At the recent IT Security Analysts Forum in London, organised by Eskenzi PR, one could be forgiven for thinking that the dozen or so vendors represented were all fierce competitors. Their high-level taglines all sounded pretty similar: “we secure your business’s data”, “our product is the next generation of data theft prevention”, “your data is safer with us” and so on. None of these statements were untrue per se; however, they are too abstracted from the nuts and bolts to describe what the individual vendors actually do.
The forum mainly attracts smaller vendors whose products help mitigate specific threats or protect data at certain stages in its life-cycle. What all the products being showcased had in common was that they had a part to play in mitigating aspects of the growing threat of targeted attacks, which, as Quocirca reported in its free research report earlier in 2013, are a growing concern to most businesses (free report: The trouble heading for your business).
The easiest way to get more insight into what was on offer is to consider the key stages of a targeted attack: gaining access to systems, installing and running malware, and the compromise and exfiltration of data.
There was general agreement that the primary means for gaining access was to dupe employees in some way into giving access details or downloading malware. A key way to prevent this is to educate users in the dangers of phishing and social engineering. One attendee, PhishMe, claims to be the market leader in launching spoof phishing attacks on its customers with the aim of singling out the most vulnerable employees for special training. Another, Exonar, provides consultancy services with a similar aim.
Attackers will also probe web-facing applications and databases. Imperva has a long pedigree of providing web application/database firewalls to detect and block such attacks. It also monitors the use of privilege to make sure it is as expected; attackers often need to gain privileged access, or grant it to themselves, to achieve their goals. Another vendor, Zscaler, focuses specifically on tying down web-based risks, blocking dodgy URLs and keeping users focussed on their day jobs!
Tripwire focuses on change management, checking that updates being made to systems are as expected. More recently, through the acquisition of nCircle it has also moved into vulnerability scanning—making sure any known problems within infrastructure and application software are found and fixed. Meanwhile, the Israeli vendor Portnox’s product is in the resurgent area of network access control, ensuring devices requesting network access are compliant, behaving within the rules and are in the hands of known users.
Some malware will always find its way through. When it does, Bit9 can stop it. It is best known for whitelisting applications—that is, restricting what can run to an approved list. However, this also means it has a big role to play in forensics and compliance reporting, as it claims to be able to keep a record of everything that has ever happened on managed endpoints over a given period of time.
When it comes to the exfiltration of data, to keep stuff safe it helps to know what is important in the first place. That is a role played by Mimecast; it is expanding its capabilities well beyond email management to other repositories, including cloud-based data storage services. It can run queries across all data under management, applying consistent security policies, and it too provides reports on who has been accessing what data for forensic and compliance purposes. Exonar’s Document Overshare product also finds and classifies data, whilst its In-Flight module looks at what is being done with data.
When it comes to storing and transmitting data, there to remind us all of the importance of encryption was Voltage. It uses identity-based encryption (typically keyed on an email address), which saves having to issue certificates and keys. It also does data masking, which can actually protect data in use; that is a powerful capability, as attackers try to get round encryption through the use of memory scraping.
On day two of the forum we met the chief information security officers (CISOs). Among the things they were fretting about were 'big data management', protecting open supply chains (especially with lots of SMBs involved), the fallibility of passwords, identity management (users, devices and applications) and skills shortages. The vendors present all had stories to tell that could help the CISOs counter these issues at some level.
At one point the CISOs were asked to cite a time security had added value rather than just mitigated risk. One answered, “every time we trade online we have achieved a security success”. ISACA had reminded us all the day before about this; its new COBIT 5 standard includes modules focused on both risk and value, called RiskIT and ValIT.
No one is going to put the internet genie back in the bottle, so all security vendors have the potential to share in the on-going opportunity to make a highly connected world safer. However, they should not forget that this is as much about ensuring the value of IT as it is about mitigating the risks. Many could also hone their marketing messages to be a bit less generic and a little more concise.