Security intelligence

IBM hosted a round table discussion on IT security intelligence with participants from across a number of sectors. The discussion focused on the growing challenges around IT security and what issues managers should focus on to protect their organisation’s systems and data.

What are the major challenges facing your organisation with regard to IT security?

Seamus Doyle

Education of the users, particularly the senior executives. Everybody would like security to be a functional or IT problem but security is everybody’s problem. And also being able to assess what happens if I have a security breach and how to contain and fix it.

Chris Meenan

IBM has research teams that track every major breach and we find that attackers are now very targeted. They are very specific about the organisations and people that they target – people’s weaknesses are now the open door that attackers use to get in. People make mistakes, use the same password all the time and click on things they shouldn’t click on, and it’s almost as if people are looking at IT software and security to balance that lack of education.

David Bryce

We used to have an encrypted corporate PC: two-factor authentication to get into the VPN, all the USB ports locked down and internet access through our filters. We did our best to protect people from themselves so they were constrained in what they could do. We’re now rolling out mobile devices and we’re under pressure not to take that approach. We’re moving from “here’s the security policy, we will lock this down, you will do this” to a situation where the user is being asked to take personal responsibility for their behaviour.

The consumer devices that people want to use, like iPads, don’t really let you do that even with a mobile device management platform. The business wants to give people that flexibility but it comes with a risk; the argument is that the risk is worth having for people to be able to be innovative.

The staff member will have a personal security policy document that they will sign before they get a device. We’ve been rolling out some of these iPads with a relatively small number of users. There’s also an issue about perceived ownership and what the user can do with a device. Senior business leaders do not generally understand the severity of the threat environment but they do if the systems go down.

Seamus Doyle

We have a duty and obligation to ensure that our board and executive understand their responsibility on security in the same way that they do with finance and governance. I have formally briefed my executive committee and board on the 20 critical security controls that the Centre for the Protection of National Infrastructure [CPNI] recommend for water utilities across the UK and I go back to them on a regular basis, reminding them of their obligation.

David Crozier

As a centre charged with developing new technologies in this area, a lot of our programmes going forward will not only involve academics and researchers from our schools – electronic engineers and computer scientists – but also social scientists and psychologists. Solutions would previously have been technology solutions but the questions is now: “How can they take account of user behaviour?” Our research is taking account of very human traits, whether that’s just lapses in humans’ attention or employees getting disgruntled. How do we detect these behaviours not just in IT but also in access control? How can we reason with those behaviours and come up with an awareness of threat?

Peadar O’Byrne

I’m not sure that education helps. People who make decisions in organisations are generally non-technical and so there is an apathy about security. Security is not tangible – they can’t touch it, they can’t see it, it doesn’t appear on a spreadsheet or on a financial sheet therefore they don’t really take it seriously. There’s an inherent thought: “Security’s very important but how important?”

I get frustrated when I try to educate people on security because they tend not to listen all that much.

One day, for a particular company, I brought up their firewall on a screen for their management team and showed them the amount of hacks or potential breaches just through port scans.

And they were shocked because there were literally hundreds every minute and they couldn’t believe that they as a small organisation, sitting in the middle of Northern Ireland, could possibly attract any attention whatsoever. Give them examples and show them what it actually means to be attacked as an organisation.

Seamus Doyle

Our board, every month, has a standing agenda item on health and safety which has moved on immeasurably compared to where it was 20 years ago at board level.

Boards are getting there but unfortunately, in the Target episode in the US, the CIO was fired straight away, the CEO was tasked with cleaning up the mess before leaving. South Korea lost their whole national insurance number database. My executives were surprised when I told them that 95 per cent of the emails that hit us are spam. They get a monthly report from me that shows up those attacks and I go to the board quarterly to discuss information assurance.

David Bryce

The health and social care system has a big focus on information governance. Each organisation has a senior information risk officer and they have done a lot of work on that. What worries me is that gap between that and the technical security issue. There’s a perception that a hacker is a kid sitting in a room – the Hollywood stereotype – but many people don’t realise that this is a robotic, automated, industrial process and it doesn’t matter whether you’re small or big.

Is cloud making the challenge more difficult?

Peadar O’Byrne

For the general public, cloud means that they can go home and have an iPad or a wireless device and update their Facebook or look at YouTube in their living room while watching TV. That’s their first experience of a cloud service and where, in any of the cloud providers’ adverts, do they start to mention security? They don’t. They mention accessibility but very little of that headline space goes towards security. People are influenced by what they can do at home therefore they come to work and expect to see the same things. You need to make sure that the company or the organisation is not exposed.

Chris Meenan

There’s a balance between business pressure to roll out services and make them accessible for user communities and security which is, depending on the organisation, left to later on. A balance needs to be struck between the two because the more you lock down and the more security you put in, fundamentally the harder it is to do business today.

