BYOD Abounds – Can the Enterprise Flourish in this Environment?

Mobility is the trend of the new generation. Increased access to tablets, smartphones, robust data networks and even Wi-Fi everywhere has extended the capabilities of the professional in the field. When the BlackBerry first emerged on the market, the enterprise acquired, provisioned and controlled the mobile device for the workforce, enabling access to key applications and information, while also monitoring activity.

The demand for increased mobility has spurred a new phenomenon – BYOD. Employees are opting for the Bring Your Own Device to work strategy, balancing personal and professional conversations and information on the same device. The BlackBerry is no longer the smartphone of choice as the iPhone and Android dominate the market. BYOD has proven to be an effective strategy with the right policy in place, but how can it truly support the initiatives of the enterprise?

There are a few realities that accompany the adoption of BYOD:

Employees select the brand and type of device – while employees enjoy the freedom of selecting their own preferred brand and operating system, enterprise IT recognize the different challenges working in varied environments. It may be more effective for the corporate policy to allow BYOD to only include selected, approved brands, models and operating systems.

Employees control the level of personal information contained on the device – this is an important point if there is no separation between personal and corporate information. For example, if baby pictures are mixed with corporate or customers proprietary information, that’s a problem. Employees should be allowed to load their own information on their own device, but it’s up to IT to provide the technology and information to keep personal and professional information separated on the device with the application of mobile applications.

Employees access websites, applications and file sharing services not normally permitted by the enterprise – this is a critical threat for any network. Users may be accessing a vulnerable hotspot, uploading information to a file share site lacking the appropriate protections or downloading applications with malicious software. The enterprise BYOD policy should include guidelines to acceptable practices and mobile device management applications can be installed that prevent risky activities. The key to the successful application is to inform employees as to these rules and the consequences if those rules were to be broken.

Employees may allow other people to use their device – this reality is difficult to address from the corporate side. Employees may be educated on the risks involved with allowing other users to access their device, but complete control in this area is difficult. Monitoring and management applications can help control what the individual may do while using the device, however, which is an important step towards protection.

Employees may not demonstrate diligence in keeping track of their device – regardless of how much the employee uses his or her mobile device, it can still be lost or stolen. If that happens, the finder will have access to a wide range of network applications, proprietary information, authentication information and so much more. This is where keeping personal and private information separate is crucial as IT management can remotely wipe the device clean of any information that puts the enterprise at risk. Likewise, the employee can opt to wipe everything if personal information lost will also put them at risk.

While this list just scratches the surface in terms of the realities that can affect BYOD and the enterprise, they are important points to ensure success in this new environment. Any corporation can resist the trend and instead purchase mobile devices for all employees, but that may not always be the optimal choice. By understanding the realities that exist in a BYOD environment, the enterprise is more likely to benefit. 

Threats Associated with BYOD

The use of mobile devices among the global workforce is not a new concept, but the introduction of user ownership is a trend that has just gained momentum in the last few years. Professionals in a wide range of industries are relying on their own mobile devices to support the balance between work and home, introducing a whole new set of risks for the corporate network when the proper policies and controls are not in place.

While BYOD (Bring Your Own Device) offers plenty of benefits for the enterprise and the employee, a strategic approach is necessary to mitigate the risks associated with users accessing the network and supported applications from outside of the corporate firewall. Let’s take a look at some of the threats that exist with BYOD and what you need to do to protect your network, your users and your proprietary information.

1. Lacking a Robust Policy – Now that users are accustomed to relying on their own devices to access the network and their personal email, they also need to know what is acceptable use, who has access to their device(s), and what will happen if the device or the information contained within the device is compromised. An effective policy outlines expectations and outcomes, while also providing for the proper sharing of information so all employees are informed.
   
   
2. Weak Authentication Methods – It’s a given that employees will need unique user names and passwords to access the corporate network, but it’s also a given that such information is easily captured by hackers. It’s critical that IT management implements and enforces strong authentication methods and limits access to applications. Strong authentication methods demand constant monitoring and regular updates to ensure any breach is immediately identified and mitigated.
   
   
3. No Visibility or Control over Devices – Employees often prefer BYOD as a concept as it suggests they have complete control over their mobile device. While the physical control may remain, IT management establishes its own control over the device with mobile device management or other applications that provide remote access and complete visibility. Access to such technology ensures IT always knows what devices are accessing the network and can immediately locate, lock and wipe clean any compromised or lost device.
   
