Just like dealing with the plague during the Middle Ages, the traditional thinking has been "if you build a strong enough wall around the castle, nothing dangerous can get in."
In today's connected world, rarely does this strategy work. In most cases, maintaining day-to-day business requires punching holes in the wall to grant employees, partners, and customers access to the data they need. It seems that the more holes an organization creates, the more efficiently and profitably business practices operate - on the surface. However, even one hole in the wall provides a way into the castle, increasing the risk of unwanted invasion.
So what are companies to do?
The 80/20 Dilemma
To ensure only authorized entrance and only the clean exchange of data with selected and approved parties, companies have implemented firewalls, intrusion detection solutions and anti-virus software. Combined and well managed, these technologies can effectively plug the holes in the wall while maintaining business-critical connections. But only 20 percent of damage to data is perpetrated from outside an organization. Our great technologies address only one-fifth of the problem. These solutions do nothing to ensure that, once in the system, visitors will engage in entirely ethical practices.
Intrusion detection packages are based on a "red flag" approach, alerting administrators when specific criteria are violated. But they do nothing to alert administrators to what has happened once an intruder is inside the wall. Or even more alarming, what damage employees - the inhabitants the thick walls protect - are doing from the inside. A full 80 percent of the damage to corporate America's data is performed by those within the firewall and out of reach of intrusion detection packages or anti-virus software.
To overcome this challenge, many organizations augment the components of the castle wall with internal query-based analysis tools - roving guards, charged with finding unauthorized activities. These tools audit the state of the enterprise and provide the opportunity for administrators to detect policy violations based on change analysis. Query-based analysis tools provide a useful method for finding security holes or misuses of network rights. But as an administrator-driven tool providing raw data that must be interpreted, they provide a reactive remedy at best. Even the most vigilant query-based analysis (for instance, one that automatically runs every hour and reports violations to the administrator) is usually an hour too late.
Imagine a user who has inappropriately gained rights to the root of the network tree. That individual has access to all file servers and every file on that tree. The user has access to and control of all printers and routers as well as any databases and sensitive personnel and financial information stored therein. If there is malicious intent, this person can cause a complete failure of every resource on the entire directory in less than a minute. A regularly scheduled query-based analysis will not discover the damage until long after administrators have launched recovery activities.
Gaining Control Over the Critical 80 percent
The key to gaining control over the critical 80 percent of security breaches is to answer four fundamental questions:
- What happened?
- When did it happen, exactly?
- Who did it?
- What should be done?
Query-based analysis tools answer only the first question. They accurately log changes in critical network parameters when diligently compared with previous reports. But these tools only audit the current state of a network. They aren't equipped to log who, what, and the consequences of actions. Without these critical pieces of information and a real-time tracking capability, internal security stays in a reactive stance. Only proactive security policy management truly controls the elusive 80 percent.
It's safe to assume that very few organizations spend 80 percent of their security budgets on measures that directly improve their responsiveness to attacks from within. But with the financial repercussions those attacks can initiate, few can afford not to protect themselves.
With a proactive stance, security policy management moves the concept of intrusion detection to a more powerful and more appropriate intruder detection (even internal intruders). Internal security holes are people, not technology. Thus the focus quickly shifts from finding out what happened and patching the hole to finding out who did what, correcting the consequences, and eliminating the chance of repeat incidence. If you don't know who, you can't solve the problem.
Three Categories of Internal Security Risk
Internal security risks fall into three general categories: mistakes, intentional mischief and user ignorance. Mistakes can include users inadvertently gaining rights that they shouldn't have. Occasionally, when setting up new user accounts, executing account modifications, or performing other routine maintenance tasks, administrators provide administrator rights to the wrong users. Through no malicious intent of their own, these newly empowered users can accidentally cause serious damage to data and systems. The correct action is to remove the excessive rights and repair the damage. But query-based analysis would never reveal who actually has the rights that caused the problems, nor who granted them those rights.
In the case of intentional actions driven by employee (or ex-employee) malice, possible holes can range from a disgruntled employee setting up a trojan horse to gain access after leaving the company, to a current employee wreaking havoc prior to a termination or job change. Mismanagement of user and group rights often results in employees maintaining access to critical company systems long after their employment has ended. The correct actions in these malicious instances could include elimination of rights, removal of opportunities for mischief, notification of administrators, and gathering of forensic evidence to document illegal activities if prosecution is appropriate. Once again, traditional security measures, such as intrusion detection and query-based analysis, do nothing to reveal the perpetrator of such activities.
Security breaches caused by employee ignorance can be some of the most costly for companies that place a premium on storage space and productivity. If employees clutter servers by downloading a large number of MP3 and image files, the overload can compromise network performance. A glut of non-business-related files points to employee productivity problems. Additionally, some files (such as pornographic image files) can actually cause severe liability repercussions if opened inadvertently by employees. Appropriate security policy responses include education of users, removal of files found in violation of policy, and notification of administrators and management. Query-based analysis can initiate none of these actions.
Companies can successfully overcome each case of internal security policy violation by using proactive security policy management that includes real-time event tracking and automated policy enforcement. No matter whether the intent is malicious or the violation critically dangerous, an appropriate policy, tracked by real-time auditing tools with real-time enforcement capabilities, can combat virtually all of the most costly security breaches. These tools answer the who, what and when questions of security breaches - but perhaps even more important, they allow self-healing actions that actually return systems to their pre-attack state.
Security Policy Management Tools
The best tools for true security policy management should include real-time auditing of directories and servers. Directories should be constantly (and automatically) monitored for changes in user rights and group accounts (as specified by executive management and senior IT administration). Servers should be vigilantly monitored for pre-determined suspicious file activities. Whether it's an unauthorized user attempting to gain access to personnel files or a bored employee downloading an MP3 file, a true security policy management tool would notify all appropriate administrators and automatically launch pre-determined actions.
With this real-time tracking, notification, and repair capability, the dangers of internal security violations become much more manageable and require less administrator time. For example, policies could determine that downloading an MP3 file warrants nothing more than notifying the user that it isn't allowed and erasing the file. However, if an ex-employee begins accessing vital data through a trojan horse, these tools could concurrently notify the administrator, launch a full audit trail of activity, eliminate the backdoor, and restore all affected data to its pre-violation state. The options for event tracking and repair actions are literally as limitless as the needs and creativity of the administrator.
The Only Way to Truly Comply
Many countries have brought in legislation on data security. For example, in the United States' healthcare industry, new security requirements as mandated by the Healthcare Information Portability and Accountability Act (HIPAA) are severely affecting the way companies approach data security. HIPAA includes a closely defined set of required security practices. Foremost in this set is a requirement for an audit trail in the case of security violations. Nothing - not firewalls, intrusion detection, or query-based analysis - except security policy management tools provides a truly compliant audit trail.
Simply knowing what has happened doesn't give you the security you need. Organizations must be able to track who did it, when they did it, and what the consequences were. Additionally, smart companies demand a thorough and immediate means of repairing the damage. If you want to provide all these benefits, your only option is to use security policy management tools.
Todd Lawson is the CEO of NetVision (www.netvision.com), a Utah, U.S.-based global leading provider of network directory administration solutions.