My sense is that the balance is still very much on the business side. Coming out of the recession, there’s a lot of focus on getting money and customers on board. We will see a right-sizing over the next few years, depending on the industry and some industries are definitely further ahead.

David Crozier

For some of the big clients we deal with, they can put a figure on breaches in terms of lost business as a result of a breach or maybe where they’ve been competing with other companies and the breach has resulted in their bid failing. How do you put a figure on security in utilities?

Seamus Doyle

The easiest way is Information Commissioner’s Office [ICO] fines and their reputational damage. And I can easily put a figure on a disruption to a water supply (per day) in Northern Ireland – from the freeze-thaw – and that wasn’t a full interruption.

There are numerous examples, unfortunately, across the UK of sensitive data getting out. It has always been thus but IT makes it easier to scale it up and I’m finding it easier to get senior executives’ attention.

Cloud providers have a larger security team but there are other downsides. They’re a bigger and more attractive target and I think that some of the more technical people don’t realise that the intellect and capital being expended by criminals is immense.

David Bryce

I would always have seen the largest threat as being the ‘hobby hacker’ – people who can find automated programmes to go off and see what they can get access to – but now there’s a more sinister element because the internet and the cloud is so prevalent. The phone hacking scandals and Apple iCloud downloading show the huge potential for it.

How do you see the issue of BYOD [bring your own device] evolving? And what are the security implications?

David Bryce

The tool sets that we have – theoretically – will manage BYOD. Where we are at the moment is trying to sort out a lot of those issues around corporately provided devices – and we have not yet rolled these out to a scale to see what those issues are. I think that will be the next stage.

Seamus Doyle

I don’t see a commercial driver for BYOD. There is a staff morale aspect to it but there is not a strong commercial driver for BYOD. At the moment, it is more trouble than it is worth. In the current technology refresh cycle that we are doing, there are good enough devices and direct access and Windows 8 are taking away a lot of the downside of corporate devices. I don’t see a move to BYOD – certainly within the next two years and perhaps not in my lifetime.

Chris Meenan

We see the counter side of that. IBM does BYOD and we see many organisations now supporting BYOD – and many organisations’ staff now demand it. The big difference with BYOD is that it is a device outside your corporate network most of the time. Therefore traditional firewalls, IPS or whatever security measures are not present. You get this with corporate devices but unlike people’s own devices they are usually used for checking emails and not for using things like Facebook and Twitter. As a technology provider, the challenge is how do you put stuff on that device that is within your security guidelines and also how do you spot malware on the device? Again, it is the issue of balancing business pressure and security.

David Crozier

If people are going to bring their own devices there are three things people are going to have to improve on: the authentication and verification of the user, which will be getting away from user names and passwords and using things such as biometrics; communication over untrusted networks, with encryption over WiFi and mobile data networks; and also how do we wrap applications in a secure way on unsecure devices so that other applications do not interfere with corporate applications? We are also looking at alternative ways of detecting malware.

Peadar O’Byrne

Personally I am not a big fan of BYOD – it is another buzzword, driven by a media message from some providers. From experience, once you move any data off the corporate network it is open to anyone – it is outside your control. I believe BYOD is going to become more popular but my view is that it is a dangerous thing. We have done it for clients but we provided a virtual desktop onto the device and no actual data moves onto the device – that is the only way I would recommend using your own device.

How have you approached giving remote access from mobile devices? How do you manage third party remote access?

Chris Meenan

A recent high profile break-in started with a breach in the company’s air conditioning partners system because that had weaker security practices. The hackers stole the air conditioning company’s credentials and then used them to log into the partner portal. We are seeing this approach more and more with many attacks starting in organisations once removed.

David Crozier

For the utilities, smart meters potentially open up access to their systems. We are talking to the companies making smart meters and that is a concern for them. There will be a node in homes and businesses.

Seamus Doyle

We are quite far behind on smart meters as we have no domestic billing in Northern Ireland and the rationale for us to implement smart meters is very low. The real business rationale for the power industry is about managing peak demand and reducing meter reading costs. All utilities have a rigorous air gap between their corporate network and their telemetry asset networks.

David Bryce

Bringing third parties into our system is via the NHS Net. That is an English NHS system which has a very rigorous accreditation process before they can connect to it. Typically, we are using a UK-based company providing an application and we bring them in via that accreditation process and that has worked well for us.

As regards mobile users, the mobile network coverage is a problem outside the metropolitan areas. Some of the trusts are pushing this hard but that is a real barrier.

Seamus Doyle

On the third party access issue, I think what is going to happen – when you have a corporate breach and it has caused you economic damage, you are going to go after your sub-contractors. It is by going after them and hurting them financially that their behaviour will change. The feedback loop will close: “Here is the contract and under its terms and conditions, you owe me money.”