   
4. Applications – While a number of applications exist to promote the activities of the professional in the field, a larger number exist to waste time or access proprietary information with malicious intent. Any applications downloaded by the user without IT approval are a risk to the corporate network. The simple scan of a QR code could quickly launch malware on the device, with reach into any network to which it is connected. The corporate policy must define what constitutes an approved application and how to avoid downloading malicious software.

While this list merely scratches the surface of the threats that exist with BYOD, it still provides clear insight into what you need to consider within your own environment. Whether yours is a large enterprise, small- to medium-sized business or sole proprietorship, any mobile device used to access your network, server or other IT assets presents a threat to your operation. Before allowing BYOD to flourish, put the right strategy in place to support only the safe use of all mobile devices.

Spain Breaks Global Money Laundering Ring

Spanish authorities have arrested twenty people suspected of having facilitated an international money laundering operation through the sale of drugs. The investigation was initially launched in May 2008, when Police became suspicious over several substantial transfers of money to Colombia. Police reports suggest that the group was responsible for transferring in excess of 3 million euros during 2007 and 2008, which was sent from Spain to bank accounts in China, Panama, Venezuela and the United States and were eventually collated at a fake dentistry foundation in Colombia. The Police statement went on to say that the suspected ringleader of the Colombian network was detained by US police in Miami, whilst the remaining suspects were detained by Spanish police in raids carried out across Spain. At the same time, the Police confiscated 5 vehicles; 32 mobile telephones; a quantity of cocaine; 6 fake passports and other documentation.

How to Ensure That Your Risk Management Strategy is Complete

Many companies embark on their risk management strategies from a single perspective, and do little more than put automated tools in place that will monitor activities for patterns and trends, and alert appropriate personnel when an abnormal or out of the ordinary event occurs. 

However, risk management is not nearly that simple.  Related strategies are complex and multi-faceted.  Even the slightest oversight can put sensitive or confidential data in jeopardy – and result in stiff monetary penalties or negative impact to the company’s image and reputation.  So, in order to ensure optimum security of their IT infrastructure, organizations must make their risk management initiatives as comprehensive as possible. 

A truly complete risk management strategy must include the following steps:

• Risk assessment.  Identify all probable threats, and prioritize them based on their likelihood and their potential impact.
• Asset audit.  Build a list of all information assets, including databases, applications, files, and other sources that contain data that may subject to breach.  Carefully evaluate each, and assess their vulnerability to an attack.
• Process definition. Create and document the procedures for the ongoing monitoring and analysis of all software, hardware, and virtual information assets.  These defined activities must be readily accessible to and clearly understandable by all key stakeholders.  They must also be strictly enforced, with specific penalties outlined for those who put information at risk by failing to adhere to written guidelines. 
• Tool selection.  Determine what types of technology solutions may be needed, and evaluate and select a suite of automated tools to assist in the monitoring and alerting process. 
• Incident response.  Define step-by-step workflows for responding to and investigating (when needed) a potential breach.  This must not only include a list of all required tasks and activities, but rigid timelines for executing them. 
• Assignment of resources.  Determine who will be responsible for the various aspects of risk management, and clearly highlight the roles and responsibilities of each key stakeholder.  Be sure to define a chain of command, as well as a contingency or succession plan to minimize disruption to risk management when assigned resources are unavailable, or when they leave the company. 

The last, and perhaps most important, step is ongoing enhancement.  Continuously test and evaluate the various components of the strategy, including tools and technologies being utilized, and make refinements as needed.  This is particularly important after the detection of a breach event, when a post-response de-brief can help facilitate the creation of best practices (for those processes that proved to be effective) and result in lessons learned (for those procedures that did not work). 

Leveraging the NIST Framework for Effective Risk Management

Risk management has become a key priority for many companies.  Yet, few really understand what a comprehensive risk management strategy entails, or how to effectively implement one across their entire enterprise. 

That’s why many businesses are turning to the National Institute of Standards and Technology (NIST) for guidance.  NIST has designed a methodology for implementing comprehensive and consistent risk management guidelines and processes throughout the federal government.  The goal is to maximize protection of classified information contained within IT systems and services by ensuring that common tools, solutions, and procedures are deployed and utilized among all agencies.  At the same time, the NIST methodology strives to create a secure technology environment, without hindering the needed information sharing between federal, state, and local offices. 

