In a talk with journalists after his speech at the Empire Club of Canada in Toronto recently, Symantec Corp. CEO John Thompson admitted that the Slammer worm two years ago was the eye opener that changed the direction of the company.
“It became apparent to us that what we needed to do was tie our security alerting and intelligence to a set of operational tools that manage the IT infrastructure,” he said.
It was in Slammer’s aftermath that Symantec decided to buy PowerQuest Corp., ON Technology and later Veritas Software Corp. The acquisitions were not security companies, Thompson said, but rather those focused on backup and recovery, client and server provisioning, asset inventory tracking, software distribution and patch management.
“We believe that the marriage between security and availability is awfully important for customers,” he explained.
Part of the new corporate strategy at Symantec is the admission that “you can deploy prevention technology, but it is inevitable that some attacks are going to get through,” he said. In other words, protect your company but prepare for the possibility that your defences may not keep all systems unscathed.
In the case of Slammer, much of the damage was due to companies’ inability to recover from the attack.
“If they had done a simple backup of the data when they saw that the attack was under way, they could have made the restoration time much, much shorter,” Thompson said.
But for this strategy to have been successful, the backup would have needed to be almost instant since even Thompson admitted during his speech to club members that 90 per cent of vulnerable computers were infected within 10 minutes. The solution, he said, is to create an environment where interaction between interconnected systems is seamless.
During his Empire Club talk, Thompson used the analogy of a hurricane warning system being able to talk directly to a house to tell it to activate hurricane shutters and basement sump pumps. “If you can start further back up the value chain to where you now recognize that there is a new potential vulnerability out there, and you use that knowledge about the vulnerability immediately to trigger operational actions, you can start to mitigate the risk of damage or loss,” he said to reporters later.
This ability to mitigate risk is necessary in the corporate world since the time between warning and attack is shortening.
In this day of potential zero-day attacks — where the attack occurs the same day the vulnerability is announced and a patch made available — even the most effective patch management system is not a guaranteed solution.
Companies need to decompose the network to figure out best how to protect individual aspects of the system instead of trying to create one “silver-bullet” solution, he said. One example would be to deploy prevention technologies on multiple levels, he said. Extremely critical data sets or applications could be isolated behind different types of firewall technology. Instead of using a stateful inspection firewall, a proxy firewall may better protect systems, he said.
Thompson also touched on the weakest security link — humans — and the need for better education.
“If businesses were to accept that they have an important role here to make their employees more aware, that would go a long way,” he said. When journalists were asked how many of them had a security awareness program at their office, there was an awkward silence.
“It is only through repetitive, thoughtful cajoling and counseling that we’re going to get the society that we live in more aware of what they should and shouldn’t do,” he said.
Thompson said the reduction in forest fires and smoking, and increased seat belt use are examples of the general public being educated to change its habits.
“In each and every one of those three incidences government stepped up and played a role in raising the awareness and consciousness of the public about the threats that were there,” he said. “I would argue [there] is an important role for government now around information security awareness.”
Quick Link 057838
