The Symantec Security Event, held in New Delhi and organized in collaboration
with Dataquest, had over 50 CIOs agreeing that a piecemeal approach to security
is a recipe for trouble; security policy-making has to take the macro
perspective into account and focus on its enabling function, not just its
preventive capacity.
No organization has been able to calculate the RoI on security with absolute
precision. Rather than looking at security purely from an RoI perspective, it is
better to look at it as an enabler. The prime objective of security investment
is to keep information out of the wrong hands. But security must also enable
the people who need that information to access it. Since security therefore
not only protects but also enables things that would not be possible otherwise,
it is advisable to break out of the RoI vice-grip when investing in security.
However, this does not imply that there should be no accountability for
security investments in an organization. One crucial responsibility for CIOs and
CXOs is to determine what qualifies as the right budget for security: what is
the optimum spend that gives the organization maximum protection without wasting
any of its resources? Some sort of RoI calculation can help in specific cases.
This is particularly true of domains like BPO, where SLAs play a much larger
role. There it is easier to put a figure on the cost of downtime, and in turn on
the need for security, in both quantitative and qualitative terms.
The Integrated Approach
It is vitally important for organizations to design an integrated approach
that covers not only network security but also perimeter and information
security. It is best to do this at the drawing-board stage, which gives the best
efficacy and efficiency, but in practice it rarely happens this way, because
organizations are largely reactive. In many cases some system is already in
place and CIOs look at integrating subsequent systems with the existing ones.
Even so, the integrated approach can be adopted holistically from the ground up:
understand the business process, define the security policies, identify the
relevant security products, and only then decide on the investments.
There are many products available on the network security side. But even where
information is protected on the network, a lot of data still exists in physical
form that is not protected, and in that case every effort to protect the digital
copy goes to waste. Overall planning should therefore include both aspects, not
just network security. Security policies and procedures are important, but they
should not become the be-all and end-all of security. Policies will always
exist, but they also have to be implemented, and this is where products come in.
Once policy and product are properly married, one derives the maximum benefit,
since a policy that is not enforced is of no use. Policies also need constant
updating to keep pace with change.
Internet Protection Technologies
Generic Virus Throttling
Just as only a properly shaped key opens a particular lock, only properly
shaped code can exploit a particular vulnerability. Once the vulnerability is
known, and with it the shape any exploit for it must take (for instance, an
over-long field in a particular protocol message), that shape can be used as a
signature to scan network traffic and block the worm. Because the signature
describes the vulnerability rather than one worm, entirely new worms that exploit
the same vulnerability can be blocked immediately, before a worm-specific
signature exists. But not all vulnerabilities are that simple: many can be
reached through several vectors or encodings, which makes it much harder to
write a signature that covers all of them without also blocking legitimate
traffic.
Protocol Anomaly Detection
The idea here is to intercept data at the gateway, and perhaps at key hosts,
and admit only traffic that conforms to the relevant Internet standards (HTTP
and the other RFC-specified protocols); anything malformed is treated as
anomalous and dropped. With new protocols and protocol extensions emerging
every day, keeping pace is difficult, and parsing every stream in detail at the
gateway takes complex algorithms and processing capacity.
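The two gateway techniques above can share one inspection path: a strict parser that rejects anything outside the protocol grammar (protocol anomaly detection), plus a rule that describes the vulnerability's shape rather than any particular worm (the key-and-lock idea under Generic Virus Throttling). The following is an added example, not code from the article or from any Symantec product; the buffer sizes in VULN_FIELD_LIMITS, the header names it watches and the sample requests are all constructed for illustration.

```python
"""Gateway-side inspection of one HTTP request, combining strict protocol
parsing (protocol anomaly detection) with a vulnerability-shaped rule
(the key-and-lock idea described under Generic Virus Throttling).
Added example: the buffer sizes, header names and sample requests are
constructed for illustration and do not come from the article or any
Symantec product."""
import re

# RFC 7230 section 3.1.1 request line: method SP request-target SP HTTP-version.
REQUEST_LINE = re.compile(rb"^([A-Z]{1,16}) (\S{1,2048}) HTTP/(1\.[01])$")
# RFC 7230 section 3.2 header field: token ":" OWS value OWS (value may be empty).
HEADER_LINE = re.compile(rb"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+):[ \t]*(.*?)[ \t]*$")
KNOWN_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE",
                 b"OPTIONS", b"TRACE", b"CONNECT"}

# Vulnerability-shaped rules. Hypothetical: the protected server copies these
# header values into fixed buffers of the given sizes, so any value longer than
# the buffer is "the shape of the key" for that bug, whichever worm sends it.
VULN_FIELD_LIMITS = {b"host": 255, b"user-agent": 512}


def inspect_request(raw: bytes) -> tuple[str, str]:
    """Return ("allow", "") or ("block", reason) for one raw HTTP request."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ("block", "request head not terminated by CRLF CRLF")
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return ("block", "request line does not match RFC 7230 grammar")
    method, version = m.group(1), m.group(3)
    if method not in KNOWN_METHODS:
        return ("block", "unknown method %r" % method)
    seen_host = False
    for line in lines[1:]:
        # Protocol anomaly: header bytes outside ASCII, or an embedded NUL.
        if not line.isascii() or b"\x00" in line:
            return ("block", "non-ASCII or NUL byte in header block")
        h = HEADER_LINE.match(line)
        if not h:
            return ("block", "malformed header line %r" % line[:40])
        name, value = h.group(1).lower(), h.group(2)
        if name == b"host":
            seen_host = True
        # Generic exploit blocking: match the vulnerability's shape, not a worm.
        limit = VULN_FIELD_LIMITS.get(name)
        if limit is not None and len(value) > limit:
            return ("block", "%s value is %d bytes, vulnerable buffer is %d"
                    % (name.decode(), len(value), limit))
    if version == b"1.1" and not seen_host:
        return ("block", "HTTP/1.1 request without Host header")
    return ("allow", "")


# Constructed sample traffic (not captured data).
SAMPLES = {
    "benign": (b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n"
               b"User-Agent: Mozilla/5.0\r\n\r\n"),
    # A never-seen worm: its payload bytes are unknown to us, but its shape
    # (an over-long Host value) is exactly what the vulnerable buffer forbids.
    "new_worm": b"GET / HTTP/1.1\r\nHost: " + b"A" * 4000 + b"\r\n\r\n",
    "anomaly": b"GET / HTTP/1.1\r\nHost: x\r\nX-Junk\x00: \xff\xfe\r\n\r\n",
    "bad_method": b"FOO / HTTP/1.1\r\nHost: x\r\n\r\n",
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        print(label, inspect_request(req))
```

The "new_worm" sample is blocked by the Host-length rule without the gateway knowing anything about that worm's bytes, which is the whole point of a vulnerability-based signature. The cost is visible in the same function: every rule is one more field the gateway has to parse in full, and a multi-vector vulnerability would need a rule per vector (and per encoding of that vector) before the signature is complete.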
Behavior Blocking
This intercepts the behavior of programs at the operating-system level (the
API and system calls they make) and blocks malicious behavior in real time. It
is the last strategy to be adopted: by this point the virus is already loose on
the machine, and the aim is to minimize the damage and restrict the infection by
blocking the point at which the virus tries to dock onto the system. It is a
good technology, but hooking APIs and stopping a program mid-execution can
interfere with legitimate software, so it does not always work cleanly.
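As an added example of what such a behavior blocker does (this is illustrative code, not the article's or any vendor's implementation), the following judges each intercepted call as it arrives and refuses a process once its call sequence matches a docking pattern. The event shape, the rule thresholds, the directory and registry paths watched, and the sample trace are all constructed; a real product would receive the events from a kernel driver or API hook.

```python
"""Host-side behavior blocking over a stream of intercepted API calls.
Added example, not from the article: the event shape, the rule thresholds
and the sample trace are constructed. In a real product the events come
from a kernel driver or user-mode API hook, and decide() runs before each
call is allowed to complete."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Event:
    pid: int
    op: str      # "file_write", "reg_set" or "net_connect"
    target: str  # file path, registry key, or host:port


@dataclass
class ProcState:
    wrote_exe_to_system: bool = False
    set_autorun: bool = False
    fanout: dict = field(default_factory=lambda: defaultdict(set))  # port -> hosts
    blocked: bool = False


SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")
AUTORUN_KEYS = ("hkcu\\software\\microsoft\\windows\\currentversion\\run",
                "hklm\\software\\microsoft\\windows\\currentversion\\run")
SCAN_THRESHOLD = 5  # distinct hosts on one port before we call it propagation


class BehaviorBlocker:
    def __init__(self) -> None:
        self.state: dict = defaultdict(ProcState)
        self.log: list = []  # (pid, reason) for every process we shut down

    def decide(self, ev: Event) -> str:
        """Return "allow" or "deny" for one intercepted call, in real time."""
        st = self.state[ev.pid]
        if st.blocked:
            return "deny"  # once caught docking, every later call is refused
        t = ev.target.lower()
        if ev.op == "file_write" and t.startswith(SYSTEM_DIRS) \
                and t.endswith((".exe", ".dll")):
            st.wrote_exe_to_system = True
        elif ev.op == "reg_set" and t.startswith(AUTORUN_KEYS):
            st.set_autorun = True
        elif ev.op == "net_connect":
            host, _, port = t.rpartition(":")
            st.fanout[port].add(host)

        reason = None
        # Docking: drop a binary into the system directory, then persist it.
        if st.wrote_exe_to_system and st.set_autorun:
            reason = "system-directory executable drop followed by autorun key"
        # Propagation: the dropping process fans out across the LAN on one port.
        elif st.wrote_exe_to_system and any(
                len(hosts) >= SCAN_THRESHOLD for hosts in st.fanout.values()):
            reason = "system-directory executable drop followed by host fan-out"
        if reason:
            st.blocked = True
            self.log.append((ev.pid, reason))
            return "deny"
        return "allow"


# Constructed trace; order matters because each call is judged as it arrives.
SAMPLE_TRACE = [
    Event(100, "file_write", r"C:\Users\ann\Documents\report.docx"),
    Event(100, "net_connect", "mail.example:25"),
    Event(4242, "file_write", r"C:\Windows\System32\svch0st.exe"),
    Event(4242, "net_connect", "10.0.0.1:445"),
    Event(4242, "net_connect", "10.0.0.2:445"),
    Event(4242, "net_connect", "10.0.0.3:445"),
    Event(4242, "net_connect", "10.0.0.4:445"),
    Event(4242, "net_connect", "10.0.0.5:445"),   # fifth host: denied here
    Event(4242, "reg_set", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svch0st"),
]


def run_trace(events: list) -> tuple:
    """Feed a trace through a fresh blocker; return (decisions, blocker.log)."""
    blocker = BehaviorBlocker()
    return [blocker.decide(e) for e in events], blocker.log


if __name__ == "__main__":
    for ev, verdict in zip(SAMPLE_TRACE, run_trace(SAMPLE_TRACE)[0]):
        print(ev.pid, ev.op, verdict)
```

Two things the trace makes visible. First, the worm's first few calls are allowed: the blocker can only act once a sequence becomes recognisably malicious, so by design it limits damage rather than preventing the initial foothold. Second, an installer that legitimately drops a DLL into System32 and adds a Run key would trip the same rule, which is the interference with legitimate software noted above; and the blocker only sees the calls it hooks, so anything that reaches the kernel by a path it does not intercept goes unjudged.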