Because it is so comprehensive, corporations are seeking to leverage this framework for their own risk management purposes.  For example, the NIST approach has already taken into consideration all the factors that have put information systems at greater risk than ever before, including:

• The growing complexity of IT architectures
• The increased sophistication of cyber criminals
• The rising number of “virtual” assets that need to be protected
• The need to balance security with real-time collaboration and data access and sharing requirements

Additionally, the NIST technique utilizes a phased approach to risk management that can act as a guide to other companies, helping them take the needed steps to implement true, enterprise-wide risk management, such as:

• Defining and measure existing risks
• Prioritizing threats based on likelihood, extend of potential damage, and acceptability
• Identifying those staff members who will be responsible for risk management, and outlining their roles
• Selecting, purchasing, and deploying the needed tools
• Configuring all systems, databases, and services for maximum protection
• Setting, documenting and enforcing security monitoring procedures
• Creating response processes to be executed in the event of a breach
• Conducting ongoing auditing and analysis of current procedures, and continuous refinement as needed

And, because NIST created their recommendations to address broad, nationwide security requirements, as well as the needs of various individual federal agencies, they offer maximum flexibility.  This is particularly important for large, global organizations that need to standardize its risk management activities, while allowing each department, office, or business unit to adjust techniques as needed to satisfy unique security requirements. 

Risk management initiatives require a tremendous amount of time and resources.  So, instead of starting from scratch, companies should look to NIST, and use their existing framework as the basis for their projects.  This will accelerate the development and implementation of risk management strategies, while ensuring success through the use of proven techniques and methodologies.

Real-Time Correlation: What It Is and How It Can Enhance Security

As organizations begin to place a greater emphasis on the development and implementation of broad-reaching IT security strategies, they are receiving a rapidly increasing number of alerts from the various technologies and devices they have deployed.   As a result, they faced with the challenge of effectively managing, prioritizing, and responding to them. 

Real-time correlation is an emerging technique that takes the raw data generated by potential security events, and transforms it into information that is easy to interpret, and more importantly – actionable. 

Most security management tools and methodologies trigger alerts based on specific actions taken by system users.  However, they don’t necessarily interpret what those activities mean, and whether or not they require an immediate investigation.  That responsibility lies with systems administrators and others who oversee IT protection. 

Additionally, the disparate activities that make up breaches – and the data that they generate – are often spread out over numerous applications and devices, making them more difficult to detect.  Therefore, stakeholders must manually sift through multiple logs, and analyze the related event information to make sense of it all.  

On the other hand, real-time correlation extends the capabilities of “point” systems, using a sophisticated algorithm that consolidates security data from various solutions, mines it for sequential patterns, and generates intelligence about the safety status of the entire network.  It dynamically identifies vital trends in cryptic security event information, and leverages built-in rules to instantly translate those trends into something meaningful and useful.  As a result, it can help detect and pinpoint the root cause of attacks in progress, and anticipate the next steps in multi-stage attacks.   

What are the primary benefits of this approach? With real-time correlation, companies can:

• Obtain a more comprehensive and holistic security status across an entire infrastructure
• Accelerate the discovery of security breaches in progress
• Reduce the time to respond to attacks by more rapidly initiating countermeasures or launching investigations
• More effectively identify and react to multi-phase or multi-prong attacks
• Minimize the number of false positive alerts

As hackers and other cyber-criminals become smarter, and acquire the knowledge and skills needed to divert traditional security management solutions, the attacks they launch will become more sophisticated and harder to expose.  Therefore, the need for real-time event correlation will become more and more critical in order for companies to mitigate all potential risks, and maintain full protection across their network from end to end.

Alerts: Avoiding False Positives

Every day, security analysts and the other professionals responsible for infrastructure monitoring and protection receive a series of alerts from the various hardware and software components that make up their technology architecture.  The key challenge lies in prioritizing these alerts, and determining which ones require immediate attention. 

 

False positives, incidents where security alerts are triggered even though no breach event has actually occurred, are becoming more and more common.  Many intrusion detection systems are designed to uncover even the slightest unauthorized activity, looking not just for actual intrusions, but for any possible intrusion.  As a result, they are often configured in such a way that a high number of false positives are also generated in addition to valid alerts.  These can cost companies a tremendous amount of time and money, and distract incident responders from those alerts that really do require further investigation. 

