Pick up any security magazine... it's ok, I'll
Stories abound about the latest worm, identity theft, targeted attacks and other "James Bond-ish" types of attacks that have claimed their next victim. Don't get me wrong, all of these things happen with astounding regularity, but there are times, such as now, when we need to take a step back to
Our employees are our biggest asset, but they can also be our biggest security risk. Every day, confidential information walks out the door when employees take thumb drives, laptops and, in fact, their brains home. In most cases it comes back the next day when employees return to work. But what happens when it doesn't? PCs get stolen, thumb drives get lost, and people talk, sometimes divulging proprietary information that they shouldn't. And this puts organizations at risk.
In our efforts to stem incidents of viruses, Trojans, worms and other bad things that can infiltrate a network, we should not only invest in gear to secure our network, but also invest in our own employees in the form of education. To truly stack the deck in the company's favor, it is essential to establish a real and ongoing "in-service" that educates employees on the ways they can help protect the organization from security incidents.
Striking the right balance between employee education and purchasing security products is not easy, but it is necessary: focusing on one without the other is a recipe for a breach. From a security perspective, investing in both the network and the employees costs money, but it also pays dividends. And you can take that to the bank.
As we begin 2009, we return to work with the “clean slate” feeling and with renewed vigor to implement our 2009 plans that we have diligently worked on in Q4’08. We have celebrated our 2008 victories and are ready to implement adjustments in course to take advantage of emerging opportunities that will take the company to the next level.
From an IT perspective, one constant planning exercise revolves around security: specifically, ensuring the security of applications and, perhaps most important, the security of proprietary information and customer data. Every year, we endeavor to stay one step ahead of the hackers by deploying and fine-tuning the right combination of security elements on our networks.
In reviewing the security news events of 2008, the good news is that a lot of highly sophisticated and damaging attacks were identified. The bad news is that the vast majority of them were discovered only after the breach had occurred.
The big question is: why do we accept this approach as an immutable law of security? We continue to purchase and deploy security that reports about what has happened in the past instead of what is happening right now. We deploy “rear view mirror security” that empowers us to take action only after the damage has occurred.
In our personal lives, would we ever buy a physical security system that promises to inform us after a thief has broken into our houses and made off with our most prized possessions?
In planning our security strategy for this year (and indeed beyond), it is essential to choose security that not only provides a detailed historical view with drill-down capabilities, but also identifies what is happening right now, so that action can be taken before the damage has been done. There are many options as to whether manual, semi-automatic, or fully automatic actions are taken when a breach is detected; leading security solutions allow the appropriate action to be configured based on the threat or type of attack.
Make the resolution now to no longer accept rear view mirror security to secure your most prized asset. Your organization depends on it.
To a happy (and secure) 2009!
Message Edited by mrothschild on 01-06-2009 09:05 PM
"I want to deploy NAC in my network, but there are older components in my wired/wireless infrastructure that do not support 802.1x, so I can't deploy NAC yet, right?" As a PLM for a NAC product, I hear this question constantly. True, 802.1x is the most visible and prevalent type of NAC enforcement, but it is not the only type of enforcement provided by available NAC architectures. In fact, depending on your security and access control needs and your existing network architecture, one of the other options might actually be a better choice for your deployment. Let's take a look at some of the available methods of
802.1x Enforcement - This is supported by most of the primary NAC solutions on the market today. It provides ultimate control in that an end user is unable to pass a single packet until they have been authenticated and their machine has been checked for the appropriate patches, endpoint security applications, etc. One downside, however, is that 802.1x must be enabled on every switch and wireless access point in your network. The first switch port, for example, that is not 802.1x enabled represents a potential security hole in your NAC

Agent-based Enforcement - In this model, a software agent running on the endpoint performs the enforcement. When the user logs on to the network, the software-based agent contacts the NAC system to do the authentication and endpoint integrity scans, and applies the appropriate access control rules to the user's

DHCP Enforcement - With DHCP enforcement, the DHCP protocol is used to assign differing network configurations to devices connecting to the network based on user authentication and endpoint integrity. One of the traditional downsides of DHCP enforcement has been from a security perspective, with spoofed and/or static IP addresses being an easy way to bypass these types of access control

Appliance Enforcement - This approach leverages an appliance through which all end user traffic passes in order to perform access control. A positive attribute of such a scheme is that it does not require any changes to the existing network configuration, nor does it require hardware upgrades. In addition, many of the solutions out there enable a much more granular set of policy types to be enforced than other types of enforcement. A downside, however, is that from a deployment perspective, a large enterprise network might need to deploy a large number of these appliances in order to contain traffic sufficiently. Some such enforcement models use existing security devices such as firewalls and IPS devices - appliances that might already be deployed in your network - minimizing even further the need to deploy additional network/security gear.
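The DHCP enforcement caveat above (static or spoofed addresses never pass through the policy decision) is something you can audit for on the access network rather than just accept. The following is an added example written for this post, not code from the original author or from any NAC product: it cross-checks a DHCP lease table against the neighbour (ARP) table seen at the access-layer gateway and reports hosts that are on the wire with no active lease, or that use an address leased to a different MAC. The lease and neighbour data are constructed samples in a dnsmasq-like lease format and an `ip neigh`-like format; the reference time `NOW` is likewise a constructed value.

```python
"""Audit for endpoints that sidestep DHCP-based NAC enforcement.

Added example (not from the original post or any vendor product). A host that
configures a static address, or reuses an address that was leased to another
machine, never takes a lease and so never reaches the DHCP-based policy decision.
Comparing what DHCP granted against what is actually answering on the segment
surfaces both cases. Inputs below are constructed samples.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed reference time (epoch seconds) used to drop expired leases.
NOW = 1231100000

# Constructed sample, dnsmasq-style: "expiry mac ip hostname client-id".
# The last line is an expired lease still lingering in the file.
DHCP_LEASES = """\
1231113600 00:11:22:33:44:55 10.20.0.10 finance-pc01 *
1231113600 00:11:22:33:44:66 10.20.0.11 eng-laptop07 *
1231113600 00:11:22:33:44:77 10.20.0.12 hr-pc03 *
1231000000 00:11:22:33:44:88 10.20.0.13 old-lease *
"""

# Constructed sample of `ip neigh` output from the access-layer gateway.
NEIGH_TABLE = """\
10.20.0.10 dev eth1 lladdr 00:11:22:33:44:55 REACHABLE
10.20.0.11 dev eth1 lladdr 00:11:22:33:44:66 STALE
10.20.0.12 dev eth1 lladdr de:ad:be:ef:00:01 REACHABLE
10.20.0.13 dev eth1 lladdr 00:11:22:33:44:88 REACHABLE
10.20.0.200 dev eth1 lladdr de:ad:be:ef:00:02 REACHABLE
10.20.0.201 dev eth1 FAILED
"""


@dataclass(frozen=True)
class Finding:
    ip: str
    mac: str
    reason: str


def parse_leases(text: str, now: int) -> Dict[str, str]:
    """Map leased IP -> MAC for leases that are still valid at `now`."""
    leases: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        expiry, mac, ip = int(parts[0]), parts[1].lower(), parts[2]
        if expiry > now:                       # expired leases grant nothing
            leases[ip] = mac
    return leases


def parse_neigh(text: str) -> Dict[str, str]:
    """Map observed IP -> MAC from `ip neigh`-style lines; skip entries without lladdr."""
    seen: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if "lladdr" in parts:                  # FAILED/INCOMPLETE entries carry no MAC
            seen[parts[0]] = parts[parts.index("lladdr") + 1].lower()
    return seen


def audit(leases: Dict[str, str], neigh: Dict[str, str]) -> List[Finding]:
    """Flag active hosts that have no valid lease or that contradict the lease table."""
    findings: List[Finding] = []
    for ip, mac in sorted(neigh.items()):
        if ip not in leases:
            findings.append(Finding(ip, mac,
                "no active DHCP lease: static or stale address bypasses DHCP enforcement"))
        elif leases[ip] != mac:
            findings.append(Finding(ip, mac,
                f"lease for {ip} belongs to {leases[ip]}: possible address spoofing"))
    return findings


def run_audit() -> List[Finding]:
    """Run the audit over the constructed samples."""
    return audit(parse_leases(DHCP_LEASES, NOW), parse_neigh(NEIGH_TABLE))


if __name__ == "__main__":
    for f in run_audit():
        print(f"{f.ip:<14} {f.mac}  {f.reason}")
```

Run on a real segment, the two inputs would come from the DHCP server's lease file and from the gateway's neighbour table; anything the audit reports is a host that the DHCP-based policy never evaluated, which is exactly the gap the post warns about.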
In actuality, most NAC solutions on the market today will provide more than one of these options, for additional flexibility. The key point is that 802.1x is not the only approach to NAC out there. For example, if your primary goal when deploying NAC is to restrict access to key financial applications and data stored in your primary data centers, 802.1x might not be the best alternative. You might instead look towards an inline appliance solution, where the appliances are deployed in front of the data center. When a Finance user needs to access that information, they authenticate to NAC. This is a solution that is faster to deploy than an enterprise-wide 802.1x solution, but still meets the needs for this specific
Remember: always start with your organization's security needs and then seek out the appropriate solution rather than the other way around. You might miss more suitable solutions if you jump on the technologies presented to you before determining your true
This week I was at a partner event talking about security, and a person in the audience asked me, "So how do I sell security?" At first blush, this seemed like a question so general that it cannot be answered! Ask me an easier one: "Why is the sky blue?"
Then I got to thinking: selling green is easy, consolidation is cake, virtualization sells itself. Why? Because they have demonstrable and predictable cost savings. Selling security is like selling insurance. It's hard to quantify, until the unthinkable happens.
As I mentioned in a previous post, security has changed... so much that the unthinkable is becoming more of a reality. I felt so strongly about it that I recorded a 3-minute video to talk more about the changing security landscape and how that insurance policy is not a luxury, but a necessity for every high-performing business.
Check it out and let me know what you think!
Message Edited by mrothschild on 11-20-2008 06:30 PM
There are an increasing number of access control products in the typical corporate network. These include SSL VPN products for remote access control and Network Access Control (NAC) for local access control. The mission of these offerings is to provide access to the network only for authenticated users on secure machines. At the same time, security products ranging from firewalls to IPS/IDP systems are monitoring the traffic on these same networks, ensuring that network assets are protected from unwanted behavior.

Future security solutions will begin to blend these concepts of access control with end user behavior. These offerings will leverage not only user identity and posture assessment, but actual traffic on the network, to ensure that authorized users are staying within the confines of corporate security policies. Coordination of this sort will allow these systems to react dynamically to user behavior. For example, if an authorized user launched an attack against the corporate data center, an IPS might drop that traffic, providing the protection it was designed for. At the same time, it would feed information related to the attack into the corporate access control infrastructure, so that action can be taken on that end user's session - quarantine or session termination, for example. The result is end-to-end threat control and prevention: coordination of network and security elements that ensures all of the relevant information these devices are collecting can be used to make the best possible decisions on user access. With this type of system, the days of siloed security devices are numbered.
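The coordination described above, and the earlier post's point that the response (manual, semi-automatic or fully automatic) should be configurable per threat type, can be made concrete in a small policy engine. The following is an added example written for this page, not code from the original author or from any vendor's product: an IPS alert about a source address is joined with the NAC session table (which user is logged in from that address and what their posture check said), and a per-threat policy decides whether that user's session is logged, quarantined or terminated, and whether that happens automatically or is queued for an operator. The alert format, the session fields, the policy keys and the posture-based escalation rule are all assumptions made for the example; the alerts and sessions are constructed samples.

```python
"""Feed IPS alerts into NAC session handling.

Added example, not from the original post or any product. The IPS has already
dropped the offending packets; what this adds is the second step the post
describes: acting on the *user session* behind the traffic, with the response
configured per threat type and either applied automatically or held for an
operator. All inputs are constructed samples and all field names are assumed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed NAC session table: source IP -> authenticated user and posture result.
SESSIONS: Dict[str, Dict[str, str]] = {
    "10.20.0.10": {"user": "alice", "posture": "compliant"},
    "10.20.0.11": {"user": "bob", "posture": "noncompliant"},
}

# Constructed IPS alerts in a simple key=value format (assumed, not a real IPS format).
IPS_ALERTS = """\
ts=2009-01-06T21:05:00Z src=10.20.0.10 dst=10.1.1.5 sig=sql-injection severity=high
ts=2009-01-06T21:05:07Z src=10.20.0.11 dst=10.1.1.5 sig=port-scan severity=medium
ts=2009-01-06T21:05:09Z src=10.20.0.99 dst=10.1.1.5 sig=port-scan severity=medium
"""

# Response policy keyed by threat type: the action to take on the user's session and
# whether it is taken automatically or queued for an operator ("semi-automatic").
POLICY: Dict[str, Dict[str, str]] = {
    "sql-injection": {"action": "terminate", "mode": "automatic"},
    "port-scan": {"action": "quarantine", "mode": "semi-automatic"},
}
DEFAULT_RULE = {"action": "log", "mode": "automatic"}


@dataclass(frozen=True)
class Decision:
    src: str
    user: Optional[str]
    action: str   # log | quarantine | terminate
    mode: str     # automatic | semi-automatic
    note: str


def parse_alert(line: str) -> Dict[str, str]:
    """Split 'k=v k=v ...' into a dict; values carry no spaces in this constructed format."""
    return dict(field.split("=", 1) for field in line.split())


def decide(alert: Dict[str, str], sessions: Dict[str, Dict[str, str]],
           policy: Dict[str, Dict[str, str]]) -> Decision:
    """Join one alert with NAC session state and pick the configured response."""
    src = alert["src"]
    rule = policy.get(alert["sig"], DEFAULT_RULE)
    session = sessions.get(src)
    if session is None:
        # No NAC session behind this address: there is no user session to act on, so the
        # IPS drop stands alone and the unauthenticated host is flagged for investigation.
        return Decision(src, None, "log", "automatic",
                        f"{alert['sig']} from {src}: no NAC session, unauthenticated host")
    action = rule["action"]
    note = f"{alert['sig']} from {session['user']} (posture {session['posture']})"
    # Assumed escalation rule (not from the post): an attack from an endpoint that already
    # failed its posture check is not held for remediation; its session is ended instead.
    if action == "quarantine" and session["posture"] == "noncompliant":
        action = "terminate"
        note += "; escalated because the endpoint is non-compliant"
    return Decision(src, session["user"], action, rule["mode"], note)


def process(alert_text: str, sessions: Dict[str, Dict[str, str]],
            policy: Dict[str, Dict[str, str]]
            ) -> Tuple[List[Decision], Dict[str, Dict[str, str]], List[Decision]]:
    """Decide every alert and apply the automatic ones to a copy of the session table.

    Returns (all decisions, session table after enforcement, decisions awaiting an operator).
    """
    table = {ip: dict(s) for ip, s in sessions.items()}   # never mutate the caller's table
    decisions: List[Decision] = []
    pending: List[Decision] = []
    for line in alert_text.splitlines():
        if not line.strip():
            continue
        d = decide(parse_alert(line), table, policy)
        decisions.append(d)
        if d.mode != "automatic":
            pending.append(d)                 # semi-automatic: wait for operator approval
        elif d.action == "terminate":
            table.pop(d.src, None)            # session gone; the user must re-authenticate
        elif d.action == "quarantine":
            table[d.src]["posture"] = "quarantined"
    return decisions, table, pending


if __name__ == "__main__":
    decisions, after, pending = process(IPS_ALERTS, SESSIONS, POLICY)
    for d in decisions:
        print(f"{d.src:<12} {d.action:<10} {d.mode:<15} {d.note}")
    print("sessions after enforcement:", sorted(after))
    print("awaiting operator:", [d.src for d in pending])
```

Two design points matter here. Decisions are made against the live session table rather than against the IPS alert alone, so the same signature yields different actions for a compliant and a non-compliant endpoint, which is the identity-plus-posture-plus-traffic blend the post describes. And the "mode" field keeps the human in the loop where the organization wants one: a semi-automatic rule records the decision and queues it instead of changing anyone's access, so an IPS false positive cannot terminate a session by itself.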