Despite the persistent threats of malware and cybercriminals to large companies, the real enemy may be closer to security professionals than they think.
"The biggest danger to the success of the security professional is the vendor community because they are peddling product that the clientele doesn’t need," says Mark Brown, director of UK and Ireland, Information Security Practice at Ernst & Young.
During a heated discussion at a London roundtable hosted by computer security software vendor Websense, Brown claims that security professionals need to reassess their security needs to avoid duplication of effort.
"There is often a complex web of architecture products which cancel each other out," says Brown. "The first piece [of the puzzle] is understanding what you’ve got.
"The second is then to ask yourself: what do each of those tools do? And more importantly, what else is it capable of doing?" asks Brown.
Brown and other industry experts are advising security professionals to use software they already have in place to respond to threats that have already occurred, rather than trying to predict future malware threats.
Using hindsight to look forward
Carl Leonard, a senior manager at Websense, agrees that effective security solutions lie in looking back just as much as looking forward.
"Sometimes businesses will deploy a solution and then forget about it. Then three years later, they won’t have seen the reports. They could have been using that period to learn from their experiences and really explore the features that the product has," advises Leonard.
Data loss prevention (DLP) tools are often high on an IT professional’s list of requirements when it comes to security software, but it is clear that DLP is not being used to its maximum efficiency.
"We integrate DLP in some form, but customers don’t always realise it’s there and they don’t benefit from the intelligence these tools are generating. People do not check their logs."
Leonard highlighted the recent data breach in South Korea, which affected over twenty million people, as a classic case of negligence. While checking logs would not have prevented the problem, it could certainly have lessened the impact.
Around 11GB of data was leaked from credit ratings firm Korea Credit Bureau (KCB) in a week. Taking such a sizable amount of data at once is sure to set off alarm bells, but by moving a few megabytes here and there over the course of the week, the cybercriminals can remain under the detection threshold.
By proactively monitoring the logs already in place, KCB might have noticed that something was amiss sooner, which is why anomaly detection is important. Leonard explains: "If you can see something unusual has happened in your environment, go and investigate it straight away, because a lot of the data will point you towards something that went wrong and amongst your standard set of operation data, that unusual thing should jump out at you."
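The low-and-slow exfiltration Leonard describes is exactly what a per-transfer size threshold misses. The following added example (not from the article or from any vendor mentioned in it) contrasts that per-event check with a seven-day cumulative view per host-to-destination pair, run over constructed sample transfer records; the log format, host names, addresses and the 50 MB / 20 MB limits are all assumptions chosen for illustration.

```python
"""Low-and-slow exfiltration check: per-event size thresholds versus a
rolling 7-day cumulative total per (source host, destination) pair."""
from collections import defaultdict
from datetime import datetime, timedelta

MB = 1024 * 1024

# Constructed sample records (not real data): one outbound transfer per line,
# formatted as "ISO-timestamp source-host destination-ip bytes".
SAMPLE_LOG = """\
2014-01-01T09:10:00 db01 203.0.113.10 3145728
2014-01-01T18:30:00 ws02 198.51.100.5 1048576
2014-01-02T10:05:00 db01 203.0.113.10 4194304
2014-01-03T11:00:00 db01 203.0.113.10 2097152
2014-01-04T08:45:00 db01 203.0.113.10 5242880
2014-01-04T19:00:00 ws02 198.51.100.5 1048576
2014-01-05T09:30:00 db01 203.0.113.10 4194304
2014-01-06T12:15:00 db01 203.0.113.10 3145728
2014-01-07T07:50:00 db01 203.0.113.10 6291456
"""

def parse_log(text):
    """Return (timestamp, host, dest, bytes) tuples sorted oldest first."""
    events = []
    for line in text.splitlines():
        ts, host, dest, size = line.split()
        events.append((datetime.fromisoformat(ts), host, dest, int(size)))
    return sorted(events)

def per_event_alerts(events, limit=50 * MB):
    """Classic threshold: flag only a single transfer larger than `limit`."""
    return sorted({(host, dest) for _, host, dest, size in events if size > limit})

def sliding_window_alerts(events, limit=20 * MB, window=timedelta(days=7)):
    """Flag a (host, dest) pair once the bytes it has sent within any
    `window`-long period exceed `limit`, however small each transfer is."""
    history = defaultdict(list)   # (host, dest) -> [(timestamp, bytes), ...]
    flagged = set()
    for ts, host, dest, size in events:
        key = (host, dest)
        # keep only transfers that are still inside the window, then add this one
        recent = [(t, s) for t, s in history[key] if ts - t < window]
        recent.append((ts, size))
        history[key] = recent
        if sum(s for _, s in recent) > limit:
            flagged.add(key)
    return sorted(flagged)

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-event alerts:     ", per_event_alerts(evs))       # []
    print("sliding-window alerts:", sliding_window_alerts(evs))  # db01 pair
```

No single transfer in the sample exceeds 50 MB, so the per-event check stays silent, while the cumulative view flags db01 once its week-long total passes 20 MB.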
The vendors’ responsibility
However, some IT and security professionals won’t know to employ these tactics unless they are advised to do so.
Andrew Philpott, senior vice president at Websense, agrees that vendors have a responsibility to demonstrate the value of employing such tactics as proactive log checks.
"Right from the initial conversations with sales guys, they should be sales consultants who are able to articulate the benefits those organisations are going to see but also identify the problems they don’t even know they have – it’s not scaremongering, it’s educating them," says Philpott.
Philpott adds: "It’s very challenging for end user customers to find their way through the myriad of different vendors who are claiming to do the same things.
"We are constantly looking for ways to differentiate ourselves because we understand the challenge IT directors have in terms of distinguishing the true differences between different offerings on the marketplace."