by
hacking attacks; 22% via a web application or file-sharing site, and 6% by sending
emails to the wrong recipient.
So organisations are almost as likely to lose data via a Web 2.0 app as they are
from an active, malicious hack on their network. What’s more, simple unintentional
actions such as mislaying a device or clicking ‘Send’ on an email too quickly are
more likely to cause a breach.
As such, the network audit we recommended in step 1 will highlight the way your
business is using its IT resources, and the threats it faces from that usage. This in
turn will highlight what additional protections may be needed to plug gaps that are
not covered by your existing infrastructure: Data Leak Prevention (DLP) to
monitor outgoing email traffic; User and Application Control solutions to give per-user, policy-based management over the use of Web and social media applications;
Intrusion Prevention to help mitigate the risk of hacking attacks and advanced
persistent threats (APTs); Anti-Bot protections to stop botnet infections that
can get an organisation blacklisted as a spam source and consume bandwidth; and
more.
3. Consolidate, don’t compromise
As touched upon earlier, managing the complexity of security is a growing concern,
frequently raised by organisations of all sizes. According to the Ponemon Institute,
it’s the biggest security challenge companies face currently. This is really no
surprise: security environments today have become more complex than ever, as
businesses constantly struggle to raise their level of security and cope with the
latest security threats. As they add more layers to their security infrastructure and
deploy a variety of point products for specific protections, organizations often end
up managing 10 or more different systems, vendors and platforms.
“Just 25% of UK firms had NOT suffered a data breach in 2010” (Source: Ponemon Institute, March 2011)
Not only does this become very difficult to manage, it is also inefficient and
expensive, financially and operationally. This is compounded by the need to deploy
technologies such as: IPS, Firewall, VPN, Anti-virus, Anti-Spam, Network Access
Control (NAC) and more at both network level, and also on growing endpoint
estates, such as smartphones and laptops.
More than ever, organisations need an approach that moves away from offering a
plethora of different security products that addresses each problem individually.
Instead, they need a flexible, extensible infrastructure that provides the security
protections they need now, with the ability to grow with their evolving security
needs.
This approach is embodied in Check Point’s Software Blade architecture, a series
of over 30 independent and flexible security modules, which can be purchased
independently or as pre-defined bundles, and deployed on existing gateways
and appliances. This approach enables you to build a security gateway solution
customised to your exact needs – and managed under a single console,
consolidating functions and simplifying management without compromising security.
4. Boundary Issues
Earlier, we’ve touched on the growth of mobile computing, and how it is already part
of the daily work life in most companies. IT teams are struggling to keep up with all
the devices their employees bring onto the corporate network. As well as laptops,
technologies that started in the consumer market have found their way into business
environments: consumer hardware such as smartphones (iPhone, BlackBerry or
Android devices) and tablet computers now has its place in business.
To keep ahead of the consumerization trend, businesses must ensure that all
corporate data and resources transiting these mobile devices or services are
protected, while guaranteeing their employees secure access to the network
anytime, anywhere.
The starting point, as we mentioned in step 1, is auditing all the devices in use in an
organisation, and who amongst your employees are using them for network access,
processing emails and so on.
Then, once you have established where exactly your organisation’s boundaries are,
you can apply protection: either by provisioning centrally-managed security for
each device (for example, by using Check Point’s Mobile Access Software Blade
and client software), or by issuing employees and partners with personal
virtualized workspace solutions, such as Check Point’s Abra, which provide an
encrypted, isolated workspace on any laptop or PC they are plugged into, enabling
employees to work securely from any location and leaving no traces behind on the
host PC when the session ends.
With these solutions, you can safeguard even the most distant outposts on the
perimeter of your organisation.
“Managing complexity is the biggest security challenge facing IT managers” (Source: Ponemon Institute, March 2011)
5. Secure your data
Having established where your organisation’s boundaries are, it’s critical to secure
your sensitive data wherever it resides. Although data can be regarded as being
relatively secure on servers behind the corporate firewall, it’s only a couple of clicks
away from being sent out of the organisation by email, copied onto a USB memory
stick, or replicated on a mobile device.
So you should deploy multiple layers of security to protect against these
eventualities. A Data Leak Prevention (DLP) solution will help to mitigate the
risk of inadvertent data losses by email. Endpoint data encryption solutions can
automatically encrypt data being written to removable media, to ensure that data
stays protected even if the device is lost or stolen.
Endpoint solutions can also protect laptops and smartphones using full-disk
encryption, ensuring that all data on the device is secured at all times. And
as mentioned in step 4, some organisations are adopting personal virtualized
workspace solutions, enabling employees to access their desktop securely from any
machine, and keeping sensitive data protected.
6. Educate and empower, trust and verify
In step 1, we mentioned that your employees are just as important to the security
process as the IT solutions you deploy. Most organisations don’t pay much
attention to the involvement of users in the security process. In fact, the attitude
often expressed is that IT security should protect users against their own mistakes.
Indeed, unintentional actions by users frequently result in malware infections and
accidental data losses.
However, involving employees in the security process can only enhance and
strengthen protection. A workforce that is informed and educated on their
organisation’s security policies, as well as on their expected behavior when
accessing the corporate network and data, will play a key role in minimising risks.
The key is to make the security as seamless, transparent and unobtrusive as
possible, and to not inhibit users’ actions excessively or change the way they work
– especially with the widespread use of social media and Web 2.0 applications for
business.
The most effective way to achieve this is to make users aware of the potential
security issues that are involved in a seemingly-innocuous action like sending an
email, by holding up a mirror to their actions so they can be actively involved in
the security process. This is the approach embodied in Check Point’s UserCheck
technology.
Prevention is the cure
Let’s look at a typical scenario involving a DLP solution, to show how UserCheck
works. When an employee has composed an email, addressed it and clicked
‘send’, the body of the email together with any attachments should be analysed by
the DLP solution, with the text and attached files compared with a set of defined
characteristics for identifying potentially sensitive data.
This may include certain key words in the email body text such as ‘financial’,
‘report’, ‘specifications’ and so on; also for file types such as spreadsheets or
presentations (which may contain financial data), or documents which may include
confidential records or strategic material.
If the DLP solution detects a potential breach based on this analysis, it will override
the ‘send’ instruction and present the user with a pop-up dialogue, alerting them of
a potential data loss risk, and asking if they wish to proceed.
Then the user must decide whether they: a) want to continue and send the email
and attachments as it is, without changes; or b) realise that they may have made a
mistake, prompting them to edit the body text or remove attachments. There should
also be the option for the user to key in a brief explanation of why they overrode the
DLP solution’s alert.
The DLP solution logs the user’s action, the fact that the user was alerted, and any
user-entered explanations, giving an audit trail for subsequent analysis and review.
This also reduces much of the burden of day-to-day security management from
IT staff, as employees take on a greater responsibility for protecting themselves
against security mistakes.
“28% of UK data losses in 2010 were due to inappropriate use of web apps or misaddressed emails” (Source: Ponemon Institute, March 2011)
The same approach can apply to users’ access to social media applications.
Instead of barring users from accessing YouTube, LinkedIn and similar sites and apps
at work, they can simply receive a pop-up dialogue reminding them of corporate
policy regarding the use of these apps, and asking them to enter a brief note on why
they wish to use the site.
This has the effect of reminding users of the company’s security policies at the point
where it matters the most – just before a potential breach can happen – and helps
to reinforce secure computing behaviour by showing trust, but also verifying their
actions.
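The DLP scenario in “Prevention is the cure” and the social-media variant just described fit together in a few dozen lines. The Python below is an added example written for this page; it is not Check Point’s DLP or UserCheck code. The keyword list, the sensitive file types, the monitored sites, the scoring of a card number by its Luhn checksum and the `answer` callback that stands in for the pop-up dialogue are all illustrative assumptions, and the sample message is constructed. It shows each part the text describes: content inspection of body and attachments, the prompt that hands the decision back to the user, a required justification for an override, and an audit record of every alert and decision.

```python
import re
from dataclasses import dataclass

# Constructed sample policy: illustrative keywords, file types and monitored sites,
# not a vendor's rule set.
SENSITIVE_KEYWORDS = ("financial", "report", "specifications", "confidential")
SENSITIVE_EXTENSIONS = (".xls", ".xlsx", ".ppt", ".pptx", ".doc", ".docx")
MONITORED_APPS = ("youtube.com", "linkedin.com", "twitter.com")
CARD_PATTERN = re.compile(r"\b(?:\d[ -]?){15}\d\b")  # 16 digits, optional separators

AUDIT_LOG = []  # every alert, decision and justification is appended here for review


@dataclass
class OutgoingEmail:
    sender: str
    recipients: list
    subject: str
    body: str
    attachments: list  # attachment file names


def luhn_ok(digits):
    """Luhn checksum, so random 16-digit strings do not count as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def inspect_email(mail):
    """Return the reasons a message looks sensitive; an empty list means it is clean."""
    reasons = []
    text = f"{mail.subject} {mail.body}".lower()
    hits = [k for k in SENSITIVE_KEYWORDS if re.search(rf"\b{k}\b", text)]
    if hits:
        reasons.append("keywords: " + ", ".join(hits))
    for m in CARD_PATTERN.finditer(mail.body):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            reasons.append("payment card number in body")
            break
    for name in mail.attachments:
        ext = name[name.rfind("."):].lower() if "." in name else ""
        if ext in SENSITIVE_EXTENSIONS:
            reasons.append(f"attachment type {ext}: {name}")
    return reasons


def record(kind, who, subject, reasons, decision, justification):
    """Append one audit-trail entry and return it."""
    entry = {"kind": kind, "who": who, "subject": subject, "alerted": bool(reasons),
             "reasons": list(reasons), "decision": decision,
             "justification": justification.strip()}
    AUDIT_LOG.append(entry)
    return entry


def submit_email(mail, answer=None):
    """Gate an outgoing message; returns ('sent' | 'held', reasons).
    answer(reasons) -> ('send' | 'edit', justification) stands in for the pop-up
    dialogue. With no answer the message is held until the user decides."""
    reasons = inspect_email(mail)
    if not reasons:
        record("email", mail.sender, mail.subject, reasons, "send", "")
        return "sent", reasons
    if answer is None:
        return "held", reasons
    decision, justification = answer(reasons)
    if decision not in ("send", "edit"):
        raise ValueError("decision must be 'send' or 'edit'")
    if decision == "send" and not justification.strip():
        raise ValueError("overriding a DLP alert requires a justification")
    record("email", mail.sender, mail.subject, reasons, decision, justification)
    return ("sent" if decision == "send" else "held"), reasons


def request_web_app(user, host, justification=None):
    """The same prompt for monitored web apps: 'ask' until the user enters a note."""
    if host not in MONITORED_APPS:
        return "allowed"
    if justification is None or not justification.strip():
        return "ask"
    record("web", user, host, [f"monitored app {host}"], "proceed", justification)
    return "allowed"


if __name__ == "__main__":
    # Constructed sample message that trips three rules.
    mail = OutgoingEmail("alice@example.com", ["bob@partner.example"], "Q3 financial report",
                         "Use card 4111 1111 1111 1111 for the deposit.", ["forecast.xlsx"])
    print(submit_email(mail))                                                 # held, 3 reasons
    print(submit_email(mail, lambda r: ("send", "Pre-approved by finance")))  # sent
    print(AUDIT_LOG[-1])
```

A practitioner would note that bare keywords such as ‘report’ produce many false positives. The justification requirement and the audit log are what make such a rule tolerable: each false positive becomes a logged, reviewable decision rather than a silent block, and the log shows which rules need tuning.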
7. Avoiding cloud storms
A large percentage of businesses, from enterprises to SMBs, are anticipating
migration of at least some of their computing capability to the cloud.
Simultaneously, the spectrum of cloud services is also expanding considerably,
as more and more applications will be offered in the cloud throughout the coming
years.
The cloud security challenges are clear: according to Morgan Stanley’s 2010
CIO Cloud survey, data security and the loss of control are the major concerns of
companies – followed by data portability and ownership, regulatory compliance, and
reliability and availability.
Companies using in-the-cloud services don’t always know who they are sharing
their environment with, and that raises serious concerns over vulnerabilities.
Specialised protection is needed to secure dynamic, virtualized environments and
external networks, such as private and public clouds, from internal and external
threats, by securing virtual machines and applications in much the same way that
conventional networks and devices are secured. Solutions such as Check Point’s
Security Gateway Virtual Edition deliver this, ensuring that virtualized
environments can be secured and managed as easily as conventional networks.
8. Maintaining visibility
As threats continue to grow and security becomes more complex, managing that
complexity has become a critical issue. In Spring 2011, the Ponemon Institute
reported that 42% of UK IT managers said managing security complexity and
enforcing policies was the biggest IT challenge they faced.
This complexity makes it very hard to spot the clues that show when defences
have been breached, and a security threat is emerging. Networks and security
deployments such as IPS, IDS, firewalls and anti-virus throw out Gigabytes of log
data every day, and can also generate false positive alerts, often hiding emerging
threats from the IT team.
These events take time to sort through, and that is time which real security
threats can exploit. The underlying issue is insufficient context for the alerts.
Firewalls and IPS do not understand the business importance or the vulnerability
state of every system in the organisation. For example, an attempted malware
infection of a web server may be reported as a high-priority event by the firewall,
even if that server has already been patched against it.
However, a Security Information and Event Management (SIEM) solution such
as Check Point SmartEvent can automate the collection, correlation and
contextualisation of security log data and events, which puts what’s happening on
the network into perspective – removing the irrelevant noise, and enabling focus on
the important events from a single management console. This makes management
easier, and frees up time for the IT team, giving them the tools they need to maintain
visibility without being overwhelmed.
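The ‘patched web server’ case above is easiest to see in code. The Python below is an added example written for this page, not SmartEvent’s logic; the asset inventory, the key=value log format, the signature names, the address ranges and the scoring weights are all constructed for illustration. It parses a handful of sample alerts, adjusts each one’s severity with asset context (criticality of the target, whether the target is already patched against the signature, whether the gateway blocked the attempt, whether the source is an internal host), folds repeats of the same signature/source/destination into one incident, drops what scores zero as noise, and flags internal hosts that show up as the source of more than one distinct alert.

```python
import ipaddress
from collections import defaultdict

# Constructed asset inventory: the context the gateway lacks (hypothetical hosts).
ASSETS = {
    "10.0.0.5":  {"name": "www-1",  "criticality": "high", "patched": {"sig-web-1001"}},
    "10.0.0.9":  {"name": "lab-vm", "criticality": "low",  "patched": set()},
    "10.0.0.22": {"name": "fin-db", "criticality": "high", "patched": set()},
}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
SEVERITY = {"low": 1, "medium": 2, "high": 3}

# Constructed sample alerts in a simple key=value form (not a real product's log format).
SAMPLE_LOG = """\
time=10:00:01 product=IPS sev=high sig=sig-web-1001 src=203.0.113.7 dst=10.0.0.5 action=prevent
time=10:00:02 product=IPS sev=high sig=sig-web-1001 src=203.0.113.7 dst=10.0.0.5 action=prevent
time=10:01:10 product=IPS sev=medium sig=sig-db-2001 src=10.0.0.9 dst=10.0.0.22 action=detect
time=10:02:00 product=FW sev=low sig=- src=198.51.100.4 dst=10.0.0.9 action=drop
time=10:02:01 product=AV sev=high sig=sig-bot-3001 src=10.0.0.9 dst=192.0.2.1 action=detect
"""


def parse_line(line):
    """Split 'k=v k=v ...' into a dict."""
    return dict(tok.split("=", 1) for tok in line.split())


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


def contextualise(ev):
    """Adjust the raw severity with asset context; returns (score, notes)."""
    score = SEVERITY[ev["sev"]]
    notes = []
    target = ASSETS.get(ev["dst"])
    if target:
        if target["criticality"] == "high":
            score += 2
            notes.append(f"target {target['name']} is high-criticality")
        if ev["sig"] in target["patched"]:
            score -= 2
            notes.append(f"target {target['name']} already patched against {ev['sig']}")
    if ev["action"] in ("prevent", "drop"):
        score -= 1
        notes.append("blocked by gateway")
    if is_internal(ev["src"]):
        score += 1
        notes.append("internal source: possible compromised host")
    return max(score, 0), notes


def triage(log_text):
    """Parse, contextualise and correlate alerts.
    Returns (incidents sorted by score, number of events dropped as noise,
    internal hosts seen as the source of two or more distinct signatures)."""
    groups = {}
    sigs_by_src = defaultdict(set)
    noise = 0
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        score, notes = contextualise(ev)
        if score == 0:
            noise += 1          # blocked, low-value, no context: not worth an analyst's time
            continue
        if is_internal(ev["src"]) and ev["sig"] != "-":
            sigs_by_src[ev["src"]].add(ev["sig"])
        key = (ev["sig"], ev["src"], ev["dst"])
        inc = groups.setdefault(key, {"sig": ev["sig"], "src": ev["src"], "dst": ev["dst"],
                                      "count": 0, "score": score, "notes": notes,
                                      "first": ev["time"]})
        inc["count"] += 1       # repeats of the same attack collapse into one incident
        inc["score"] = max(inc["score"], score)
    incidents = sorted(groups.values(), key=lambda i: (-i["score"], i["first"]))
    suspects = sorted(s for s, sigs in sigs_by_src.items() if len(sigs) >= 2)
    return incidents, noise, suspects


if __name__ == "__main__":
    incidents, noise, suspects = triage(SAMPLE_LOG)
    for inc in incidents:
        print(inc["score"], inc["sig"], inc["src"], "->", inc["dst"],
              f"x{inc['count']}", "; ".join(inc["notes"]))
    print("noise events:", noise, "| hosts to check:", suspects)
```

Note how the two high-severity IPS events against the already-patched web server sink below the medium-severity event from the lab VM against the finance database, and how the lab VM surfaces as a host to check because it is the source of two unrelated alerts. Raw severity is the least informative field once context is applied.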
“42% of UK IT staff said security complexity and policy enforcement was their biggest IT challenge” (Source: Ponemon Institute, March 2011)
9. Choose the right platform
We touched earlier on the growing complexity of security estates, with new and
emerging threats demanding new products to mitigate the risks, leading to ‘solution
sprawl’.
Your security solutions should enable IT teams to set and deliver effective,
policy-driven protection, without needing constant maintenance and without
complex, multi-interface management. Solution sprawl needs to be reversed,
and infrastructure simplified and rationalized, to contain cost and management
overheads.
This can be achieved in two ways: first, by deploying a security gateway solution,
which combines functions including firewalling, IPS, VPN, endpoint security, URL
filtering and more onto one hardware platform. These gateways can offer excellent
value and greatly simplified management, especially for smaller and medium-sized
businesses, because they combine multiple best-of-breed products in a single
solution.
A criticism that used to be levelled against multi-function security gateways was that
they were jacks-of-all-trades but masters of none, and that they were inflexible
and could not easily be upgraded to include new protections. However, latest-generation gateways have the performance and capacity to be extensible and to
accommodate growth.
The second approach is to use an extensible architecture such as Check Point’s
Software Blades, a deck of independent and flexible security modules which can be
purchased independently or as pre-defined bundles, and deployed on existing
gateways and appliances according to your exact needs.
The two approaches are not mutually exclusive: Check Point security gateways also
utilise the Software Blade architecture, giving optimum flexibility and adaptability to
change.
However a key question remains: how do you choose the right gateway to suit
your current needs, and be sure it can grow to keep pace with your changing
requirements in the future?
Different organisations can have vastly different requirements in securing their
computing environments: network size, required throughput, desired security
functions, ability to handle future growth and allotted budget are all significant
components of the decision process. Furthermore, the comparison data available
for gateways is of limited use, as it typically includes only firewall throughput,
measured in ideal lab conditions, making comparisons unrealistic.
However, Check Point recently introduced its SecurityPower benchmark metric that
allows customers to select security appliances by their capacity to handle real-world
network traffic, multiple advanced security functions and a typical security policy.
Each appliance has a specific SecurityPower Capacity that represents its real-world
performance.
This is calculated by integrating multiple performance measurements based on a
real-world mix of network traffic derived through extensive research involving a large
number of Check Point customers. Different combinations of advanced security
functions including firewall, IPS, application control, antivirus, URL filtering, and data
loss prevention are applied to the traffic. All measurements are performed using a
realistic security policy that includes 100 firewall rules, logging of all connections,
Network Address Translation (NAT), a strong IPS protection profile, and up-to-date
antivirus signatures.
There’s also an Appliance Selection Tool to help determine which appliances can
best meet network security needs and support anticipated future traffic increases
and additional security functions.
By choosing the right platform, you can cut out the complexity of security, and
reduce overhead costs and the IT management burden too.
10. Avoid future shocks
The final step in transforming your organisation’s defences against threats is to
make security a central part of its overall IT infrastructure, not just an add-on
component or afterthought. The security should align with your organisation’s
requirements, to help ensure that business can continue smoothly with minimal risk
of disruption.
To do this, consider the three critical dimensions of security:
• gain a holistic view of your business and IT environment to define a clear policy that aligns with your business needs and industry regulations
• enforce protection according to policies using integrated solutions
• educate your people – employees and partners – on their vital role in maintaining your organisation’s security policies and profile.
Also, maintain a dialogue with your security integrators and providers: they should
keep you apprised of the latest developments in solutions that could address emerging
needs; and by keeping them updated on your situation, they should be able
to suggest new approaches that enhance security and reduce TCO and management
overhead.
In conclusion, an educated, security-aware workforce, combined with a solid,
in-depth security system and well-defined security policies delivers the strongest
defence against all types of threat. With this 3D Security approach, you’ll have the
clearest view of the risks to your business, and the ability to respond to and nullify
those threats, both now and in the future.