Do we need regular IT security fire drills?

IT security “fire drills’, supported by executive management and the risk committee should be conducted regularly in organizations, in order to understand the appropriate course of action in advance of a security breach. So says Neil Campbell, Group General Manager for Dimension Data’s Security Business Unit.

Organizations need to move beyond focusing purely on the prevention of security incidents, and start to concentrate on what they will do when an incident occurs.

“It’s inevitable that security incidents will occur. It’s therefore critical that organizations begin to focus on identifying what we call “indicators of compromise’, putting a comprehensive incident response plan in place, and performing regular IT security “fire drills'”, explains Campbell. He points out the regular fire drills – or rehearsals – will ensure that, in the event of an incident, IT and management teams are clear about what needs to be done, and the business is less at risk. This includes recovering evidence, identifying and resolving the root cause of the incident (not just the symptoms), and undertaking a forensic investigation.

So what other issues are on the watch-list in 2015 for IT security professionals?

Matt Gyde, Dimension Data Group Executive – Security Business Unit says, “We’ve identified what we believe to be five of the most significant trends in our industry for 2015. These are not the only areas where change is occurring. However, they certainly warrant discussion.”

He points out that a trend that did not make the top five list, but which is closely linked to each is the use of data and machine learning, which, when coupled with human interaction can create actionable and contextualized intelligence. “This enables organizations to make rapid decisions on how to protect themselves against a pending attack, how to respond during the attack, and what action to take post-attack.”

IT security gets cloudy

Both Campbell and Gyde predict a continued increase in the adoption of cloud services for security in 2015. “This holds true for software-as-a-service solutions, such as secure Web proxy, and secure email in the cloud. These solutions are particularly attractive as the implementation effort is negligible – you’re simply redirecting traffic to take advantage of the service through a consumption-based model. And the services are highly scalable. If you need to support 20,000 users today and you acquire a company and your headcount suddenly increases to 30,000 in six months, you simply amend your license agreement, and your new employees will be up and running immediately.”

Application security in the cloud and cloud-based, distributed denial-of-service controls such as those offered by Akamai are other areas of growing interest.

According to Campbell, security of the cloud will become increasingly important as more organizations move their workloads to the cloud. “It’s no good adopting this model only to be told by your auditors a year later that your cloud provider’s security protocols aren’t up to scratch. I believe we’ll see cloud providers investing heavily in building rich network architectures that support the gamut of security controls, so that they can assure their clients that enterprise-grade security technologies are being applied to their workloads.”

Gyde agrees and says that there’s still some work to be done within the cloud industry and security. “The most secure platforms in the world can still be compromised by human error or poor management,” he adds and points out that another area that needs attention is integration with existing organizational policies and processes. “It’s very easy for start-up companies to transition to the cloud as they have no legacy physical infrastructure, and can implement “greenfield” security controls. Larger, more established businesses find the prospect of cloud more daunting, as they’re unsure of how to adapt their security controls, policies, and processes to this model.”

From security technologies to secure platforms

2015 will also see the notion of security being a secure platform − rather than a series of point products or devices on the network – gaining traction. The expectation on security professionals will be to deliver a secure platform that allows the business to confidently run multiple applications, in a secure environment.

Gyde says for many years, organizations typically bought multiple security products from different vendors. While this helped create “defense in depth’, it also introduced complexity and potential risk. After all, 95% of successful attacks may be attributed to human error, rather than technology.

“Increasingly, organizations are weighing up their risks and making buying decisions that aren’t necessarily based on best-of-breed technology and are instead adopting a pragmatic, risk-based approach where they work with their existing infrastructure and partners to manage their risks to an acceptable level, rather than aiming for, but never achieving, “perfect’ security.”

The concept of cloud and its pay-per-use model is also relevant to this discussion. Organizations want to replicate the consumption-based approach of cloud in an on-premise model, either independently owned, or owned by a trusted service provider or vendor. Increasingly, organizations prefer security partners that are prepared to take on some of the financial risk, while also offering a flexible service construct, for example, one that allows them to turn on a firewall at short notice to deal with a specific event, and the spin it down when the requirement has passed.

The notion of a secure platform directly relates to organizations’ desire for a “single pane of glass’ through which to manage their security assets, delivered on-premise, hosted, or as cloud infrastructure. Essentially, this enables robust security to “follow’ an organization’s applications, data, and workloads without any compromises or changes in technology or management being required. This approach also supports and aligns with enterprise mobility requirements for corporate data to be accessible to users anytime, anywhere, and from anyplace.

Endpoint security back in vogue

Campbell predicts a resurgence in interest in endpoint security in the industry. “This is closely tied to the first trend we discussed − incident response − and the fact that some traditional network-based security controls aren’t as effective as they used to be. Security professionals will be looking at devices – whether they’re PCs, Macs, or smartphones – for indicators of compromise, and then enabling some form of incident response process. They’ll deploy technologies to endpoints to make incident response easier,” he says.

Application control is also expected to re-emerge as a key focus area for 2015. However, emphasis will be on identifying malicious activity on the endpoint, rather than malicious code. “While user awareness of information security best practices is a key priority, at some point someone is going to click on something they shouldn’t, so organizations must be proactive about managing the impact of such events,” Campbell concludes.