 

However, industry experts recommend several ways to reduce the number of false positives.  These suggestions include:

 

Fine-tuning systems

Many security systems are, by default, extremely sensitive.  But, their configurations can often be easily adjusted, to allow for more rigid definition of the criteria and thresholds that will trigger an alert.  Begin by reviewing past audit logs to identify those actions that most often result in false positives, and set system controls to ignore those activities.   

 

Using intelligent event correlation

Many experts believe that the future of enterprise security monitoring lies in event correlation, the ability for systems to leverage human-type intelligence to more effectively weed out false positives.  For example, multiple failed logins alone may not be enough to warrant a full-blown investigation.  Many of the more advanced systems will be able to dynamically perform further analysis and gather additional evidence, such as determining which IP address the logins were attempted from, before triggering an alert. 

 

Applying visualization techniques

 

A study conducted by the Department of Computer Science at the University of Virginia suggests that – particularly in massive data sets – the textual relaying of suspicious activity data alone can create an unacceptable number of false positives.  The report goes on to claim that by allowing system administrators and security analysts to visually analyze the same information using sophisticated graphics, it will be easier for them to identify the activity that represents low or no threat, and allow for faster detection of true malfunctions and breaches.  

 

Conducting more in-depth training

While false alarms cannot be eliminated completely, they can be more rapidly dismissed.  By training incident response teams to better tell the difference between a real alert and a false one, companies can avoid wasting precious staff time and incurring unnecessary expenditures.

How Early Breach Detection Can Prevent Major Losses

Sometimes, attempted incidents of fraud are unavoidable, no matter how hard a company tries to prohibit them.  In the past, before significant advances in technology, companies had little choice but to simply react to suspicious events long after they occurred.  But today, many experts believe that businesses have the tools at their disposal to take a more proactive approach to risk management.

It’s no secret that early detection can mean the difference between a minimal disturbance and a major disaster.  The sooner fraud is caught and stopped, the less damage a company is likely to experience.  For example, in the mid-1990’s, a trader at

Japan’s Sumitomo Trading Company perpetrated over $2.6 billion worth of fraud.  The offenses were committed over the course of a decade and a half, but had the activity been detected in the first year, losses could have been as little at $400,000.  

This is a particularly important when viewed from the perspective of a recent report issued by the Rollins Center for eBusiness, which claims that $1 in fraud-related expenses reduces net income by the same amount.  And because organizations have average profit margins of ten to twenty percent, additional revenue of five to ten times the amount of the fraud must be generated in order to restore net income to its pre-fraud level.

 

By identifying and diverting a potential breach in the earliest stages, companies can preserve the integrity of the data they manage, maintain profitability, save their reputation, protect their clients, and learn valuable lessons for the future.

 

But, according to a recent PriceWaterhouseCoopers survey, only about five percent of fraud and other white collar crimes are detected by active risk management strategies.

 

It’s obvious that early detection is critical.  But, what are some of the most effective methods, and how do they work?

• Behavior pattern analysis.  In order to immediately uncover an “out of the ordinary” action, you’ll first need to understand what constitutes “normal” activity.  By analyzing historical data to determine how authorized system users typically access information and perform transactions, companies can make suspicious activity clearer and easier to detect. 
• Identification of potential types of fraud and their symptoms.  When you know what you’re looking for, it’s easier to find.  Many companies have called in third party fraud consultants, who outline the types of events that are most likely to happen and what sequence of activities usually leads up to them.  This helps companies anticipate what may take place in the early stages of a breach, so they can begin their investigations and take corrective action much earlier. 
• Scoring.  Suspicious events need to be prioritized, in order to ensure optimum efficiency and effectiveness in investigations.  By scoring out of the ordinary activity based on its likelihood to lead to fraud, companies can allocate resources accordingly.  
• Real-time alerts.  Putting a “chain of command” into place, and implementing a software system that will automatically notify these key staff members when abnormal activity takes place will ensure the most rapid response possible, and enable the start of an immediate investigation if deemed necessary.

The Most Effective Incident Response Techniques

Many companies consider their log management strategy and related systems and techniques to be the most important weapon in their fight against fraud.  But, implementing IT auditing measures through the use of log management is just the first step.  In order to most effectively combat fraud, companies must have the proper procedures in place for handling incidents once they occur.  The speed and accuracy with which an organization responds can mean the difference between losses that are minimal, and those that are significant. 

 

What are some of the best ways to ensure swift, comprehensive incident response? 

