Symantec Exec Touts Automation as Security Solution at RSA 2009

 
May 05, 2009

by Dana Tierney, Senior Assistant Editor

"The current security model isn't working. It's time for us to change how we approach security," said Enrique Salem, President and CEO of Symantec Corporation at RSA Conference 2009.

The widely distributed single threats of the past have given way to large numbers of highly targeted microthreats. "Today's servers are auto-generating malware at a very rapid rate, and they are targeted. They are targeted at individuals, they are targeted at trying to steal confidential information. Anyone could be a victim," said Salem. In 2008, Symantec created 1.6 million new signatures, as many as had to be created in the previous 17 years. "In 2008, we blocked 245 million attacks per month," he said. "In the next thirty minutes, we'll block two hundred thousand threats."

"Just last week we released our internet threat report," said Salem. "We collect data from millions of sensors from around the world. It's something we call the Symantec Global Intelligence Network and we combine it with first-hand threat research that we do every day."

The new malware also gets down to business. "Almost before you know it, you could lose your identity. You could have your information stolen and these attackers are not looking for notoriety but financial gain. What we are seeing is that last year, 90% of attacks targeted confidential information," resulting in loss in productivity, loss in revenue, and loss of customer confidence.

"Information is the most valuable thing that we protect," Salem said. The average cost of a data breach is now 6.7 million dollars per breach. "Per breach," he emphasized. "Some of these breaches are what we call sins of omission – incidents where employees are lazy or they just don't think about the risk." For example, an employee sends confidential information to his public email address and it gets stolen. Or an employee puts information on a USB device and leaves it in the back of a cab. One of every two USB keys that get lost has confidential information.

Inadvertently sending a file to the wrong individual is also frequent. Some companies deal with it by turning off the auto-fill feature in email, but then "in the name of security, we've hurt productivity. It shouldn't have to be an either/or," Salem declared.

According to a recently released survey done by the Ponemon Institute, 59% of departing employees take information with them when they go. "This is a bigger issue now as more and more people are leaving organizations," said Salem. Twenty-four percent of departing employees report that they still had access to the company network after they left, one third of them for more than a week after they left.

Infrastructure is increasingly heterogeneous, compounding the difficulties in securing it. Southwest Airlines has simplified personnel allocation and supply chain by only flying 737s, but this is not often an option in IT infrastructure, where mergers and fragmentation of responsibility have created interoperability issues. "This fragmentation is not consistent to having a top down, policy-based approach," Salem said. Employees are also bringing in their own devices, iPhones and laptops. Software as a service (SaaS), where data is now being managed outside the organization, represents an increasing trend.

Symantec's customers are saying that they are tired of piecemeal approaches, he said. "They are tired of dealing with point products, tired of being systems integrators," and want a solution that will allow them to respond to and remediate threats very rapidly.

But this starts to require automation, which "today is not what they have." Typically the subgroups in the IT department operate in separate silos, one for the desktop team, one for the security team, one for the data center. "A lot of the work that they do – it's manual," said Salem, and it can take up to a week for the parts to work together to produce the logs and change a policy to respond to a potential breach.

Salem proposed a new model of risk-based, information-centric, responsive, workflow-driven security. It would identify an acceptable risk level. Protecting the infrastructure is necessary but not sufficient. Where is that information, he asked. It's increasingly in separate locations. A real-time view of what is happening is required, one without a lot of latency. Automation and closing the gaps between the security products reduce the latency for remediation.

For instance, imagine a policy that says you can't put customer credit card data on a USB device. If you detect an attempt to do so, you could warn the employee, which is conceivably all that is required if the action is inadvertent, then trigger an alert if they continue. The person responding to the alert may decide there is a valid reason to allow the action, or not. The point is to make the policy and then make the decisions at the time. "All of these manual processes are a problem and so part of the answer has to be automating workflows," Salem said. These can also be set to automatically escalate, if required.
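The warn, alert and escalate workflow described above can be sketched as a small state machine. This is an added example, not code from the keynote or from any Symantec product; the class and function names, the Luhn-based card detection and the 15-minute escalation window are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")  # candidate card-number runs
ESCALATE_AFTER = 900  # seconds an alert may wait for review (assumed value)
SAMPLE = "cust 4111 1111 1111 1111 exp 05/11"  # constructed; public test number

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def has_card_data(text: str) -> bool:
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            return True
    return False

@dataclass
class UsbCardPolicy:
    warned: set = field(default_factory=set)
    open_alerts: dict = field(default_factory=dict)  # user -> time alert raised
    exceptions: set = field(default_factory=set)     # users a responder approved

    def on_usb_write(self, user: str, content: str, now: int) -> str:
        if user in self.exceptions or not has_card_data(content):
            return "allow"
        if user not in self.warned:      # first attempt: may be inadvertent
            self.warned.add(user)
            return "warn"
        self.open_alerts.setdefault(user, now)  # repeat attempt: hold for review
        return "alert"

    def review(self, user: str, allow: bool) -> str:
        """Responder decision, made at the time of the alert."""
        self.open_alerts.pop(user, None)
        if allow:
            self.exceptions.add(user)    # simplification: approval persists
        return "allow" if allow else "deny"

    def escalations(self, now: int) -> list:
        """Users whose alerts have waited too long and should auto-escalate."""
        return sorted(u for u, t in self.open_alerts.items()
                      if now - t >= ESCALATE_AFTER)
```
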

"Information walks out the door every day and we're often not in control," he said. Another use case would involve an early warning system and a backup system patch. In case of an impending threat, a data center might want to patch the vulnerability right away and also start a backup process. It would then be useful to know what systems have not been patched, in order to decide if any of the processes need to be changed or if any machines still need to be patched or even removed from the network.

Automation could also ease the pain of "weeks having to deal with compliance reports," reducing a multi-week process to a couple of days. Since most organizations can't replace their entire environment, it would be important for such a system to work directly with the system in place.

The same needs to happen at the federal government level. "So we'd like there to be a cyber security person in charge working at the White House, reporting to the president," Salem said, "that's looking at how do we standardize policies across all of the different government agencies, drive consistent strategies at the federal level the same way we are all trying to do in our own environments."

Henry Ford said that if you asked his customers what they wanted, they would have said a faster horse. We don't know necessarily what the threat is going to be. "What's the approach for tomorrow?" he asked. Blacklisting works for massively distributed threats, and white-listing suits a few regularly performed tasks, but these approaches are potentially too slow or too restrictive. A new strategy to deal with future threats, reputation-based security, may offer a solution, taking into account exactly what is happening as well as origin, prevalence and age. This new method isn't just about blocking; "it's about defining policies, and you have to deal with the risk tolerance of your environment."

For example, a university might designate a student network as less secure and permit certain downloads to avoid flooding the helpdesk with calls. In a different environment an administrator might decide that no software will run until it has been released for a certain time, and has a certain number of users. This more conservative approach can be likened to waiting for a review before trying a new restaurant. You can define a policy and you can have it be different in the different types of environment you work in, Salem said.
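One way to express such per-environment reputation policies, with blocklist and allowlist checks as a fast path ahead of the age, prevalence and origin tests. This is an added example, not code from the keynote or from Symantec; the environment names, thresholds, file identifiers and the `decide` function are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class FileFacts:
    file_hash: str
    age_days: int         # days since the file was first seen anywhere
    users: int            # prevalence: how many users are known to run it
    trusted_origin: bool  # came from a source the organization trusts

@dataclass(frozen=True)
class Policy:
    min_age_days: int
    min_users: int
    require_trusted_origin: bool
    on_fail: str          # "warn" or "block" when reputation falls short

# Constructed identifiers and thresholds, for illustration only.
BLOCKLIST = {"hash-known-bad"}
ALLOWLIST = {"hash-approved-tool"}
POLICIES = {
    "student_network": Policy(0, 50, False, "warn"),
    "data_center": Policy(90, 10_000, True, "block"),
}

def decide(f: FileFacts, environment: str):
    """Return (verdict, reasons) for running file f in the given environment."""
    if f.file_hash in BLOCKLIST:
        return "block", ["on blocklist"]
    if f.file_hash in ALLOWLIST:
        return "allow", ["on allowlist"]
    p = POLICIES[environment]
    reasons = []
    if f.age_days < p.min_age_days:
        reasons.append(f"age {f.age_days}d < {p.min_age_days}d")
    if f.users < p.min_users:
        reasons.append(f"{f.users} users < {p.min_users}")
    if p.require_trusted_origin and not f.trusted_origin:
        reasons.append("untrusted origin")
    if reasons:
        return p.on_fail, reasons
    return "allow", ["meets reputation policy"]

# Constructed sample: a fairly new, moderately common download.
NEW_TOOL = FileFacts("hash-new-tool", age_days=12, users=800, trusted_origin=False)
```

The same file is allowed on the permissive network and blocked in the conservative one, and the returned reasons show which thresholds it missed.
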

He added that there do need to be some standards in this area and that the industry needs to define the interfaces that will allow that. Security need not be an inhibitor; "we can be in control of what we are doing," he said. As in skiing, instinct says to lean back, "but if you lean back you lose control." We can start tearing down silos, making it easier for us to collaborate across the organization and bridging the gap between security and day-to-day IT operations, he said, creating a culture of confidence that enables productivity instead of inhibiting it.


Dana Tierney is the Sr. Assistant Editor at House of Fusion, where she causes authors to cry over their once-thought perfect articles. They recover, and their articles are better for it. But still, the sound of grown men weeping...

