Julie Sartain
tech journalist

Top security tools in the fight against cybercrime

May 18, 2015 | 15 mins
Cybercrime, Data and Information Security

Cybercrime is a massive global threat, and U.S. businesses are the No.1 target. For tips and advice about how best to defend against cyberattacks, Network World asked security pros to name their No.1, most valuable security tool.

Many of the experts we interviewed pointed out that there is no silver bullet when it comes to security. Ron Woerner, director of CyberSecurity Studies at Bellevue University put it this way: “There is no ‘one and best’ security tool. It really depends on the situation, circumstance, and personal preference. There are certain things all network, IT, and security professionals should have in their toolbag. The most important is knowledge; i.e., where to learn more about a particular topic, technique, or tool. It’s impossible to know everything; so focus on where to get quality instruction and information.”

Woerner recommends two websites: and for reference; and two toolkits: SysInternals and Windows GodMode. The former is a grouping of simple Windows tools (beyond the native administrative programs) and the latter is administration applications already available in the Control Panel.

Yier Jin, assistant professor of computer science and electrical engineering at the University of Central Florida, also believes knowledge is the key. “I would say cybersecurity awareness is the one, best tool. Many breaches are caused by internal workers who lack cybersecurity awareness and, therefore, click links from spam email, which often initiates the breach. For tools, I recommend Microsoft Enhanced Mitigation Emergency Toolkit (EMET), an excellent toolkit that every company should have.”


Strategy first, then tools

Heidi Shey, senior security/risk analyst at Forrester Research, recommends that organizations first start with an assessment of their security maturity and the risks to their environment. Otherwise, they’re always chasing the latest, greatest, hottest, must-have tool. Strategy must come before tools. There are many different models for self-assessment, including COBIT, ITIL, the NIST Cyber Security Framework, the SANS Institute Top 20 Critical Security Controls, and ISF’s 2013 Standard of Good Practice (SOGP).

“The purpose of assessing security maturity is to help identify where the organization’s security program and environment currently stands, where the gaps are, how to articulate responsibilities, and identify steps to improve security maturity. And, as a result, narrow down and prioritize a wish-list for tools that will help maximize results for the organization,” says Shey.

“Information security is in crisis and the popular approach to improve this situation is to move to a risk-based model,” says Jeff Northrop, CTO at International Association of Privacy Professionals. “Good plan; however, companies must first perform a proper risk assessment, which cannot be implemented without a sufficient picture of their data landscape. Most large organizations lack this information and, therefore, cannot move to a risk-based model, and that’s a problem.”

Northrop has adopted the term data security intelligence tools to describe the emerging category of tools whose foundation is an understanding of the data landscape within an organization.

“Currently, we have business intelligence tools, data integration tools, data discovery tools, data encryption tools, compliance tools, and SIEM tools. All require that foundation for a data security intelligence tool; that is, an understanding of what data is collected; where it’s located; how it’s structured, categorized, and used; and who has access to it,” Northrop says. “Most vendors operate in one or two of these areas; but a few companies have recognized a need for better information on the data they’re responsible for protecting and are, therefore, taking advantage of their platform to extend their products to meet this need.”

Northrop suggests Informatica’s Secure@Source, IBM’s QRadar, HP’s ArcSight, and Splunk. He predicts that vendors such as Oracle, SAP, and Tableau Software, as well as database vendors such as Microsoft, Informix, and Teradata, will join this club soon.

Tools: Administrative

Mike Papay, vice president and CISO at Northrop Grumman says, “In the context of destructive malware and insider-enabled data loss, businesses should invest in security tools that protect from the inside out. Similar to a broken windows policing strategy, security tools that can baseline, and then detect and alert on anomalies in network and client behavior, help businesses mitigate problem-activity early in the threat cycle.”

“I recommend Privileged Identity Management (PIM) tools that control the administrative password and, in some cases, shared business passwords and credentials,” says Andras Cser, vice president and principal security/risk analyst at Forrester. “These tools are absolutely critical to prevent data breaches by making always-on system administrator access to on-premises and cloud workloads a thing of the past. PIM tools check out and change passwords for critical workloads, which makes attackers’ snooped administrator and root passwords worthless. Also, PIM (generally) enforces close monitoring and recording of all programmatic and/or human administrative access to machines.”

“There are three tools that all companies should have,” says Gary Hayslip, deputy director and CISO for the City of San Diego, “patch management, data backup, and full disk encryption. These tools provide the basic cyber-hygiene foundation, which enables companies to continue to grow safely and respond to incidents. Then, as the revenue stream increases, they can add more security controls to the organization. If I had to choose just one, I’d say patch management. Having a patch management solution in place reduces risk exposure to the organization by keeping its IT assets up-to-date, which makes it harder for the bad guys. However, there’s no guarantee that any one solution will resolve all issues.”

Tools: Cloud, Mobile

David Giambruno, senior vice president and CIO at TribuneMedia, suggests that enterprises should move toward the concept of a software defined data center. “We’re using VMware’s solution stack for its micro-segmentation capabilities—summarized as security at the element layer,” he says. “Historically, this was incredibly challenging with hardware but, in the software world—where everything is a file—you can wrap everything with a security posture. Security follows wherever the element goes either internal or external. The audit-ability, operational automation, and visibility changes defensive capabilities.”

Giambruno deployed Cyphort for its capabilities to see east/west traffic in the cloud. The VM-based design provided quick deployment and integrated with the software defined data center.

“One interesting new area is using technology to provide a layer between the user and SaaS solutions, so the enterprise can manage authentication and encryption and hold its keys, while maintaining close-to-full functionality with the software as a service (SaaS) solution,” says Dr. John D. Johnson, global security strategist and security architect for John Deere. “There are also new solutions for cloud file storage and sync (like Box) that add encryption, data loss protection, and granular reports. We are seeing the evolution of hold your own keys in the cloud where the hardware security module is in Amazon Web Services instead of your demilitarized zone.”

Johnson adds that managing data on mobile devices in ways that go beyond mobile device management is another concern. He recommends products that keep corporate data in a container and prevent it from being moved or recorded, such as Bluebox, which puts a flexible walled garden around certain data and apps and applies corporate rules. This could enable using BYOD in a more trustworthy manner without forcing users to comply with a full mobile device management solution.

Monitoring: Defense-In-Depth

According to Neil MacDonald, vice president and distinguished analyst at Gartner, the key to information security is defense-in-depth, which consists of firewalls, patching, anti-virus, SIEM, IPS, etc. MacDonald advises clients to first remove administrative rights from Windows users (if they haven’t already). Then invest in an endpoint detection and response (EDR) solution that continuously monitors and analyzes the state of the endpoint for indications of compromise. Always assume that regardless of your prevention systems, attacks will get through to your enterprise systems. At that point you’re blind.

“You can’t depend on the technologies that failed to prevent the attack, to detect it after the fact,” says MacDonald. “Industry data shows the average attack resides undetected for around 240 days before discovery, and most don’t find it themselves. Usually, an outsider alerts the organization that it has been compromised.”

MacDonald emphasizes that EDR solutions provide continuous visibility that, when combined with continuous analytics, can help enterprises shorten the dwell time. Prevention alone is futile and end-users are a soft target that cannot be patched. Your ability to quickly detect and respond to attacks that will inevitably bypass your traditional security protection mechanisms is, at least, as important as your investments to prevent them.

“For server workloads, I’d replace anti-malware scanning with an application-control solution,” he says, “to prevent the execution of all unauthorized code, which keeps the vast majority of malware off the system and, also, reinforces good operational and change management hygiene. This should be the primary security control for protecting data center and cloud-based workloads.”

Troy Leach, CTO of the PCI Security Standards Council, concurs. “PCI Standards advocate for a defense-in-depth approach to security,” he says. “The underlying strategy is simple: deploy a variety of security controls aimed at different risk vectors, so your organization is better equipped to reduce the odds of a breach and keep cardholder data secure. But there’s another fundamental practice that determines the success of this strategy that’s often underutilized by organizations, which is the practice of monitoring. Its strategic use provides huge, untapped business benefits.”

Leach maintains that monitoring the performance and data provided by security controls enables increased awareness of security posture and the health of technical operations. In particular, continuous monitoring is a key mechanism to keep your hands on the pulse of security in real-time. Organizations should focus analysis of monitoring data on critical areas such as systems controlling access to the cardholder data environment and vulnerable PCs in the back-office running out-of-date software or security signatures. These were typical attack vectors exploited with malware insertions in recent major breaches.

“The data accrued with monitoring also allows you to measure and demonstrate financial benefits of your security program, which provides you with concrete terms for demonstrating the return on investment and getting security buy-in from senior leadership. Effective monitoring keeps your security team nimble and ready to respond to emerging risks, while helping control the costs of investments and compliance. The PCI Council urges you to continuously re-evaluate the effectiveness of your security controls with monitoring and help your security team make timely systematic responses to emerging threats,” Leach says.

Monitoring: Continuous

Randy Marchany, IT security lab director and security officer at Virginia Tech, also believes that an overall security strategy is very effective as opposed to the common strategy of perimeter defense. The flaw with static perimeter defense is that most organizations focus on inbound traffic rather than outbound traffic. Continuous Monitoring, also known as Network Security Monitoring or Extrusion Detection, focuses on traffic and log analysis.

“A key CM assumption,” says Marchany, “is that our machines have been compromised, so we actively search for those victims. CM provides a way to effectively detect, contain, and eradicate an attack. Three steps for a successful attack; i.e., the hackers’ goal, are: gain entry to the machine; once owned, the victim machine must communicate back to the hacker; and, if discovered, delete everything to cover your tracks.”

Marchany suggests some CM goals: monitor outbound traffic to suspicious sites; search for compromised machines within a network; and use analytics to determine if sensitive data exfiltration has occurred. Virginia Tech’s unique network architecture runs a full production, dual-stack, IPv4 and IPv6 network, so its network defense tools must support IPv6. He recommends the FireEye Malware Detection appliance, Netflow data (which provides invaluable information that determines if internal machines have been compromised), and tools such as ARGUS Software, SiLK (the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team), and/or the Bro network security analyzer.
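The three CM goals above, worked on flow data, as an added example that is not from the article or any of the tools it names: it reads constructed NetFlow-style records, flags internal hosts that contacted a (constructed) denylist, detects regular call-backs from an owned machine, and picks out hosts sending far more than they receive, handling IPv4 and IPv6 addresses alike for a dual-stack network. The internal prefixes, denylist and thresholds are assumptions.

```python
"""Continuous-monitoring checks over constructed NetFlow-style records.
Added example (not from the article or any vendor): suspicious destinations,
beaconing, and exfiltration volume, on a dual-stack IPv4/IPv6 network."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Internal prefixes and a stand-in denylist (both constructed).
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("2001:db8:1::/48")]
SUSPICIOUS = {ip_address("203.0.113.9"), ip_address("2001:db8:ffff::1")}

# Constructed flows: (start_seconds, src, dst, bytes_out, bytes_in)
FLOWS = [
    (0, "10.0.0.5", "203.0.113.9", 512, 128),      # every 60 s ...
    (60, "10.0.0.5", "203.0.113.9", 520, 130),
    (120, "10.0.0.5", "203.0.113.9", 508, 126),
    (180, "10.0.0.5", "203.0.113.9", 515, 129),
    (240, "10.0.0.5", "203.0.113.9", 511, 127),    # ... a beacon
    (10, "10.0.0.7", "198.51.100.20", 2000, 350000),  # ordinary download
    (30, "2001:db8:1::42", "2001:db8:ffff::1", 900000000, 4000),  # v6 exfil
    (40, "10.0.0.9", "10.0.0.7", 70000, 80000),    # east/west, ignored here
]

def is_internal(addr):
    a = ip_address(addr)
    return any(a in net for net in INTERNAL)  # version mismatch is just False

def outbound_flows(flows):
    """Flows leaving the internal address space; inbound and east/west drop out."""
    return [f for f in flows if is_internal(f[1]) and not is_internal(f[2])]

def denylist_hits(flows):
    """Internal sources that talked to a suspicious destination."""
    return sorted({f[1] for f in outbound_flows(flows)
                   if ip_address(f[2]) in SUSPICIOUS})

def beaconing_pairs(flows, min_flows=4, max_cv=0.1):
    """(src, dst) pairs whose inter-flow gaps are nearly constant."""
    starts = defaultdict(list)
    for start, src, dst, _, _ in outbound_flows(flows):
        starts[(src, dst)].append(start)
    hits = []
    for pair, ts in starts.items():
        if len(ts) < min_flows:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        # coefficient of variation: low means a regular call-back schedule
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv:
            hits.append(pair)
    return sorted(hits)

def exfil_candidates(flows, min_bytes=100_000_000, min_ratio=50):
    """Internal hosts that sent far more than they received."""
    out_b, in_b = defaultdict(int), defaultdict(int)
    for _, src, _, bytes_out, bytes_in in outbound_flows(flows):
        out_b[src] += bytes_out
        in_b[src] += bytes_in
    return sorted(h for h in out_b
                  if out_b[h] >= min_bytes and out_b[h] >= min_ratio * max(in_b[h], 1))
```

On real data the denylist would come from a threat-intelligence feed and the thresholds would be tuned against a week of baseline flows before alerting.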

Johna Till Johnson, CEO at Nemertes Research, advises organizations to focus on Advanced Security Analytics (ASA), an emerging category of security products and services that provide real-time insight into—and, increasingly, proactive responses to—situations that indicate a potential breach, compromise, or vulnerability. ASA extends the existing category of security information and event management (SIEM) by adding analytical capabilities often derived from Big Data technologies. It also includes earlier categories such as forensics and Intrusion Detection Systems/Intrusion Prevention Systems (IDS/IPS). These capabilities include User Behavioral Analytics (UBA), which can detect, report on, and take action against anomalous behavior by users (whether systems or humans), and visualization.

“Why do you need ASA and, particularly, UBA,” she asks. “To protect against multi-factor threats and, in particular, witting or unwitting attacks from within the network. Users may misbehave and/or their systems may be compromised. Often, the only way to detect advanced persistent threats is to detect anomalous behavior, which is challenging if you don’t know what normal behavior is. With UBA, you don’t need to know what’s normal—the system figures it out for you.”

Johnson recommends ASA tools from vendors such as Agiliance, Blue Coat, Damballa, FireEye, Guidance, HP ArcSight, IBM, Lastline, LogRhythm, McAfee/Intel, and Splunk.
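The UBA idea above, that the system learns what is normal rather than being told, as an added example that is not from the article or any of the vendors listed: a per-user baseline (working-hour window, known source hosts, byte-volume statistics) is learned from constructed file-access log lines, and new events are scored against it. The log format, history and thresholds are assumptions.

```python
"""Per-user behavioural baseline, as the UBA description above puts it:
learn what is normal from history, then score new events against it.
Added example with constructed logs and thresholds; not a vendor product."""
import re
from collections import defaultdict
from statistics import mean, pstdev

LINE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) bytes=(?P<bytes>\d+)")

# Constructed history: alice works 09:00-16:00 from one host, modest volumes.
HISTORY = [f"2015-05-{d:02d}T{h:02d}:00:00 user=alice src=10.0.0.5 bytes={4000 + 200 * h}"
           for d in range(1, 6) for h in (9, 11, 14, 16)]

def parse(lines):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LINE.match(line)
        if m:
            yield {"user": m["user"], "src": m["src"],
                   "hour": int(m["ts"][11:13]), "bytes": int(m["bytes"])}

def build_baseline(lines):
    """Per user: working-hour window, known source hosts, byte statistics."""
    hours, srcs, sizes = defaultdict(list), defaultdict(set), defaultdict(list)
    for e in parse(lines):
        hours[e["user"]].append(e["hour"])
        srcs[e["user"]].add(e["src"])
        sizes[e["user"]].append(e["bytes"])
    return {u: {"hours": (min(hours[u]), max(hours[u])), "srcs": srcs[u],
                "mean": mean(sizes[u]), "sd": pstdev(sizes[u])} for u in hours}

def score(line, baseline, z_max=3.0):
    """Return the reasons an event deviates from its user's learned baseline."""
    e = next(parse([line]), None)
    if e is None:
        return ["unparseable"]
    b = baseline.get(e["user"])
    if b is None:
        return ["unknown-user"]
    reasons = []
    lo, hi = b["hours"]
    if not lo <= e["hour"] <= hi:
        reasons.append("off-hours")
    if e["src"] not in b["srcs"]:
        reasons.append("new-source")
    # z-score when the history has spread; otherwise a plain multiple of the mean
    if b["sd"] > 0:
        if (e["bytes"] - b["mean"]) / b["sd"] > z_max:
            reasons.append("volume")
    elif e["bytes"] > 3 * b["mean"]:
        reasons.append("volume")
    return reasons

BASELINE = build_baseline(HISTORY)
```

A real deployment would rebuild the baseline on a rolling window so that normal drift (a new laptop, a schedule change) stops alerting after a few days while a sudden change still does.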

People Are the Key

“If you want true security in an enterprise of any size, you must start with people,” says Eddie Block, CISO, Department of Information Resources at the State of Texas. “People are the ones that configure the firewalls, update anti-virus software, patch servers, and the other myriad tasks that ensure breaches and intrusions are minimized. People with technical skills and understanding have an eye for anomalies and a natural sense of curiosity. They’re the ones on the front line reviewing logs, who see something odd in a log file, and then have the compulsion to figure out what happened. Many of the large-scale breaches experienced over the past few months could have been discovered earlier with the right people. There’s nothing new, flashy, or sexy about log files, but if you truly want to understand your security posture, put a curious person in front of a log server.”

“My vote for security’s best option is collaboration tools. Yes, we have plenty of silver bullets; what we really need are more tools that allow communication and collaboration for our distributed workforce. We need to capture tribal knowledge to make staff more effective. We need to invest in tools that make staff more agile,” says Rick Holland, principal security/risk analyst at Forrester Research.

Guy Delp, director of Cybersecurity and Advanced Analytics at Lockheed Martin, believes the focus should be on hiring cybersecurity talent that can capitalize on existing investments and influence all aspects of the organization’s security posture. He challenges companies to ask: Should network visibility issues be addressed? Are there organizational stovepipes that hamper incident response? Are existing tools used to the fullest, and are open-source tools implemented within the infrastructure?

“When investing in key talent, consider three essential criteria: balance, adaptability, and influence,” he says. “Knowing the technical aspects of the mission is not enough. Key talent must be leaders as well, sharing information, mentoring, motivating others, and getting their hands dirty (balance). The most successful superstars understand the technical and political aspects of their environment. Rapid change is likely, so quick learners will adapt best (adaptability). Security organizations do not operate in a vacuum. The most successful, key talent are those who can navigate across organizational boundaries to drive the results they need (influence).”

Frank Kim, CISO at the SANS Institute, believes security capabilities that detect attackers and anomalous activity are even more important in the face of advanced threats, which are determined to bypass traditional, preventative mechanisms. As a result, threat intelligence and robust information sharing are key aspects of modern cyber defense. But it’s not just about sharing indicators of compromise, it’s also about advanced analytics and the ability to mine internal and external sources of data. Building a data science capability to intelligently analyze large amounts of information provides organizations with actionable information that allows security teams to respond more quickly.

“However, it’s not just about these technical capabilities,” Kim says. “Having the right people with the right skills and expertise is key to appropriately protecting critical assets. It’s not the arrow, it’s the archer.”

“Rather than endorsing a particular product or solution, I have lectured students in my data privacy class on the virtues of assembling an Incident Response Team,” says Jill Bronfman, program director and adjunct professor of Law/Data Privacy for the Institute of Innovation Law at the University of California Hastings. “That is, a team of trained professionals to prevent (or at least mitigate) data security breaches and if/when such breaches occur, respond to them with all deliberate speed and attention.”

Bronfman asserts that in cases which involve both employee and consumer information, such as healthcare and finance and/or corporate and personal data, companies are best served by a cross-functional team of security experts. She recommends establishing groups in advance that consist of legal, IT, CTO, CIO, human resources, risk management for insurance, public relations/marketing, consumer relations, regulatory/government, and relevant vendors—especially if they’re involved in security—and then train them on an Incident Response Plan. Smaller companies could combine these functions in fewer people, but the key is to identify individuals responsible for each function and provide actionable checklists for when incidents occur.

Sartain is a freelance writer. She can be reached at