Infosec Wares Need to ID Unknown ThreatsIndustry Expert Contends Security Products Must Do a Better Job
As more and more breaches show, sensitive information often isn't encrypted. Why is this the case? Gartner's Peter Firstbrook offers insight.
Encryption scares people, says Firstbrook, research vice president at Gartner. And one reason for that is the inability to recover sensitive information. "If your hard drive fails, it's fairly easy to recover from that," he says in an interview with Information Security Media Group's Eric Chabrow [transcript below]. "Once you have encryption, those kinds of recoveries become impossible."
When viewing encryption, organizations fear that the encryption scheme "becomes the denial-of-service attack," Firstbrook explains, because of a malfunction in the encryption scheme itself.
But another reason for the lack of encryption is that organizations haven't thought about it. "They haven't thought they have data on [something]," he says. "They don't realize there's sensitive data ... or they just haven't gotten around to getting to the budget or the resources to actually go ahead and do that."
Yet, encryption is most certainly a necessity. "Every mobile device should be protected with encryption if it has any sensitive data at all," he says, "and when you think about sensitive data, e-mail may be enough to make you require encryption."
In an interview conducted at last month's Gartner Security Summit, Firstbrook discusses:
- Advice on application controls;
- The need for vendors to do a better job;
- Issues surrounding the bring-your-own-device mobility trend.
As a research vice president, Firstbrook covers areas related to the endpoint security, secure Web gateway and secure e-mail gateway markets. The 15-year Gartner veteran previously worked as a financial analyst, implemented retail and branch office networks, developed software for tax reporting/invoicing programs and served as a database administrator.
ERIC CHABROW: What are critical capabilities of endpoint protection platforms and what are the future requirements?
PETER FIRSTBROOK: Obviously, the biggest current requirement is to protect you against known and unknown threats, and I think the unknown threat is a part of the equation, the one that the current vendors are not doing that good a job, and they're pretty adequate at detecting well-known threats, popular threats that are rapidly propagating but not so good at catching targeted threats as we saw from the Flame virus. Research into incidents show that the average dwell-time of some targeted threats is somewhere around 400 days, which means they've been in their organization for 400 days. That's the big area that most people are focusing on now.
Tips for End-Users
CHABROW: If the vendors aren't doing the type of job you feel they should be doing, what should the end-user be doing?
FIRSTBROOK: The big thing that they can do to start off with is what we call application control. The first step is constraining the number of applications that you have in your inventory. The second step is to monitor those applications to make sure there are no vulnerabilities, and when there are vulnerabilities that they patch them as immediately as they can.
The next big step they can take is to remove administrative rights; don't give end-users the ability to install applications and I realize for some organizations that can be pretty Draconian.
The next step to that would be to institute a sort of default-deny application environment where users can install applications but only after they've been approved by either IT or by a security vendor like Bit9, Kaspersky, CoreTrace or McAfee who have programs that actually do this for you.
CHABROW: With BYOD happening - bring-your-own-device - does that make this far more complex?
FIRSTBROOK: With BYOD, obviously this approach won't work. This is only for corporate-owned devices where you're concerned about malware. When you look at BYOD, you really have to shift your thinking from, "I'm going to protect the infrastructure," to, "I'm going to protect the information or my transaction systems." Now you're looking at tools like encryption, data leak prevention, app isolation and things like that. What you're really trying to do now is, if I'm going to allow somebody to access proprietary systems or our transactional systems or download data, I'm protecting that data or I'm protecting the transaction system.
CHABROW: You have expertise in endpoint protection. I hear a lot to don't worry about that; worry more about, as you sort of suggested, protecting the data. Where in today's world and going into the future is the importance of endpoint protection?
FIRSTBROOK: I think it's still important to maintain a clean endpoint for corporate-owned devices because the big issue is availability of computing resources. If your computer is infected with malware or it's not operating properly, somebody has to clean it up. They have to re-image it. We still need to protect it from that purpose, but yeah it's easier, much easier to keep the environment clean than it is to do what I'm describing, which is protect the data because following the data as people use it, they drop it in a drop box and then it goes to their home PC and then it goes somewhere else, that's a lot harder problem.
CHABROW: I hear about all these breaches and information's not being encrypted. Why do you think that's happening?
FIRSTBROOK: People are scared of encryption. It increases the propensity for an incident to become a major incident. What I mean by that is, if your hard drive fails it's fairly easy to recover from that, and I think sometimes it's even impossible to remove the hard drive physically and put it in another drive and detect what's on there. Once you have encryption, those kinds of recoveries become impossible. The real concern is that the actual encryption scheme becomes the denial-of-service attack because of a failure in the encryption scheme. A lot of people are worried about that, but equally a lot of people haven't thought about it. They haven't thought they have data on there. They don't realize that there's sensitive data on there, or they just haven't gotten around to getting to the budget or the resources to actually go ahead and do that. We think that they should. Certainly, every mobile device should be protected with encryption if it has any sensitive data at all, and when you think about sensitive data, e-mail may be enough to make you require encryption.
CHABROW: Earlier you mentioned you weren't quite satisfied with the vendors. Why don't you think the vendors are stepping up to this?
FIRSTBROOK: I think because they have a perfectly good business right now, and ... really there's no alternative. None of the vendors are poking their head up above all the others, so they're all equally bad at this and so there's no incentive for somebody like Symantec or McAfee to jump way ahead of the curve and invest too much in resources. Now to be fair to them, they're trying but they're not really driving away and equally no buyer of security solutions are saying, "Hey look, I'm not going to pay for AV anymore. I'm going to buy something else." Nobody is willing to make that career decision to not go with AV and to try to do another type of solution. We have reluctance on the side of buyers to do anything else, and we have reluctance on the side of the vendors to do much else than their peers.
CHABROW: So in some respects, it comes down to a basic cost.
FIRSTBROOK: Right. Like all security decisions, it's a cost risk benefit but there are some vendors out there. Kaspersky has done some interesting stuff with application control. McAfee has introduced a new application control platform. There are vendors like Bit9 out there, which is one of the few vendors to stand up and say, "Hey look, Flame, we could have stopped it. We did stop it." CERT tested, I think, 47 different anti-virus vendors against the Flame virus and none of them caught it, but Bit9 - which is an application control - it's a different paradigm, their default denied. They said, "Well, we stopped it. We don't need to have any previous knowledge of the threat."
CHABROW: Anything else you would like to add?
FIRSTBROOK: The other thing that you can do actually in respect to endpoint security - all of this stuff comes from the web so focusing on your web gateways and protecting it adds another layer. Some people are looking for a silver bullet. It may not actually be in the client software; it may be in the network and you can do that through SaaS, which is vendors like Zscaler, or you can do it as an infrastructure [with] vendors like Websense or Blue Coat.