Enterprises too complacent over security

Summary: IT departments are too trusting of their security vendors and commoditized tools yet unconcerned over threats like APTs, and such mindsets leave organizations in a vulnerable position.


SINGAPORE--Enterprises tend to trust their vendors' security recommendations too readily, even though those recommendations tend to consist of traditional, commoditized tools, while remaining unconcerned about real risks such as advanced persistent threats (APTs).

Such mindsets would leave organizations vulnerable and need to be addressed, RSA executives urged.

Jeffrey Kok, technical consultant director of RSA Asia-Pacific and Japan, said companies generally accept vendors' security designs and recommendations too easily, when they should be demanding more advice on how to address the evolving, sophisticated cyber threats now proliferating in the enterprise space.

This is because these companies put more trust in brand names than in whether the recommended security tools actually meet their needs, adopting the mentality that if the vendor's recommendation fails, they will not be the only ones affected, Kok added. He was speaking at the Security Exchange 2012 conference here Thursday.

Go beyond one-size-fits-all
Vendors, for their part, tend to recommend the "official industry threat model": generic security designs that may not tackle most security threats, he added. These default designs do not work because every IT environment is different, so the security architecture must be customized accordingly, he said.

These designs also rely on commoditized security tools such as signature-based antivirus, firewalls, intrusion prevention systems and intrusion detection systems, he said. A commoditized security tool can be defined as one that is offered by 10 or more vendors and whose functionality is difficult to differentiate, he explained.

An internal survey by RSA on IT spending, for example, showed 70 percent of Singapore companies investing in commoditized products for known threats instead of tools for advanced security threats and analytics, Kok pointed out.

Commoditized tools are built on an understanding of what "bad threats" and "good systems" look like, but APTs, which are increasingly favored by cybercriminals, are able to bypass the detection of such tools, he said.

David Cohen, head of knowledge delivery and business development at RSA, who attended the same conference, added that enterprises still do not believe "in the severity of APTs".

Organizations think APTs are not real because they have not been breached, but this mentality is wrong because many other organizations have been breached, he said. High-profile APTs such as Stuxnet and Flame have also surfaced in recent years, the executive pointed out.

So, instead of spending on security offerings that only uncover known threats, enterprises should invest in uncovering the more advanced threats potentially hiding in their IT systems, Kok advised.

They should also spend more time understanding their IT environments, such as having internal visibility at all levels, he added. "[They] must understand their adversaries and environments and how they can come and get you… before knowing what goes into the design and architecture of a threat model that can protect them," the executive said.
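To make Kok's two points concrete (that signature-based tools only catch what has already been seen, and that internal visibility into the environment is what surfaces the rest), here is an added example that is not from the article or from RSA. It runs a signature match and a simple behavioural check over a constructed egress log: a known sample is caught by its hash, while a never-seen sample is missed by the signature scan but stands out because it contacts the same external host on a near-constant schedule. All hostnames, hashes and timestamps are made up for the example.

```python
"""Signature matching vs. behavioural baselining over constructed egress logs.

Added illustration of why commoditized, signature-based tools only catch
previously seen threats. Every log line, hash and hostname below is
constructed for this example; none is a real indicator.
"""
import hashlib
import statistics
from collections import defaultdict

# Constructed "known-bad" signature list (hashes of previously analysed samples).
KNOWN_BAD_SHA256 = {
    hashlib.sha256(b"known-sample-A").hexdigest(),
    hashlib.sha256(b"known-sample-B").hexdigest(),
}


def make_sample_log():
    """Return a constructed log of (seconds, src host, dst host, payload sha256).

    Host ws-17 runs a sample no signature exists for, but it checks in with the
    same external host every ~300 s; host ws-09 browses an external site at
    irregular, bursty intervals.
    """
    novel = hashlib.sha256(b"never-seen-sample").hexdigest()
    known = next(iter(KNOWN_BAD_SHA256))
    log = [
        (60, "ws-03", "intranet.example", hashlib.sha256(b"benign").hexdigest()),
        (95, "ws-03", "updates.example", known),  # known sample: signature hit
        (120, "ws-09", "intranet.example", hashlib.sha256(b"benign-2").hexdigest()),
    ]
    # Regular 300 s check-in with a few seconds of jitter.
    for i, jitter in enumerate([0, 2, -3, 1, -1, 4]):
        log.append((1000 + 300 * i + jitter, "ws-17", "cdn-lookalike.example", novel))
    # Irregular, human-paced browsing to an external site.
    for t in (1500, 1510, 2400, 2405, 3300):
        log.append((t, "ws-09", "news.example", hashlib.sha256(b"benign-3").hexdigest()))
    return sorted(log)


def signature_scan(log):
    """Flag (src, dst) for every event whose payload hash matches a known-bad signature."""
    return [(src, dst) for _, src, dst, h in log if h in KNOWN_BAD_SHA256]


def detect_beaconing(log, min_events=5, max_cv=0.05):
    """Flag (src, dst) pairs whose inter-request intervals are suspiciously regular.

    Uses the coefficient of variation (stdev / mean) of the intervals: human
    browsing is bursty (high CV), scheduled check-ins are near-constant (low CV).
    Thresholds are illustrative and would be tuned per environment.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _ in log:
        by_pair[(src, dst)].append(ts)
    flagged = set()
    for pair, times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        intervals = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(intervals)
        if mean > 0 and statistics.pstdev(intervals) / mean <= max_cv:
            flagged.add(pair)
    return flagged


if __name__ == "__main__":
    events = make_sample_log()
    print("signature hits:", signature_scan(events))
    print("beaconing pairs:", detect_beaconing(events))
```

The signature scan reports only ws-03, because the sample on ws-17 has no entry in the known-bad list; the beaconing check reports only ws-17, because its intervals vary by a few percent while ws-09's browsing varies by almost 100 percent. The second check needs nothing but the organization's own egress logs, which is the kind of internal visibility the article argues for.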

Topics: Security, Enterprise Software, Malware

Ellyne Phneah

About Ellyne Phneah

Elly grew up on the adrenaline of crime fiction and it spurred her interest in cybercrime, privacy and the terror on the dark side of IT. At ZDNet Asia, she has made it her mission to warn readers of upcoming security threats, while also covering other tech issues.




    Not surprising!
    Just look at the new "PINPad" devices in most shopping facilities in Australia. That hand cover or "sock" that was part of the security provision to protect your entry of a PIN from being easily observed has GONE! Entering your PIN is now open to anyone to see - contrary to any best security practice (oh - and - yes, the PINPad is attached to a desk or counter so you often cannot pick it up to try and hide your entry!)

    So - well - it is all part of a decaying interest in information security at the business and corporate - and may I add - government level. (They just do not want to regulate the ICT industry, even though it is now critical to any economy, to protect their vulnerable citizens. Easier to just blame the end-user / blame the victim! Strange - this does NOT apply to cars, pharmaceuticals, food, healthcare, and on and on).

    Simple - once again this report shows the well established fact of "MARKET FAILURE" when it comes to cybersecurity. The recently failed USA congress cybersecurity bill just demonstrates the fact that even given this accepted failure of the marketplace when it comes to safety and security in the ICT industry, governments just sit and offer "advice" to the poor old end-user.
    Are they sure they haven't been breached?

    From the article:
    "Organizations think APTs are not real because they have not been breached"

    For enterprises, least-privilege and signature-based tools don't cut it any more.
    Rabid Howler Monkey