ITProPortal spoke to Brian Foster, the CTO of Damballa and a veteran of Symantec and McAfee about what the new landscape of security will look like going into the future, and why third parties could be the weak link in your business' security.
How can third parties damage your security?
I think the important thing to understand is that the future of security will come from the network and from the cloud.
I'll give you a couple of anecdotes. One of our clients was a financial company who had their auditors come in to look at the books and whatever, and what they found was that 100 per cent of their auditors' laptops that were connected to the network were infected. So these people were connecting to their network, and these infections were able to transfer on to their network from their own auditors.
Another example is a large retailer, with a couple of thousand stores around the world. And we did a proof of concept where we saw that a lot of the photo kiosks in the stores were infected. And as we dug into these photo kiosks, we found that they weren't owned by the large company – they were placed there by a popular photo brand, and still belonged to that company, but were connected to the store's network.
They didn't have security or whatever else, and we found that 100 per cent of those photo kiosks were infected with information-stealing malware. And that's where you put your credit card details, it's where you might put a DVD with photos of your family on to get them printed.
These are just two examples from all of these that we've seen. And it's almost as if these companies have a blind spot towards third parties, and what kind of security vulnerabilities they might be bringing in to your environment.
If you have networking, and you're allowing partners access to that network, you're increasing the risk of bringing in outside threats.
So what can businesses do to protect themselves?
There are a couple of things you need to do.
The most important one is you need a defined policy between you and your suppliers, and the third parties you're in contact with. You need to be clear what your requirements are around security, right down to the control level. Like anything, you have to trust, but you also have to verify.
There are also technology-side things that are important. Network segmentation is still important. Just because you're allowing third parties onto your network doesn't mean they should be able to see everything on that network. You have to understand what they need access to on your network, and only give them access to those areas they need. This means that if they do bring risk, they're only bringing risk to those parts of the network they have access to. Identity access control is also important for third parties.
Another solution is network access control. If a device wants access to your network, you have every right to interrogate that device, to see what that device is, and what risks it brings with it based on what operating system it runs, the patch level, the security controls that are there, etc.
People are always saying "the perimeter's gone," but I say the perimeter isn't gone, it's just moved. Now the perimeter's around each of us, and our connected devices.
Is this problem going to get worse as we move into the Internet of things?
Absolutely. Machine to machine introduces all kinds of different challenges. In the past, people were told to put antivirus on all their devices, but that model isn't going to work for the Internet of things.
People aren't going to go and download antivirus for their refrigerators and their toasters and their cars. The way we secure those things is that it happens in the network. You're going to have to, from a network perspective, protect yourself from these devices through network segmentation and network access control.
We also need solutions that use inappropriate signatures and communications to identify which devices in the Internet of things are behaving badly so you can treat them differently.
So is signature-based detection dead?
Signature-based detection isn't necessarily dead. It depends what you're using it for. There are still threats out there on the Internet that are more than ten years old. A good example is SQL Slammer, which must be 13-14 years old now. You still see that going around the Internet, and the most effective way of catching that is to have a signature for that.
But there are hundreds of new malware written every day. Signatures aren't going to catch them all, and you need behavioural detection and other types of approaches that don't rely on seeing the malware.