Cyber-Security Teams: No Rest for the Wary
By Tony Kontzer | Posted 2015-03-31
Today's IT security teams face a constant and evolving barrage of threats that force them to assess their security policies and procedures on an ongoing basis.
Routh says the security philosophies of yesteryear—when the focus was on keeping malicious actors out of the enterprise—have become obsolete. Security today is about round-the-clock fine-tuning.
"There's a constant reinvestment in controls that fit the landscape," Routh says. "Ten years ago, policies and control standards didn't change that much. They were published annually, and there were a few new wrinkles, but they were relatively static. Today we're introducing new control standards almost every week."
As a result, Schwab's Lish adds, the posture has evolved from incident response to gaining a better understanding of the threat landscape. For example, he says his company is watching indicators such as how often it is targeted by threats, whether those campaigns are focused on certain individuals, and which countries the scans it detects originate from.
Schwab is also making good use of threat intelligence it gets as part of the Financial Services Information Sharing and Analysis Center. This forum was founded in 1999 to encourage a more collaborative approach to security intelligence in the financial services industry.
"As part of our threat intelligence capabilities, we're constantly taking that information and putting it into our environment so we can monitor, get alerted and take action," says Lish.
Monitoring Isn't Enough
However, 451 Research's Hanselman states that monitoring isn't enough. He says organizations must constantly review their security plans and adds that doing so requires combining expertise and insight with practical preparation, much as professional sports teams rely on practice.
"A good place to start is with scenario exercises," Hanselman says. "Put plans in place and, most importantly, practice them so that the organization understands that the plans are there."
Along those lines, both Schwab and Aetna send out fake phishing emails to see who clicks on malicious links. They then use that information to target their awareness and education efforts.
Routh says Aetna's users have scored better on such tests than the employees at any company he's worked for, and yet, "I'm still not convinced that's enough."
He's also taken steps to prevent phishing emails from reaching customers, who can unwittingly trigger breaches by granting hackers access when clicking on malicious links. Aetna authenticates its outbound emails with its Internet service provider, and any email that's not authenticated is dropped before reaching a customer's inbox.
The need to go so far in protecting customers—who have grown more savvy than ever about the security of their data—is another layer of complexity piled on the ever-changing world of information security, where nothing less than the health of the business is at stake.
"More and more of our clients are caring about this to the point where they're saying, 'Hey, if you don't do the right thing, I don't want to do business with you,'" says Schwab's Lish.
It's an ominous message that should provide high motivation for companies and their IT security teams to keep their security strategy top of mind and up to date at all times.