When Slammer hit two years ago it caused an upheaval in a lot of places.
The worm led many security product vendors to rethink their strategy.
One of them was Symantec Corp.
CEO John Thompson admits that Slammer was the eye opener that changed the direction of the company. “It became apparent to us that (we) needed to tie our security alerting and intelligence to a set of operational tools that manage the IT infrastructure,” Thompson told journalists after his speech at the Empire Club of Canada in Toronto on Thursday.
He said it was in Slammer’s aftermath that Symantec decided to buy PowerQuest Corp. and ON Technology…and later Veritas Software Corp.
What prompted the acquisitions of firms that weren’t security companies but focused on backup and recovery, client and server provisioning, asset inventory tracking, software distribution and patch management?
According to Thompson, it was Symantec’s conviction that “the marriage between security and availability is awfully important for customers.”
Part of Symantec’s new corporate strategy, he said, is the admission that “you can deploy prevention technology, but it is inevitable that some attacks are going to get through.” In other words, protect your company but prepare for the possibility that your defenses may not keep all systems unscathed.
In the case of Slammer, noted Thompson, much of the damage was due to companies’ inability to recover from the attack. “If they had done a simple backup of the data when they saw the attack was underway, they could have made the restoration time much shorter.” But this strategy would have worked only if the backup were done almost immediately, since even Thompson admitted during his speech that 90 per cent of vulnerable computers were infected within 10 minutes. The solution, he said, is to create an environment where interaction between interconnected systems is seamless.
During his Empire Club talk Thompson used the analogy of a hurricane warning system being able to talk directly to a house to tell it to activate hurricane shutters and basement sump pumps.
“If you start further up the value chain to where you now recognize a potential vulnerability… and you use that knowledge…immediately to trigger operational actions, you can…mitigate the risk of damage or loss,” he told reporters later.
According to Thompson, this ability to lessen risk is necessary in the corporate world since the time between warning and attack is decreasing.
He said in this day of potential zero-day attacks — where the attack occurs the same day the vulnerability is announced and a patch made available — even the most effective patch management system is not guaranteed to work.
Companies need to decompose the network to figure out how best to protect individual aspects of the system instead of trying to create one “silver-bullet” solution, the Symantec CEO said.
One option he suggested was deploying prevention technologies on multiple levels. Extremely critical data sets or applications could be isolated behind different types of firewall technology. Instead of using a stateful inspection firewall, a proxy firewall may better protect systems, Thompson said. He also touched on the weakest security link — humans — and the need for better education. “If businesses were to accept that they have an important role to make employees more aware, that would go a long way.”
When journalists were asked how many had a security awareness program at their office, there was an awkward silence. “It is only through repetitive, thoughtful cajoling and counseling that we’re going to get the society that we live in more aware of what they should and shouldn’t do,” Thompson said.
He said the reduction in forest fires and smoking, and increased seat belt use are examples of the general public being educated to change its habits. “In each of those three incidents government played a role in raising (public) awareness and consciousness about threats that were there,” he said. “I would argue [there] is an important role for government now around information security awareness.”
But he added a caveat. “Government and industry have to come together; this can’t be done by government or by industry alone.”
As a society, said Thompson, we must be careful not to over-regulate or over-legislate, since that becomes too constraining and makes it difficult to do business. “Don’t layer on new regulatory initiatives that aren’t required.”