'Good enough' security not good enough, warns NTT Com strategist

Improvements in security technology have made security environments easier to manage, but this convenience is taking a toll as too many organisations neglect to implement incident response plans and other complementary procedures, the head of NTT Com Security has warned.

Gary Sidaway, global director of security strategy, told CSO Australia that the accretive approach to security pursued by many organisations had left patches of unidentified risk throughout the structure of the average company.

“From a client perspective the way they work together will be different tomorrow and the threats they face different tomorrow,” he said. “Bolting on technologies and point solutions clearly hasn't worked in mitigating that threat, and you've got to take a different approach to security and risk management.”

The company's recent NTT Group 2014 Global Threat Intelligence Report evaluated, among other things, the extent of this complacency and found that the predominance of 'good enough' security investments had left organisations exposed to determined hackers who “maintain constant pressure on the perimeter of the organisation until it is compromised”.

In many cases, that pressure is focused on one particular endpoint: NTT Group's analysis of more than 3 billion attacks found that 43 per cent of incident response engagements were the result of malware attacks against a specific endpoint. Open environments such as schools, where endpoint devices vary and controls are harder to enforce, were penetration hotspots, accounting for 42 per cent of all malware events.

“While businesses drag legacy security along, cyber-terrorism and criminal enrichment are carrying the attacks forward at a furious rate,” the report's authors warn. “Fighting back with traditional solutions is a failing strategy as attackers pour resources into circumvention, and skip over the defences to exploit the more lightly defended interior.”

The results can be devastating – a single unsanitised field on a Web form paved the way for an automated SQL injection attack and cost one organisation mentioned in the report over US$196,000 – yet the institutional complacency around security technology means that 77 per cent of the organisations studied had no incident response plan.
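The “single unsanitised field” failure the report describes comes down to one coding decision: whether a form value is spliced into the SQL text or bound as a parameter. The following is an added example, not code from the report or from NTT Com Security; it uses Python's standard sqlite3 module with a constructed in-memory users table and constructed form inputs, and shows the unsanitised lookup beside its parameterised replacement plus an allow-list check on the field. The two symptoms a defender looks for are both visible: a legitimate name containing an apostrophe breaks the unsanitised query (a database syntax error on ordinary input is usually the first sign of this bug), and a quote-bearing value changes what the unsanitised query returns, while the bound version treats every input as a plain string.

```python
import re
import sqlite3

# Constructed sample data standing in for the organisation's real user table.
SAMPLE_USERS = [
    ("alice", "alice@example.test"),
    ("bob", "bob@example.test"),
]

# Allow-list for the username field (assumption: usernames are short and alphanumeric).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def build_db():
    """Create an in-memory SQLite database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)", SAMPLE_USERS
    )
    conn.commit()
    return conn


def lookup_unsanitised(conn, username):
    """The defect the report describes: the form field is pasted into the SQL text,
    so any quote character in the value becomes part of the statement."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterised(conn, username):
    """Hardened form: the value is bound with a placeholder and is always data,
    never SQL, regardless of which characters it contains."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def lookup_validated(conn, username):
    """Defence in depth: reject values outside the allow-list before the query,
    then use the parameterised lookup. Returns None for a rejected input."""
    if not USERNAME_RE.match(username):
        return None
    return lookup_parameterised(conn, username)


def unsanitised_query_errors(conn, username):
    """True if the unsanitised lookup raises a database error for this input;
    used to show that an apostrophe in a legitimate name breaks it."""
    try:
        lookup_unsanitised(conn, username)
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    # Constructed form inputs: a normal name, a legitimate name with an apostrophe,
    # and a value whose quote characters alter the unsanitised statement.
    for value in ("alice", "O'Brien", "x' OR 'a'='a"):
        print(f"input {value!r}")
        print("  unsanitised errors:", unsanitised_query_errors(db, value))
        if not unsanitised_query_errors(db, value):
            print("  unsanitised rows:  ", lookup_unsanitised(db, value))
        print("  parameterised rows:", lookup_parameterised(db, value))
        print("  validated rows:    ", lookup_validated(db, value))
```

Running the block shows the unsanitised lookup returning every row for the quote-bearing input and raising on the apostrophe, while the parameterised and validated lookups return only an exact match. The allow-list is not a substitute for parameter binding; it is there so that malformed input is rejected (and can be logged) before it reaches the database at all.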

Many organisations still don't even know what their legacy applications are doing, Sidaway pointed out: “someone wrote them 10 or 15 years ago, and people don't want to touch them and they're not quite sure what their users are doing,” he said.

“We start by taking that complexity out and simplifying it; that has been successful for us in helping them simplify those security architectures. It's about identifying the projects that make sense to an organisation, and aligning them from top to bottom.”

Tightening up the security controls for this interior should be a key priority for any company, the report warns, with employee engagement “vital” and application development strategies needing to build security into applications from the beginning.

“Security organisations have vast challenges under the existing security operational model to maintain wrappers around data objects especially when external and internal environments are addressed differently,” the report's authors warn.

“Security's responsibility is to ensure continuous business operation in vastly different environments than legacy capabilities are designed to manage. Security done right needs to move to the next level of investment so the basic embedded security fabric is the corporate way of doing things, rather than the ugly stepchild to business as usual.”

Companies where security policies have been tightened and are updated on a continual basis – for example, in companies adhering to Payment Card Industry (PCI) standards for protection of credit-card details – were able to remediate security issues 35 per cent faster than those without such regulatory requirements. Those with Vulnerability Lifecycle Management (VLM) processes had a 20 per cent faster remediation time.

While the benefits of better policy are hardly new, Sidaway said many organisations still struggle to deliver it in practice – particularly where the business is involved.

“Actually presenting information security as that business enabler is the challenge for a lot of organisations,” he said. “It has traditionally been seen as a cost that you can't justify.”

“Where we've had a lot of success is being able to turn it into something in terms of that business advantage,” he continued. “It enables your workforce to be mobile, to position that cost for the business, and to know that information security is already embedded in the business so the board can see that advantage.”

“Taking out complexity is hugely important; just doing the basics, and doing the basics well, significantly reduces your risk – and that is a message that's resonating with the board.”

This article is brought to you by Enex TestLab, content directors for CSO Australia.

Stories by David Braue