From the very start of considering a move from IBM Security Systems to Bit9, I gave a lot of thought to my security philosophy. I really do believe strongly in IBM’s security portfolio, and I wanted to make sure moving to Bit9 didn’t undercut my security philosophy. Working for IBM taught me a lot about holistic security and how good security products are usable whether you have basic security maturity or advanced. I generally focused on the network side of security, mainly SIEM and NIPS. I’ve shied away from endpoint security (with the exception of dabbling in forensics and TEM), because it’s such a headache. Virus scan software is a joke, letting just about everything modern in. Case in point: the recent attacks at the New York Times:
Over the course of three months, attackers installed 45 pieces of custom malware. The Times — which uses antivirus products made by Symantec — found only one instance in which Symantec identified an attacker’s software as malicious and quarantined it, according to Mandiant.
I see this all the time. That’s why products like QRadar and IBM Security NIDS are so popular. You have to fall back to the network if you can’t get control of the endpoint. Why attack the endpoint? It seems to be the easiest and most successful route. There are typically three categories of attacks:
- Remote attacks launched from the internet (DoS, SQL Injection, etc.)
- Insider threats, and
- Infect an endpoint, then launch the attack from within (phishing, drive-by downloads)
Network-based protection is very useful at blocking and/or detecting all three of these attack categories, but that leaves you with perimeter-based protection. With perimeter-based security, one tries to tackle the infection channels like email and web browsing. There are tons of solutions that help with this, but nothing helps as soon as that endpoint walks out the door. Network security should be used to protect infrastructure, not endpoints.
So what can be done to protect the endpoint? IBM Tivoli Endpoint Manager does a lot to manage all the small stuff like patch management, software delivery, compliance, and virus scanning. I say small stuff not to dismiss its importance, but because these are processes that should already be in place. Having TEM take care of it all is just easier.
When I was at IBM and a customer was worried about the insider threat, we would use either TSIEM or QRadar to pull in system and audit logs. What we usually found was near pure chaos, since it’s very hard to figure out what is what within system logs. The best approach I have found is using whitelist policies. We would build profiles of acceptable behavior in an environment, filter it out, then analyze the rest. It was a great approach and bled over into some of my other SIEM and NIPS scenarios.
I bring this up because one of the reasons I like Bit9’s software is that it employs a similar whitelist approach, but one that looks to be MUCH easier than the rat’s nest that is system and audit logs.
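To make the "profile acceptable behavior, filter it out, analyze the rest" approach concrete, here is a small added example. It is not code from the original post, and not how TSIEM, QRadar or Bit9 implement it; the log format (a single line with host=, user=, action= and target= fields), the log lines themselves, and the `min_count` threshold are constructed assumptions for illustration. The idea carries over to application control as well: the profile is simply "what is allowed to happen", and anything outside it is what gets looked at.

```python
"""Whitelist (allowlist) filtering of system/audit log events.

Added example, not code from the original post or from any IBM or Bit9
product. The log format and field names below are constructed assumptions:
    <ISO timestamp> host=<host> user=<user> action=<verb> target=<object>
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) target=(?P<target>\S+)$"
)


def parse(line):
    """Return a dict of fields, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def profile_key(ev):
    """The behaviour tuple 'who does what, where'.

    The timestamp is deliberately excluded so that a profile entry describes
    a recurring behaviour rather than a single event.
    """
    return (ev["host"], ev["user"], ev["action"], ev["target"])


def build_profile(baseline_lines, min_count=2):
    """Learn the whitelist from a baseline period.

    Only behaviours seen at least `min_count` times are admitted, so that a
    one-off event inside the baseline window does not become 'acceptable'.
    """
    counts = Counter()
    for line in baseline_lines:
        ev = parse(line)
        if ev:
            counts[profile_key(ev)] += 1
    return {key for key, n in counts.items() if n >= min_count}


def filter_unknown(lines, profile):
    """Drop every event that matches the profile and return the residual.

    Unparseable lines are kept on purpose: 'the collector could not read
    this' is itself something an analyst should look at.
    """
    residual = []
    for line in lines:
        ev = parse(line)
        if ev is None or profile_key(ev) not in profile:
            residual.append(line)
    return residual


# Constructed baseline: routine activity on two servers.
BASELINE = [
    "2013-02-01T08:00:01Z host=db01 user=backup action=read target=/var/lib/pgsql",
    "2013-02-02T08:00:01Z host=db01 user=backup action=read target=/var/lib/pgsql",
    "2013-02-03T08:00:02Z host=db01 user=backup action=read target=/var/lib/pgsql",
    "2013-02-01T09:15:00Z host=web01 user=deploy action=exec target=/usr/bin/git",
    "2013-02-02T09:20:00Z host=web01 user=deploy action=exec target=/usr/bin/git",
    "2013-02-02T11:00:00Z host=db01 user=dba action=exec target=/usr/bin/psql",
    "2013-02-03T14:00:00Z host=db01 user=dba action=exec target=/usr/bin/psql",
    # one-off during the baseline; must not be learned as acceptable
    "2013-02-02T23:55:00Z host=web01 user=deploy action=exec target=/usr/bin/scp",
]

# Constructed events from the period under review.
REVIEW = [
    "2013-02-10T08:00:01Z host=db01 user=backup action=read target=/var/lib/pgsql",
    "2013-02-10T09:10:00Z host=web01 user=deploy action=exec target=/usr/bin/git",
    "2013-02-10T03:12:44Z host=db01 user=backup action=exec target=/usr/bin/psql",
    "2013-02-10T03:13:02Z host=db01 user=backup action=read target=/etc/shadow",
    "2013-02-10T03:14:00Z host=web01 user=deploy action=exec target=/usr/bin/scp",
    "garbage line that the collector mangled",
]


def review(baseline=BASELINE, lines=REVIEW):
    """Build the profile from the baseline and return what is left to analyze."""
    return filter_unknown(lines, build_profile(baseline))


if __name__ == "__main__":
    for line in review():
        print("REVIEW:", line)
```

Running it drops the two routine events (the backup read and the deploy user's git run) and leaves four lines for an analyst: the backup account executing psql, the same account reading /etc/shadow, the off-hours scp that was a one-off in the baseline and so never made it into the profile, and the unparseable line. The point is the ratio, not the detector: the profile removes the bulk of the noise, and what survives is small enough to be read by a person.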
Let me summarize:
- Network security is best when focused on protecting infrastructure like hosted applications and databases. It loses effectiveness when trying to secure the endpoint.
- As for hosted applications, security vulnerability testing and security development should be a closed loop.
- Insider threats can only be managed if you are doing system and audit log analysis. It’s a costly investment, but worth it to certain business sectors like banking and military.
- Endpoint protection must include basic measures including patch management, lifecycle management, and basic written security policy.
- I believe SIEM is critical to tie it all together and should be the single pane of glass.
- Maturity in other security processes like identity management, access management, policy, compliance, encryption, and asset management help all your other security investments.
- Overall security policy governance has to be tailored to the size and type of organization.
As I write this out, I see that going after endpoint security with Bit9 is a fit for me. I am looking forward to learning more about its capabilities and how our customers would like to use it.