The ZeuS bot illustrates a troubling fact about IT security—despite the $13.5 billion spent on security software worldwide last year, companies are losing the battle.
The number of attacks classified as “highly skilled” is rising rapidly, and the data under attack now include formulas, product plans, personally identifiable Facebook details, and even blackmail material, for example the potentially embarrassing search terms executives enter into their browsers.
Botnets have been part of the lexicon for a couple of years now, but recent media attention and actions by companies like Microsoft to shut down large botnets such as Waledac underscore the fact that organizations have done little to limit either the proliferation or the damage caused by these invaders.
One of the reasons for this is the way companies approach IT-related risk.
In a recent survey by ISACA, a global non-profit association of 86,000 IT professionals, the most common reason for practicing IT risk management was regulatory compliance (28 percent), versus more strategic drivers such as improving the balance of risk taking with risk avoidance to improve return (8 percent).
Computer security is an excellent illustration of compliance-driven risk management.
Botnets generally operate using a single application or family of applications that is placed on the computers of unsuspecting users through e-mail payloads or invisible downloads from infected web sites.
Unfortunately, botnet malware such as ZeuS changes constantly, so it is often invisible to tools including intrusion detection systems and anti-virus solutions.
So does the existence of botnets mean that your company should completely give up on anti-virus and anti-spam software, and unplug your firewall?
Not at all.
These traditional tools are still important because they offer protection against the constant barrage of low-level, opportunistic threats that are part of the Internet landscape.
To provide the best protection for your organization, your IT team members need to change the way they think about network security monitoring.
Here are a few best practices for managing risk in a world of 24/7 security compromises:
Think outside the compliance box. Many organizations use frameworks such as ISACA’s COBIT to define and manage their security controls. Although ISACA recommends continuous monitoring, security and audit staff typically review these controls frameworks only quarterly or annually in order to put a checkmark beside compliance. Ideally, they should switch to a governance process that lets them perform continuous monitoring of controls, especially those shown to have a high impact on the success of the security program.
Know your network. It seems simple to say, but your IT department members can’t know when unusual traffic crosses the network if they don’t understand the true content and context of network communications. Their job is to recognize botnet traffic and other advanced threats before damage occurs. The middle of an attack is the worst time to start network monitoring, since illicit traffic is already in the mix. To solve this problem, organizations should use real-time network forensics technologies, which will provide situational awareness and continuous monitoring.
Increase training levels. Many of those working in security operations come from a network or system administrator background. Although this provides a good technical underpinning, successful organizations are shifting network security training to focus on areas such as cyber threat analysis and network intelligence. Advanced tools such as real-time network forensics require familiarity with new methodologies for network analysis and controls verification based upon threat intelligence workflow.
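The "know your network" advice above rests on a simple idea: learn what normal outbound communication looks like before an incident, then watch continuously for traffic that falls outside it. The following Python script is an added illustration of that approach, not code from the article or from NetWitness. It learns a baseline of (destination, port) pairs from a known-good window of flow records, then flags two things in a live window: connections to destinations never seen before, and near-constant-interval connections to one host, the regular "check-in" rhythm of a bot polling its controller that signature-based tools miss when the malware itself keeps changing. All hosts, timestamps and thresholds are constructed for the example.

```python
"""Baseline-and-deviate monitoring over constructed network flow records.

Added example (not from the article): learn normal outbound traffic, then flag
new destinations and regular beaconing. Hosts, times and thresholds below are
constructed for illustration; adjust them to a real environment's data.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    ts: int       # seconds since epoch (constructed)
    src: str      # internal host that opened the connection
    dst: str      # destination host or IP
    dport: int    # destination port
    nbytes: int   # bytes sent by src


def learn_baseline(flows):
    """Record every (dst, dport) pair seen during a known-good window."""
    return {(f.dst, f.dport) for f in flows}


def find_new_destinations(flows, baseline):
    """Return flows to a (dst, dport) pair that the baseline never saw."""
    return [f for f in flows if (f.dst, f.dport) not in baseline]


def find_beacons(flows, min_count=5, max_jitter=0.1):
    """Flag (src, dst, dport) tuples whose connection intervals are near-constant.

    jitter = stddev(interval) / mean(interval). Human browsing produces bursty,
    irregular intervals; a bot polling its controller on a timer does not.
    Returns a list of ((src, dst, dport), mean_interval_seconds).
    """
    times_by_key = defaultdict(list)
    for f in flows:
        times_by_key[(f.src, f.dst, f.dport)].append(f.ts)
    beacons = []
    for key, times in times_by_key.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append((key, round(avg, 1)))
    return beacons


# --- constructed sample data -------------------------------------------------
# Known-good window: internal hosts talking to mail, web and the local resolver.
BASELINE_FLOWS = [
    Flow(100, "10.0.0.5", "mail.example.net", 443, 2200),
    Flow(160, "10.0.0.5", "www.example.org", 443, 8100),
    Flow(170, "10.0.0.9", "www.example.org", 443, 5400),
    Flow(175, "10.0.0.9", "10.0.0.2", 53, 80),
]

# Live window: the same legitimate traffic, one genuinely new destination that an
# analyst would review (a software-update host), and a timer-driven check-in
# from 10.0.0.5 to an unknown host every ~60 s.
LIVE_FLOWS = [
    Flow(1005, "10.0.0.9", "www.example.org", 443, 5100),
    Flow(1012, "10.0.0.9", "www.example.org", 443, 900),
    Flow(1090, "10.0.0.9", "www.example.org", 443, 3300),
    Flow(1400, "10.0.0.9", "www.example.org", 443, 7600),
    Flow(1402, "10.0.0.9", "www.example.org", 443, 200),
    Flow(1500, "10.0.0.5", "updates.example.com", 443, 4000),
    Flow(1000, "10.0.0.5", "203.0.113.7", 8080, 310),
    Flow(1061, "10.0.0.5", "203.0.113.7", 8080, 305),
    Flow(1119, "10.0.0.5", "203.0.113.7", 8080, 312),
    Flow(1180, "10.0.0.5", "203.0.113.7", 8080, 308),
    Flow(1241, "10.0.0.5", "203.0.113.7", 8080, 311),
    Flow(1299, "10.0.0.5", "203.0.113.7", 8080, 309),
]


def run_example():
    """Apply both checks to the constructed live window and return findings."""
    baseline = learn_baseline(BASELINE_FLOWS)
    return {
        "new_destinations": find_new_destinations(LIVE_FLOWS, baseline),
        "beacons": find_beacons(LIVE_FLOWS),
    }


if __name__ == "__main__":
    result = run_example()
    for f in result["new_destinations"]:
        print(f"NEW DESTINATION  {f.src} -> {f.dst}:{f.dport} at t={f.ts}")
    for (src, dst, dport), interval in result["beacons"]:
        print(f"BEACONING        {src} -> {dst}:{dport} every ~{interval}s")
```

The two checks are deliberately separate: the update host shows up only as a new destination (a one-off, to be reviewed and added to the baseline if legitimate), while the unknown host trips both checks, which is the combination worth escalating. Neither check depends on a malware signature, so they keep working when the payload changes; what they do depend on is having captured the baseline before the attack, which is the article's point about starting monitoring early.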
Known botnets like ZeuS are the tip of the iceberg—they represent only one small aspect of the advanced threat landscape.
Modern advanced threats funded by organized criminals and nation-sponsored groups will leave traditional security approaches increasingly less capable of keeping up.
Financial systems, intellectual property, and personal information can be put at risk by a single significant security breach.
This risk makes situational awareness critical as organizations seek to protect themselves, their customers and their partners from the threats of the modern Internet.
Eddie Schwartz is a member of global information systems association ISACA, and the chief security officer of NetWitness. Schwartz has served on the review committees for ISACA publications, such as the Guide to Information Security Governance, and speaks regularly at ISACA conferences and other international industry events.