More-targeted attacks, customer authentication, businesses keeping a closer eye on employees and customer data, security company mergers and acquisitions, better integration of security with the rest of IT—these are a few of the trends that security experts are watching, according to a panel of industry analysts and another panel of security company executives assembled for the RSA Conference last month in San Francisco.
Andrew Jaquith of Yankee Group talked about the "professionalization of malware" and an actual "supply chain" that now exists from finding vulnerabilities through to delivering malware that exploits those vulnerabilities. "There's money to be made," he said, and "malware is a full-time job for people." Attacks are smaller, more targeted, and more geared toward financial gain for the attackers. Art Coviello, president of RSA, the Security Division of EMC, gave the example of an attack launched from the Philippines against a single credit union in Louisiana. He called this "puddle phishing" because of the small size of the target.
The panelists also said that attacks are increasingly using social engineering; for example, an attack might be designed for a particular company to look like a message coming from one or more employees inside that company. Jaquith noted that long term, security suites will be more behavioral and less reliant on signatures, but short term, companies have exposure in this area. Ray Wagner of Gartner agreed, saying, "There's a human factors issue here. Can we educate users enough? How do we signal them? You can have locks on the door, but users have to decide whether to open it or not."
Another human-related security issue for businesses is authenticating customers. George Tubin of TowerGroup mentioned that financial institutions are working to implement new authentication and fraud protection measures to comply with regulations that went into effect at the end of 2006. He noted that the Internet is very important for financial institutions because it promises a much cheaper and easier point of contact with customers—for example, for institutions to introduce new products and customers to manage their accounts. However, in the last year, financial institutions have had to communicate to users that they won't ask for personal info in email and they've quit putting links to their Web sites in messages. Clearly, the possibility of fraud has dealt a big blow to online banking and consumer confidence in it.
Companies are also focusing on their internal users and checking that user computers meet policy before admitting them to corporate networks. Jaquith mentioned "the rise of the suspicious business" and surveillance of employees as being a trend. He also spoke of the blending of consumer and enterprise equipment (as in people taking their personal laptops to work) as being a challenge for companies. Both Richard Palmer of Cisco Systems and Ben Fathi of Microsoft on the executive panel mentioned access control and policy enforcement as being a hot area for businesses right now—not too surprising given Cisco's Network Admission Control (NAC) and Microsoft's Network Access Protection (NAP) initiatives.
We all realize that data protection is another hot area, particularly with The TJX Companies data breach in the news right now. Jaquith likened the necessity of storing customers' personal information to asbestos or lead in its potential toxicity for businesses. I'm not sure there's an exact parallel here—customer data isn't a problem you can pay someone once to clean up—but I see his point, and it makes for a good quote.
The panel of security company executives, called "CEO Panel: A View from the Top," was actually a misnomer, as Coviello pointed out. A year ago, he was CEO of RSA and his fellow panelist, Tom Noonan, was CEO of Internet Security Systems (ISS). Now those companies are owned by EMC and IBM, respectively, and Noonan is general manager of IBM ISS. "There are no CEOs at this table," Coviello joked. He also said that EMC would be acquiring more security companies to broaden its portfolio and that security needed to be integrated into the IT infrastructure rather than being a standalone industry.
Others on the executive panel agreed that there would be more consolidation of security companies and that security integration was necessary and coming. Noonan also emphasized that companies are beginning to challenge the expense and complexity of security and consider security outsourcing and services as an alternative to trying to manage many disparate security products.