At last week's Gartner Security and Risk Management Summit, threats were booming, budgets were lean, and businesses were challenged to do more with less. Security professionals now scramble to safeguard new IT initiatives like cloud computing, social networking, mobility, and Windows 7, while meeting escalating regulatory, compliance, and e-discovery demands. CISOs have little choice but to focus finite security resources on those risks that most impact business success.

As Gartner analyst Eric Ouellet said about Data Loss Prevention: "Don't try to boil the ocean – follow the priorities of your organization to attempt only what makes sense for you right now."

Organizations are buying too much DLP, said Ouellet. Most fail to deploy all of the components they have purchased within three years. Worse, many underestimate the need to involve non-IT stakeholders right from the start. Too often, the result is an expensive disappointment. "Start with one big business issue and focus on solving it first," he said.

Similar recommendations were made about other technologies throughout this summit. Cyber-crime continues to grow, as do vectors through which we expose business assets. As the attack surface expands, it becomes impractical to lock down everything. Instead, speakers told attendees to enable key business processes with targeted security controls.

Learn to share—smartly

In his summit kick-off, former US Attorney General John Ashcroft said that organizations must learn to protect sensitive information while balancing privacy vs. usability. "The important breaches – those that are the most costly – come from inside," Ashcroft warned. As in the infamous case of FBI-agent-turned-spy Robert Hanssen, Ashcroft said, "There can be just too many people with too much access."

However, ignoring situational awareness can be just as damaging. Whether the result of policy or lack of consolidation, "Siloing of information inside IT can be as dangerous [to enterprises] as siloing inside intelligence agencies was to the US before 9/11," said Ashcroft. "Don't let this happen to you."

Ashcroft cited recent "shoe bomber" and "Times Square" terrorist attacks that were defeated through the participation of individuals, not just law enforcement. When it comes to effective enterprise security, IT cannot go it alone. "We need to enlist the broad public in securing information," argued Ashcroft. Privacy should be about enabling access, by the right people, to the right data—not preventing access by everyone.

Prioritize defenses

Gartner analyst John Pescatore took attendees on a tour of cyber-threats, past, present, and future. "In mainframe days, all we had to worry about was insider threats," said Pescatore. "But then the Internet changed the way that we did business."

Soon thereafter, worms began to prey upon e-mail as it became a common business communication medium. "Today, social networks and virtualization are reshaping cyber-threats once again. We're seeing the rise of non-traditional application ecosystems, where everything occurs outside the good old data center," he said.

From Twitter and Facebook worms to DNS cache poisoning, it's tempting to think of next generation threats as requiring new controls. However, "more than ninety percent of these attacks are exploiting vulnerabilities we already knew about, or should have known about. Very few attacks – less than 1% – are zero-day attacks," said Pescatore.

As a result, Pescatore advised attendees to focus on a few big-impact areas:

  • Scouring inbound messages at security gateways (or inside cloud services);
  • Supporting IT consumerization securely using NAC, desktop virtualization, and application whitelists; and
  • Improving Web security through software vulnerability assessment and SaaS.

Supply chain pollution, hypervisor/VM threats, Trojans downloaded from app stores, compromised clouds, and LTE/4G attacks are likely to emerge over time. But those sexy new threats should not be permitted to siphon attention away from today's top-priority defenses.

"Don't count raindrops," said Pescatore. "Focus on leaks in the roof."

Look before you leap

Ouellet observed that turnout for his Data Loss Prevention session was bigger than ever. Despite early-adopter burn-out, the DLP market continues to grow. [Editor’s note: For advice on how to choose the right DLP for your company, read “How to Choose a DLP Provider”.]

DLP products are now widely available for deployment at the network perimeter or on endpoints, policing data delivered through a single channel (e.g., e-mail, DRM) or enterprise-wide. Acquisition costs can be hard to plan because components are often sold à la carte – for example, separately licensed discovery, prevention, and encryption modules. The good news, said Ouellet, is that per-endpoint prices have fallen to the point where the incremental cost of single-channel DLP may now be considered negligible.

Of course, bigger operational costs are incurred as DLP is rolled out.

"Most deployments end up in monitor-only mode because the cost and impact of blocking can be too much," said Ouellet. One example: it is rarely appropriate for first-line IT staff to examine leaked data to decide how to remediate an incident. "The person who should probably look at content is the data owner – finance, legal, HR, compliance." Hence Ouellet's imperative to get non-IT stakeholders involved at project start.

Ouellet described one trial that compared monitor vs. prevention modes. "Remediation was actually lower in the blocking trial. It turned out to be more effective to monitor, warn, and educate than to block," he said. Organizational resistance, false positives, and national privacy laws may all pose concerns, but DLP rollouts are most successful when focused on one big business problem. "Start with single channel or skip prevent for now," Ouellet recommended. "Work closely with user awareness programs to get the most value from DLP and measure success by reduction in events. If rates don't drop, educate."

Pursue quick returns

In his session on Windows 7 security planning, Gartner Fellow Neil MacDonald noted that most enterprises skipped Vista. He predicts that half will deploy Windows 7 this year, and that making this transition will have real security impact. However, the most promising security features in Windows 7 are only available in the Enterprise or Ultimate editions, which carry additional ongoing licensing fees.

However, MacDonald said that many enterprises could greatly improve their security posture even without Windows 7. "The two most significant things you can do today are get off Internet Explorer 6 and get rid of administrative rights for end users," he said. "Neither requires moving to Windows 7, although you can use Windows 7 migration as a catalyst to make them happen."

Some IE6 applications will not run on IE8 (included in Windows 7). Companies stuck on IE6 for this reason should consider using Windows 7 XP Mode, or terminal services sessions to (virtual) XP desktops, to preserve access to those legacy applications only. Moving all other Web activity to IE8 without further delay taps improvements such as DEP and ASLR protection while browsing, the SmartScreen Filter against phishing and malware sites, and the XSS Filter against reflected (Type 1) cross-site scripting. One caveat: IE8 opts into DEP on XP SP2 and later, but ASLR exists only in Vista and Windows 7, so the memory-protection gain on an XP desktop is partial until the OS itself is migrated.

"You will need to test all of your applications, especially if you're running as a standard user, but you should start using IE8 as soon as possible," counseled MacDonald.

Windows 7 User Account Control (UAC) does not require running as a standard user, and it does not remove administrative rights by itself: a user who is still in the Administrators group gets a consent prompt and can elevate at will. UAC discourages casual, unauthorized changes, but it is not a substitute for standard-user accounts. MacDonald acknowledged that the politics of eliminating administrative rights can be daunting. "Our users are like ponies running around free on the prairie. Now we're putting up barbed wire fences and they're getting spooked," he said.

Nonetheless, MacDonald argues that companies should start running all applications as standard user prior to deploying Windows 7, clearing this hurdle before UAC prompting begins. Organizations grappling with tough cases should consider solutions like BeyondTrust or Avecto that can permit privilege elevation on exception while running as standard user most of the time.

More intriguing security features like AppLocker, BitLocker, and DirectAccess may come with full-blown Windows 7 deployment, but executing a migration plan can easily take a year. In the meantime, get these two big-payoff steps out of the way, advised MacDonald. And don't forget to survey your security tools for Windows 7 (32- and 64-bit) support and involve your security team in deciding which Windows 7 features to use.
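Before either of MacDonald's two steps can be scheduled you need to know how big the problem is: which desktops are still on IE6, and which end-user accounts still sit in the local Administrators group. The script below is an added example (mine, not Gartner's and not from the article) that builds that inventory using only the remote registry and the WinNT ADSI provider, both of which exist on XP-era hosts without installing an agent. It assumes the account running it has administrative rights on the targets, that the Remote Registry service is running there, the allow list of expected admin accounts is a placeholder for your environment, and the host names are constructed for illustration.

```powershell
# Added example (not from the article or from Gartner): inventory IE6 holdouts
# and non-standard local admin rights ahead of a Windows 7 migration.
# Assumptions: admin rights on the targets, Remote Registry service running,
# PowerShell 2.0 or later on the machine running the script.

# Placeholder allow list: accounts expected in Administrators and not flagged.
$ExpectedAdmins = @('Administrator', 'Domain Admins', 'Enterprise Admins')

function Get-IEVersion {
    param([Parameter(Mandatory=$true)][string]$ComputerName)
    # IE records its version under HKLM\SOFTWARE\Microsoft\Internet Explorer.
    # 'Version' is authoritative through IE 9 (e.g. 6.0.2900.5512 on XP SP3,
    # 8.0.7600.16385 on Windows 7 RTM). IE 10+ leave 'Version' at 9.x and put
    # the real number in 'svcVersion', so prefer that value when it exists.
    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    try {
        $key = $base.OpenSubKey('SOFTWARE\Microsoft\Internet Explorer')
        if (-not $key) { return $null }
        $v = $key.GetValue('svcVersion')
        if (-not $v) { $v = $key.GetValue('Version') }
        return [string]$v
    } finally {
        $base.Close()
    }
}

function Get-LocalAdminMembers {
    param([Parameter(Mandatory=$true)][string]$ComputerName)
    # Enumerate the local Administrators group through the WinNT provider.
    # Members are COM objects; read each ADsPath (e.g. WinNT://CORP/jsmith)
    # and strip the scheme so the result reads DOMAIN/user or HOST/user.
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    } | ForEach-Object { $_ -replace '^WinNT://', '' }
}

function Test-Win7Readiness {
    param([string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        try {
            $ie     = Get-IEVersion -ComputerName $c
            $admins = @(Get-LocalAdminMembers -ComputerName $c)
            # Compare only the account name (after the last '/') to the allow list.
            $unexpected = @($admins | Where-Object { $ExpectedAdmins -notcontains ($_ -split '/')[-1] })
            $onIE6 = [bool]($ie -and $ie.StartsWith('6.'))
            New-Object PSObject -Property @{
                ComputerName     = $c
                IEVersion        = $ie
                StillOnIE6       = $onIE6
                LocalAdmins      = ($admins -join ';')
                UnexpectedAdmins = ($unexpected -join ';')
                NeedsWork        = ($onIE6 -or ($unexpected.Count -gt 0))
                Error            = $null
            }
        } catch {
            # Unreachable or access-denied hosts must still appear in the report.
            New-Object PSObject -Property @{
                ComputerName     = $c
                IEVersion        = $null
                StillOnIE6       = $null
                LocalAdmins      = $null
                UnexpectedAdmins = $null
                NeedsWork        = $null
                Error            = $_.Exception.Message
            }
        }
    }
}

# Constructed host list for illustration; in practice feed this from
# Get-ADComputer or a CMDB export.
$targets = @('WS-FINANCE-01', 'WS-HR-07', 'WS-LEGAL-03')
Test-Win7Readiness -ComputerName $targets |
    Select-Object ComputerName, IEVersion, StillOnIE6, UnexpectedAdmins, NeedsWork, Error |
    Format-Table -AutoSize
```

Pipe the output to Export-Csv instead of Format-Table to get a worklist; the NeedsWork column is the count MacDonald would have you burn down before UAC prompting starts, and the UnexpectedAdmins column is the list to hand to the application-compatibility team for the cases that may need a BeyondTrust- or Avecto-style elevation rule.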