 

Assemble a team

Companies who designate specific staff members – in advance – to address incidents once they are detected will experience less confusion and delay.  By clearly outlining who is responsible for what operational, decision-making, and investigative tasks, you can dramatically accelerate your incident response and resolution times.   

 

Document policies

Once everyone knows what they are responsible for in the case of a security event, they then need guidelines as to how assigned tasks should be carried out.  Formal, fully document response procedures will ensure that all actions taken are decisive, correct, and effective so losses can be contained as quickly as possible. 

 

Consult with external parties immediately

Many companies make the mistake of contacting their legal counsel or local law enforcement agencies after the investigation has been completed.  However, it is best to involve them in your evidence-gathering as soon as an incident occurs, since they can look at supporting data in an unbiased and experienced manner. 

 

Utilize live response

The size and complexity of today’s technology architectures, combined with the increasing volume of malicious activity, have made it more difficult than ever to gather forensic evidence when a breach takes place.  However, there are now tools on the market that allow for “live response” – the collection and analysis of system memory.  This approach not only minimizes any impact on system performance during the evidence gathering process, it allows investigators to more rapidly examine data to find the supporting data they need. 

 

Conduct ongoing assessments

Each time an incident occurs, have your team gather afterwards to discuss what areas of your incident response policy worked, and which ones didn’t. This will allow for ongoing learning and continuous enhancement, so policies can refined to be as effective as possible. 

 

Be proactive

Of course, the best defense against fraud is to proactively prevent it.  By analyzing log data in great detail to gain a full understanding of the patterns and trends that represent “normal” activity, companies can instantly uncover the peculiar or out-of-the-ordinary actions that lead up to a security event.  Therefore, they can detect and stop breaches before they happen – instead of simply reacting to them once they have already occurred. 

Appliance-Based vs. Software-Based Log Management: Which is Better?

When it comes to log management few can agree – which is better, the appliance-based approach, or software-based solutions? 

 

Software, by nature, is more flexible.  It’s easier to set up and configure.  Additionally, it comes with none of the storage demands that are typical of hardware-based solutions.  On the other-hand, appliance-based log management solutions take up valuable real estate.  While larger companies may have the extra office space to spare, many small and mid-sized companies do not.  This makes software-based log management the better choice for companies that plan to set up their log management infrastructure across multiple remote locations. 

Additionally, they are limited in scope.  The typical “log collector boxes” will eventually max out, many experts believe, as the quantity of log data that companies must collect continues to grow at a rapid pace.  A 2007 study conducted by the SANS Institute, the world’s largest and most trusted provider of internet security training and certification shows that the majority of companies today (57 percent) store logs from as many as 500 different sources.  

And, appliance-based log management often requires significant investments in proprietary hardware.  This can drive up implementation and administration costs, hinder the portability and sharing of log event data, and negatively impact network performance.  It can also make access to data difficult for third parties, which may be needed in the event of an investigation into a potential security breach. 

 

But, there are also advantages to appliance-based log management systems.  Some industry pundits feel that software-based solutions can create yet another disparate application – particularly in large enterprises where technology environments are already more dispersed than they should be.  The SANS report cites that more than 55 percent of Global 2000 companies rely on hardware-based solutions for their log management needs, and this is likely the reason. 

 

Total cost of ownership can also be much lower with appliance-based solutions, since they are turnkey systems.  Software-based log management requires customers to purchase a variety of other components, including the server hardware and operating system, and storage devices.  This raises significant concerns about security, since multiple layers of the infrastructure must be protected, as opposed to just a single appliance.  And, much time and effort must be spent installing and integrating these various components, making appliance-based deployments and roll-outs much, much faster since they are usually “plug and play”.  

 

Others believe that software-based log management is highly prone to problems and inconsistencies.  In fact, in an article published in the ISSA Journal, David Ting states that, “deploying a software-based security application is a painful process ripe with opportunities for error”.  But, appliance-based solutions are dedicated to performing a single task – collecting and organizing log data – and are therefore more reliable. 

 

However, as applicance based vendors are popping up on daily basis, companies are starting to rethink applicances all together.  Log Management in particular, is storage hungry and companies have already commited storage infrastructure for many of their enterprise applications, why not leverage that investment?

 

You can always find arguments for or against one approach over the other.  However, which is better truly depends on each individual company’s log management strategy, and the resources it has available to dedicate to executing and supporting that strategy.  When choosing a log management solution, investigate both methods thoroughly to determine which is right for you.