www.expresscomputeronline.com WEEKLY INSIGHT FOR TECHNOLOGY PROFESSIONALS
18 January 2010  
By Invitation

The case for the defence

Securing the foundation of the Internet business platform

The Internet may be today's most crucial enterprise productivity tool. However, unfettered use of this business platform can endanger an even more critical business asset—an organization's essential information. Information at immediate risk ranges from sensitive intellectual property to financial statements to customer and employee data. Security managers must shift their protection emphasis from guarding against inbound attacks at the infrastructure level (a model suited to perimeter boundaries and the Internet as a simple content resource) to guarding essential information against blended threats and accidental or malicious loss, in tune with Web 2.0 and the Internet as a business platform.

The requirements for Web security, email security and data loss prevention have changed.

Today, the Internet touches every facet and asset of business. Efficient organizations rely heavily on the Internet as a business platform, through software-as-a-service and Web-based applications, remote workplaces and extended partner ecosystems. This Web 2.0 platform supports competitive advantage and Employee 2.0, the anywhere, anytime, always-connected worker.

Yesterday's enterprises locked precious source code, proprietary research, financial statements and personally identifiable information inside secure servers or behind isolated network segments. Progressive enterprises now let this essential information flow freely within and beyond their boundaries.

For security managers, the Internet platform is both friend and foe. Web 2.0 allows collaboration and exchange of information, and companies that close the door on the opportunities offered by Web 2.0 risk losing their competitive edge. But Web 2.0 also introduces an entirely new type of risk, with Internet-enabled threats that take full advantage of new technologies and vulnerabilities.

These threats no longer focus on either the core or the extended edge of the network; instead, they use Web 2.0 and converged communications to integrate invisibly with day-to-day operations.

The risks are not all from the bad guys or from the outside, either. The openness of the Internet platform has also increased the risk from the inside. Whether opening up liability issues with inappropriate content, reducing productivity or allowing accidental and malicious loss of essential business information, Internet-enabled risks are forcing security managers to deal with more than just black or white security issues.

To keep up with these changes, data and network protections must evolve as well. Defenses built on a single approach, whether at the network or on the endpoint, signature-based or behavior-based, good site or bad site, simply will not guard against these threats. Worse, these approaches use a simplistic "on or off" model of access and blocking that can cripple the Internet business platform. No enterprise can just turn the Internet off. The Internet is a business tool that must be managed and appropriately protected, like every other significant asset in the business. Security managers must find a way to say 'Yes' to these advances with the confidence that the company's essential information is safely guarded.

Appropriate Protection for Essential Information

Application of appropriate protection is both critical and subjective. Each business must protect its sensitive information and workflows in ways that match its environment, risks and risk posture. Let's consider today's challenges and remedies.

Can sensitive and regulated data be identified and its loss prevented?

The situation: Data is the currency of organizations today. It is stored in, and accessed from, databases, document repositories, file shares, end-user file systems and portable storage. It is exchanged inside the organization and shared outside with vendors, partners, end-users, consumers, the government and many other constituents.

The problem: Data is often stored, used and exchanged inappropriately. It is also increasingly the target of attack and theft. Failure to protect data results in risks of non-compliance, fines, lawsuits, loss of competitive advantage, brand damage and even violations of national security. The proliferation of Web-based applications and information exchange compounds these risks.

Today's response: Traditional data loss prevention tools rely on simplistic ‘on or off’ controls based on primitive data identification. For instance, basic keyword matching can result in false positives or multiple matches that do not constitute actual violations. Yet these results trigger blocks on transmission or collection of files. Blocking data in motion or removing data at rest with this false-positive-laden approach literally brings the flow of information, and, by extension, the business, to a halt.

In addition, these on or off solutions typically have no concept of business workflow or policies that can adapt controls to match changing business needs.

Can IT managers say Yes to blogs?

The situation: Blogs are a great Web 2.0 example of information exchange and user-generated content. Blogs can help a financial organization discover companies to invest in, a media company to gather storyline ideas or a technology company to search for market opportunities and drive brand awareness.

The problem: Exchanging innocent information is fine, but no entity wants its users to be compromised by vulnerabilities on a blog, bring inappropriate content into the organization, waste time, or worse, post sensitive client information, new storylines or intellectual property. These issues mean liability for the organization.

Today's response: Traditional content and network security can only respond by turning off blog communication wholesale or leaving it on with the uncomfortable knowledge of unmitigated risk. This heavy-handed response does not match business needs for information exchange and modern tools.

Can tools accurately differentiate good Web 2.0 from bad?

The situation: Web 2.0 is very different from the world of informational sites in simple content categories. Web 2.0 uses dynamic programming to build unique Web pages that present different content to suit the moment, history and attributes of the user. This Web is not just about the coffee break visit to MySpace, but about commercial sites (Wikipedia, LinkedIn, YouTube and Google) that support legitimate research and business operations.

The problem: Changes in Internet technologies make it possible for criminals to target essential information and invite accidental disclosure. Along with acceptable and "safe" content, Web 2.0 sites can also readily host transitory malware and spiked user-contributed content that's unmonitored and unregulated. There is no "click to accept" button to alert users. Corrupt links, malicious widgets and embedded scripts introduce malware within content and within pages. Users visiting benign sites can be redirected to sites that scan the user's computer for sensitive data, passwords and vulnerabilities.

Today's response: Today's responses rely on traditional concepts of blocking based on good or bad sites. This fails to keep up with the pace of change and vulnerability at the content level. Adding reputation is not enough to address content-based threats. For example, the reputation of MySpace varies depending on the content being served on each page, and when good sites such as MSNBC are compromised at the content level, reputation is irrelevant. Unless such content becomes part of a granular understanding of the overall site and its respective classification, traditional solutions over- or under-block and cannot facilitate safe business use of the Web.

Can solutions protect users and data from blended email and Web 2.0 attacks?

The situation: Email and Web applications have become tightly entwined in webmail and email with HTTP content. These communication channels also serve other enterprise applications like ERP and CRM, especially in hosted services. Converged communications streamline workflows, reduce error and enable non-stop operations.

The problem: Today's commercial crime rings combine spam, email and application channels in cross-channel techniques. For example, one type of inbound blended threat uses email to lure viewers to counterfeit URLs, or even to known good URLs that have been compromised with rogue code to capture email passwords and plant key logging software or Trojans. What is most dangerous is that this malware can be tailored to steal specific data of high value to the individual and the enterprise. These targeted compromises often go unnoticed, especially on niche industry sites.

Today's response: Most enterprises still protect each communication channel and direction with independent outbound email and data content filters, inbound filtering of spam and viruses and blocking of inappropriate and malicious URLs. These separate silos look at the URLs or the email headers, but not both, and they rarely pay attention to the data itself or proactively block its outbound transmission. They react based on a historical view of threats built on outdated inspections, signatures, reputation and behaviour. Blended threats easily bypass these inspections by morphing and moving around the Web while stealing data.

These examples illustrate the complexity and difficulty of protecting the Internet platform. Traditional solutions have proven inadequate, judging by a 2008 IDC survey on top network security threats. With inadvertent data loss at the top of the list for the first time, security managers now worry most about:

  • Employees inadvertently exposing sensitive data
  • Trojans, viruses, worms and other malicious code
  • Spam
  • Data stolen by employees or business partners
  • Hackers

Passage to ruins

Information leaks through seemingly innocuous channels can cost a company millions, as some of these figures show:

  • $400 million - The value of trade secrets stolen by a DuPont scientist for a Chinese rival.
  • Japanese officers, who should never have had the data in question on their systems, downloaded classified data about the United States Aegis missile defense system in an exchange of porn.
  • An AMA survey said 18 percent of companies block employee visits to external blogs. Why do enterprises care? Cisco was sued based on an employee's external blog.
  • Among 26,000 sites compromised by a search engine exploit, MSNBC was hacked just before broadcasting the March 2008 NCAA college basketball tournament.
  • March 2008: The large Hannaford Brothers supermarket chain was sued after network intrusions may have compromised 4.2 million credit card records.

New Requirements

Security defenses must shift the protection emphasis from guarding infrastructure from inbound attacks (a model suited to perimeter boundaries and the Internet as a content resource) to guarding essential information from outbound data loss, in tune with Web 2.0 and the Internet as a business platform. Instead of working in silos, protections must collaborate across application channels, inspection techniques and usage perspectives. Through collaboration, tools can examine both content and context in real-time to accurately identify and block sophisticated threats.

For long-term success, two constituencies must be satisfied: risk managers and end-users. Risk managers want visibility and reliable control over data loss. End-users want to stay productive and effective. End-user needs cannot be trivialized. Frustrated (or malicious) users will find ways to circumvent tools or insist blocking rules be tamed to the point of irrelevance. With these demanding audiences, solutions must adapt efficiently to both threats and business requirements.

Accuracy and context are central to success. Accurate identification requires deep analysis of content and data, both externally, on the Internet, and internally, traversing the network and on corporate systems and servers. Accuracy must be maintained as the data and content are used and edited, on websites and in enterprise applications. Given the pace of content change (constant and instant), accurate identification requires significant computing and research resources, as well as sharing of threat information to detect threats that cross communication channels: "There's malware in your spam," "There's a spammer on that website," or "That data cannot be posted to that blog or emailed to that address."

Acknowledging context requires solutions to consider multiple aspects of usage before acting. Instead of thinking about technology channels (Is this email? Is this a website?), tools must move to assessing the content and the data, as well as the context of its use: Who is the user? What is the data type? What are the communication channels and applications being used in the workflow? This broader perspective creates a more nuanced and accurate protection system than the sledgehammer, all-or-nothing approach of the past. Incorporation of context makes assessments relevant and controls meaningful.

A key aspect of context is the Internet itself. Is the Internet destination valid for the business, or does it compromise regulatory compliance, security or proprietary business information? This contextual knowledge combines knowledge of the Web with knowledge of threats to flag risky destinations, clarify spam addresses and detect inappropriate transmissions. Organisations can make better decisions about the risk of access or the risk of information exchange.
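The keyword-guessing problem from the data loss prevention passage above, and the context questions just raised (who is the user, what is the data type, which channel and destination), as an added Python illustration; this is not code from the whitepaper or from Websense, and the Luhn check, the role, channel and destination labels and the three-way verdict are my own assumptions:

```python
import re
from dataclasses import dataclass

# Constructed sample classifier: naive keyword guessing (the approach the article
# criticises) beside pattern matching with validation, followed by a context-aware
# decision that is more than "on or off".

# 13-16 digits, optionally separated by spaces or dashes (assumed card format)
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects order numbers and other digit runs that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def naive_keyword_hit(text: str) -> bool:
    """Keyword guessing: fires on any mention of 'card' or 'account', whatever the data."""
    return any(word in text.lower() for word in ("card", "account"))


def find_card_numbers(text: str) -> list[str]:
    """Accurate identification: digit pattern AND checksum, so 'account' alone is not a hit."""
    found = []
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


@dataclass
class Context:
    user_role: str     # assumed labels, e.g. "finance", "engineering"
    channel: str       # "email", "blog_post", "webmail"
    destination: str   # "internal", "partner", "public_web"


def decide(text: str, ctx: Context) -> str:
    """Context-aware verdict: allow, allow_and_log, or block (assumed policy)."""
    if not find_card_numbers(text):
        return "allow"                      # nothing sensitive identified
    if ctx.destination == "public_web":
        return "block"                      # a blog or public site is never a valid destination
    if ctx.user_role == "finance" and ctx.channel == "email":
        return "allow_and_log"              # legitimate workflow: allowed, recorded for the risk manager
    return "block"
```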

Applying these requirements for accurate identification and context-aware responses, the table below summarizes characteristics that mark the shift from a security framework that is infrastructure-based to one that is information-based.

Solution Requirements to Protect and Enable the Internet Business Platform

Characteristics:

  • Incorporates Web, email and data loss controls for full coverage.
  • Inspects inbound and outbound data flows of multiple channels.
  • Combines multiple detection, identification and classification techniques.
  • Incorporates two-way knowledge of users, data, channels and Internet destinations.
  • Provides simple mechanisms for quickly deploying accurate policies and gaining visibility, with flexibility to adjust and layer additional controls and processes as risk is understood.
  • Despite the dynamic nature of content and data, establishes lasting association of policies with users, data, destinations and communication channels.

Examples

Data Loss Prevention: The solution should be able to accurately identify information across data at rest in repositories and file systems; data in motion within and outbound from the organization; and data in use in applications at the endpoint. The solution should also be able to understand what that data means in terms of regulations, proprietary data and internal policies, and allow tuning of policies to business processes. At the same time, it should be able to apply consistent policies and enable workflows that range from incident management, automated incident response and notification to summary and detailed reporting.

Content, Information and User-Aware Blogging: The solution should understand the category of the blog, be able to identify the user and identify the data in real-time, with enough accuracy to be able to block posting of any information that is too private. By correctly classifying the host site, reputation and actual content of a blog, the solution should prevent the compromise of users and systems or inappropriate access to the blog.

Web 2.0 Threats: The solution should be able to understand websites, Web content, applications and malware beyond reputation alone, considering usage and Internet context for a real-time risk assessment. Only with this level of understanding can threats be blocked accurately and in real-time. Even if a well-known and trusted site with a good reputation were compromised, the threat would be prevented.

Blended Web and Email Threats: A solution should be able to identify links in an email and trace them back to malicious sites or content. Based on this accurate identification, solutions should be able to act in real-time to block the email and any other attempts to access that website, view content or transmit data to that destination.

Although today's Internet is business-critical, its use endangers essential business information, from proprietary formulas and source code to business plans and customer lists. Converged email and Web threats fueled by Web 2.0 technologies now employ surreptitious maneuvers to circumvent traditional protections.

To ensure risk mitigation keeps in step with the threat climate, enterprises must rethink their approaches to Web, messaging and data security. Instead of thinking about technologies, organizations must think about data. It's all about the data. How is it used? Who is using it? Where and when is it safe to use? Who can receive it? Which channels can safely send it?

This data-driven view means that, rather than investing in protection silos with limited coverage, enterprises will merge defenses across the technologies, the communication channels and the applications through which data is transported and utilized. This integration increases the accuracy of detection and the quality of response. More than just proactive enforcement, this integration provides appropriate protection, because it allows the use of context to understand legitimate business uses and adapt responses. By protecting sensitive data, the essential information of each business, organizations can both embrace and defend the Internet business platform.

This article has been excerpted from a Whitepaper by Websense titled ‘Protecting Essential Information’. Copyright Websense.
