Speaking at the Symantec Vision conference in Barcelona, Francis deSouza, senior vice president of the enterprise security group at Symantec, claimed that people are spending more on basic security than ever before but are still suffering from breaches. Old methods of doing security with defence-in-depth, where you throw as many products at the problem as you can, are not leaving companies feeling secure.
He said: “I was talking to one CISO who said he has 235 security vendors in his environment, over 1,000 security products in his environment and he didn't feel safe. He said he would feel more secure if he could get it down to ten vendors.
“So increasingly companies are getting to a point where they say that having hundreds of security products in their environment is not the right way to do security, because you are only as strong as the most weakly implemented part of your environment.”
DeSouza looked at the trends over the last couple of years and thought: 'what is the right way to do security?'
He said: “We have changed the way we think about security, the way we talk about security and frankly the way we develop security going forward. We believe that there is a problem with security going forward, that security is not about 100+ small spaces, if you have a virus it is anti-virus, if it is spyware you have anti-spyware, we don't think that is the right way to think about it.”
He said that there are five core problems in security.
The first issue is how do you protect your infrastructure in your organisation? DeSouza said the problem is how do you make sure you have all the right protections in all of the right places and how do you have a view across your environment to know if something is happening?
The second core problem is how do you protect the information? He said: “The old days of protecting the information was to protect the PC and 'hopefully I have protected the information on it', but that is not good enough any more, as the information moves away from the PC. So we think that companies need to have a separate but equal view on their information assets as they do on their infrastructure assets.”
The third core problem in security, according to deSouza, was how do you manage the systems in your environment? He said: “For years systems management and security have been two totally different fields but we have been saying for a while now that it is a safe infrastructure, that is a secure infrastructure, and things such as patch management which used to be core systems capabilities is now secure systems capabilities.
“Similarly things like asset inventory, knowing what you have in your environment used to be pure systems management, but if you don't know what you have, how can you protect it? Those are also core security capabilities.”
The fourth core problem in security is how do you develop and enforce IT policies? He said: “Security cannot be a reactive proposition where you have a point problem and throw products at it, you need to flip it around and start with a strategy to drive IT security investments. What is driving your policies? Use that to decide what your IT policies should be, assess your infrastructure against those policies and come up with a list of things you can do to improve your security posture.”
Finally, he said that the fifth core problem in security is: how do you authenticate the identities in your environment, how do you know that the right people are connecting into your infrastructure or how do you know that the people across a transaction on the internet are the people who they say they are?
DeSouza said: “To address those problems from a governance perspective is risk-based and policy driven, because the reality is in a complex infrastructure you cannot protect everything equally and nor would you want to because it would be too expensive. So identify what your most valuable assets are and your most at risk assets and apply the highest level of protections to those assets. Get a risk-based view of your infrastructure and a policy driven view of security because you start with a policy and use that to drive your security strategy.
“From a governance perspective, we think a security strategy needs to be risk-based and policy driven. From a focus perspective, we think the focus needs to move from being purely on the infrastructure to being focused on information and identity. A security strategy needs to be well managed over a protected infrastructure.”