What does that mean for compliance?

Chris Meenan

Our QRadar product has evolved over 10 years. Even today, in many organisations, compliance provides the budget vehicle for the purchase and that still is the main reason why funding becomes available for a lot of security products. Obviously those regimes that proved inadequate in protecting the organisation from getting breached. Are you expecting a compliance backlash now?

Seamus Doyle

A lot of the major breaches seemed to be detected by law enforcement, even for organisations that spend highly on internal security.

David Bryce

We’ve seen organisations of 5,000 people where the security team is in single digits – the actual team responsible for monitoring and managing security incidents is really very small. Our security manager is probably fed up with being perceived as a blocker but they think they’re there to enable people to do what they need to do in a safe way. Culturally, you have to get round that.

Seamus Doyle

They’re perceived in the same way as a dentist, to use a health analogy. They tell you how to keep your teeth cleaned and how you look after your gums and then, when you don’t do what they tell you, you have to come and get fillings and it’s all the dentist’s fault because it’s uncomfortable and sore. That’s how our security officers feel.

David Bryce

It’s been like that for about 20 years but it’s probably getting more like that as the pressure to give people mobility comes.

Chris Meenan

There’s been an evolution in security over the last five years driven by the increasing threat environment. Customers don’t generate an alert anymore because it happens all the time. There’s been an initial focus on getting visibility and bringing in new types of devices to deal with malware and spam attacks. There’s also an increasing focus on government risk and compliance reporting and a recognition that you can’t secure everything. People need to understand where their most significant business IT risks are located and the business impact of the incident.

What one area should managers and decision-makers focus on?

Seamus Doyle

Make sure you understand your responsibilities because in commerce, industry and the public sector, plausible deniability is no longer acceptable. Understand your responsibilities and ask the questions.

Chris Meenan

You absolutely have to have visibility – as to what’s going on in your infrastructure and what’s going in and what’s going out – because if you get breached, you need the data to go and understand what happened. You’re never going to find the breaches or understand their impact if you don’t have the visibility.

David Crozier

Compliance is only the starting point – it’s a baseline but you need to be aiming for compliance-plus in terms of security. Companies should try to aggressively hack their own systems and try and breach them in a controlled fashion before someone tries to breach them in an uncontrolled fashion. It’s especially important for companies trying to develop technology for other companies.

David Bryce

You need to be able to get your staff into a culture where they think about what they’re doing before they do it. The technology that you give them can assist them by being as safe as you can possibly make it. Those two things have to be at the top of the agenda.

Peadar O’Byrne

Whenever I talk to someone about security, my advice is quite specific: “How many different ways are there to access your email?” Of all the breaches I’ve seen over the last number of years, they nearly always centre around email. We don’t just use it for work anymore. We use it for everything. You’ve got passwords, credit card details and flight patterns in there. If it’s synching to your device and it’s not secure, your life’s not secure and therefore your business is not secure.

The Participants

David Bryce

David is the Assistant Director responsible for Information Technology Services within the Business Services Organisation. In this role, he has responsibility for the management and delivery of approximately 120 regional IT services. He has worked in health and social care IT for over 25 years in a broad range of areas including applications development, integration, technical support and data warehousing.

David Crozier

David is Technical Marketing Manager at Queen’s University Belfast’s Centre for Secure Information Technologies (CSIT) where he is responsible for marketing of commercial R&D, IP, MSc and membership programmes as well as planning its annual World Cyber Security Technology Research Summit. He previously held product management and pre-sales roles at Lagan Technologies and spent five years in systems engineering and security policy roles within the NIO.

Seamus Doyle

Seamus Doyle is currently CIO at Northern Ireland Water. Seamus has also served as IT Director with BT Ireland and Programme Director for BT Group. His responsibilities include IT operations and security, information systems development, systems design and information assurance. Seamus holds a bachelor’s degree in aeronautical engineering and a master’s degree in computer science, both from Queen’s University Belfast.

Chris Meenan

Chris Meenan is a Product Manager working on the QRadar security intelligence product within the IBM Security division. He has over 10 years’ experience in product management and has been involved in developing, managing, releasing and selling software products for over 20 years. Chris has an extensive knowledge in IT security, customer relationship management and telecom OSS solutions. Chris holds a first honours degree in physics and has a PhD in mobile satellite communications.

Peadar O’Byrne

Peadar O’Byrne is the Technical Director of the Xperience Group and is responsible for the cloud and ICT infrastructure departments. He has designed and executed enterprise solutions in this space for 18 years in the public, private and financial sectors, and is acutely aware of the demands security, compliance and governance place on ICT solution deployment.