Eric Golin, CTO and chief security officer, Carbonite Inc.

Wednesday, May 11, 2011

Network attacks have security pros, investors looking at new approaches

By Galen Moore

As governments increase their vigilance over how companies handle sensitive data, hackers, as usual, have moved one step ahead, launching attacks that often have made today’s best efforts at data protection look laughably inadequate.

Damaging breaches at three large enterprises have highlighted the need for a shakeup in data security. Marketing software provider Epsilon, consumer electronics maker Sony, and data security firm RSA (a division of EMC Corp. (NYSE: EMC)) presumably had the best existing anti-malware technology in play: they are certainly large enough and possess data valuable enough to afford it. Whatever they were using wasn’t enough to protect against a new breed of hackers who place higher value on stealth and trickery than coding muscle.

Investors and IT managers are now looking more closely at setting rules and establishing monitoring within the organization than running the arms race of anti-malware protection around their perimeter.

The tactics and the targets are not new. Security professionals have been talking for at least a year about so-called advanced persistent threats (APTs), and warning of a new breed of cyber criminal who shuns notoriety. Often suspected of being state-funded, these attackers are after more than credit card numbers. They’re assembling dossiers for identity theft, and downloading trade secrets. Targeting highly valuable information gives them latitude to wage longer and more varied campaigns.

Sony and Epsilon haven’t said much about how hackers compromised customer data — but RSA has. In a blog post after the fact, head of new technologies Uri Rivner revealed how a phishing attack lured an employee into opening an attached spreadsheet, by faking an internal email.

Avoidance is the hallmark of APTs. Unfortunately, most of the technological advances of the past five years have focused on responding to the direct attack, said Carbonite Inc. CTO and chief security officer Eric Golin.

Carbonite isn’t near the scale of Sony or RSA, but it manages petabytes of user data, and it’s among a class of midsize businesses some watchers feel will become the next range of targets for data theft, as large enterprises harden up protections. In defending against an APT, policy can be as important as technology, Golin said. “Look at the data that you’ve got and try to understand what you’ve got that someone would want to go after and what you think is valuable. Look at the different levels of what you need for protection in different parts of the system,” he said. “You probably won’t be able to protect your entire environment against a persistent threat.”

To date, only the largest organizations have turned attention to software systems to manage those kinds of concerns — like data governance software provided by Kalido Inc. The Burlington company has about 100 customers, mostly in the $2 billion to $10 billion annual revenue range, said CEO Bill Hewitt. But the demand is growing. He expects to double that number in a year, on the strength of a market that could quadruple by 2014, Hewitt said.

That will be a welcome development for Kalido’s investors, who have put $68 million to work in the Burlington company in the more than 10 years since it was spun off from Royal Dutch Shell.

Other investors are lining up to back similar plays. Last month, information protection software company Verdasys raised $15 million in a round led by new investor GE Asset Management. Existing Verdasys backer Fairhaven Capital Partners remains bullish on the company, said Fairhaven partner Rick Grinnell. He and partner Mark Hatfield have been at work on revising Fairhaven’s thesis for investing in data security, they said.

“Anything that’s signature-based, like antivirus in a firewall, is not working. The stuff that has a better chance of working is behavioral,” he said. The Cambridge venture capital firm is evaluating new investments and Grinnell said they are looking for approaches that will disrupt current models for defending data.

“I think on a high level you could bucket it into better behavioral monitoring and defense. Mark doesn’t particularly often have activity from his machine go to an IP address in China. He doesn’t typically do a certain list of things in succession, like downloading some file and then opening an application that’s now talking through a firewall,” Grinnell said. “There were companies talking about things like that four or five years ago. But I think there’s a whole set of companies out there talking about better ways of doing it so you’re getting a whole lot less false positives.”
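The two behavioral rules Grinnell sketches, a machine that never talks to a given country and a file download followed by an unfamiliar application making outbound connections, as a small per-user baseline detector. This is an added example written for this article, not code from Fairhaven, Verdasys or any company named here; the user, event format, countries and process names are all constructed.

```python
from collections import defaultdict

# Constructed sample telemetry, not real data: (user, kind, detail) tuples.
# kind "conn": destination country of an outbound connection; "proc": name of a
# newly started process; "download": name of a file fetched from outside.
BASELINE_EVENTS = [
    ("mark", "conn", "US"), ("mark", "proc", "outlook"), ("mark", "conn", "US"),
    ("mark", "proc", "excel"), ("mark", "conn", "CA"), ("mark", "proc", "chrome"),
]
LIVE_EVENTS = [
    ("mark", "proc", "outlook"),
    ("mark", "conn", "US"),
    ("mark", "download", "invoice.xls"),
    ("mark", "proc", "updater_svc"),  # process never seen for this user
    ("mark", "conn", "CN"),           # country never seen for this user
    ("mark", "conn", "US"),
]

def build_baseline(events):
    """Learn, per user, the set of usual destinations and usual processes."""
    baseline = defaultdict(lambda: {"conn": set(), "proc": set()})
    for user, kind, detail in events:
        if kind in ("conn", "proc"):
            baseline[user][kind].add(detail)
    return baseline

def detect(events, baseline, window=3):
    """Return alerts for (a) an outbound destination outside the user's baseline
    and (b) a download followed, within `window` prior events, by an unfamiliar
    process that is now talking outbound. Rule (b) fires once per chain."""
    alerts = []
    recent = defaultdict(list)  # per-user list of prior events
    for user, kind, detail in events:
        known = baseline[user]
        if kind == "conn":
            if detail not in known["conn"]:
                alerts.append((user, "new_destination", detail))
            prior = recent[user][-window:]
            downloaded = any(k == "download" for k, _ in prior)
            new_procs = [d for k, d in prior if k == "proc" and d not in known["proc"]]
            if downloaded and new_procs:
                alerts.append((user, "download_then_unknown_app_outbound",
                               f"{new_procs[-1]} -> {detail}"))
                recent[user] = []  # reset so the same chain is not reported again
                continue
        recent[user].append((kind, detail))
    return alerts

def run_example():
    return detect(LIVE_EVENTS, build_baseline(BASELINE_EVENTS))
```

The window reset after a chain alert is the kind of tuning Grinnell alludes to: it is there to keep one event sequence from generating repeated false positives.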

But a protection strategy doesn’t have to be technological wizardry, said Brenda Sharton, a partner at Goodwin Procter LLP who defends businesses against data breach litigation. For smaller businesses that don’t have a lot of network activity to monitor, and who probably can’t afford to adopt emerging technology, human resources — not IT — can be the most effective department at preventing a damaging breach.

“The way the malware usually will get onto the system is through the employees of the actual company,” Sharton said. With that in mind, training employees about what not to do, and limiting access to sensitive material, is the easiest way for a small company to cover its bases, she said. “There’s no real magic to this thing.”

At Carbonite, customer data are encrypted. In a company of about 200 people, only six have access to systems that process credit card information. Tiered access and careful monitoring are critical to warding off APTs, Golin said. “The real issue is if someone’s going to penetrate (one employee machine),” he said, “make sure they can’t bridge from there to the other levels of the system where they can get more access.” 
