August 13, 2008, 8:08 PM — This Best Practice is part of a collection of advice provided by information technology professionals on how they have solved various challenges, and addressed IT priorities within their organizations.
Company: FN Manufacturing
Makers of M16 assault rifles, FN Manufacturing still faced a common IT challenge: managing laptops. Employees frequently travel for work, and they take along laptops containing sensitive data. As more and more employees rely on laptops as their main workplace computer, volumes of information that used to remain in the office are increasingly put at risk.
As with many security problems, laptops pose the dilemma of balancing productivity and risk. Of course, traveling employees are far more productive if they have workplace applications and information at their disposal. However, what is good for productivity is often bad for security. Laptops that travel are exposed to more risks. They get left behind in taxis, airplane cabins, restaurants and coffee shops, and every now and again they are exposed to hackers when they connect to poorly secured public networks. Another emerging risk is that of the targeted attack. More and more phishing attacks focus on specific individuals and companies, rather than simply casting a wide net and seeing what turns up.
It is critical for traveling laptops to have the same level of security as PCs within the workplace; otherwise the data on those laptops is at risk. According to the U.S. Commerce Department, intellectual property theft costs U.S. business about $250 billion each year, while also slashing nearly 750,000 jobs from the U.S. economy.
FN Manufacturing, LLC, knew that it needed to address this problem. The company is a precision machining manufacturer specializing in the production of small firearms. Located in Columbia, SC, the company supplies arms to the U.S. military and law enforcement.
At first glance, FN Manufacturing doesn't seem to be a prime candidate for a new class of data security. After all, they don't have large consumer databases, such as those common at healthcare, financial, and retail organizations, and while any military information can be considered sensitive, the weapons they supply are fairly standard.
However, in the manufacturing sector, as in much of the twenty-first century U.S. economy, information is the lifeblood of the business, and a data breach could bring serious trouble.
"There is a lot of sensitive data on our laptops," said Olivier Vanderstraeten, FN Manufacturing's network security systems manager. "Besides the employees' own personal information, there are often product drawings and schematics. These are highly confidential."
Oftentimes, it may not even be the design of the product that is sensitive, but the way it is made. The machining process itself could be confidential, and in an industry that relies so completely on a single customer, the U.S. military, even slight incremental advantages are critical. Losing information to a competitor, who could then outflank and perhaps under-bid you, could be a disaster.
Another highly sensitive type of information is customer information. This isn't the privacy-related information involved in most breaches, but the kind of customer data critical to ongoing supplier-buyer relationships. Contract specifics, contact lists, deal terms, and even the due dates for contracts are all details best kept in-house.
Initially, FN Manufacturing responded to the problem with personal firewalls. These do a reasonable job of protecting against inbound threats, but they have limitations. For starters, losing sensitive information is often an outbound issue: if someone is intercepting packets as they travel over a poorly secured wireless network, the personal firewall is none the wiser.
Next, there are configuration and compatibility issues. With Windows machines and the accompanying Windows firewall, issues often arise. When Windows updates, it occasionally turns the Windows firewall back on, which can then conflict with third-party firewalls. In-house, this isn't a huge problem, because IT takes care of it; users on the road, however, can be left unprotected without knowing it.
This compatibility problem foreshadows an even bigger issue: remote manageability. FN Manufacturing had to install these traditional personal firewalls on a machine-by-machine basis. Afterwards, patching and updating the machines was itself a labor-intensive process.
Yet, an even larger problem occurred when the machines re-entered the corporate network.
"In the past, our security system didn't verify laptops as they re-entered the corporate network," Vanderstraeten said. With 60+ laptops coming in and out of FN Manufacturing, this was no small problem. "We had to hope that the antivirus and firewall weren't disabled and were doing their jobs."
Solution: SkyRecon Systems' StormShield Security Suite
FN Manufacturing began researching better security options. Having realized that anti-virus and personal firewalls alone are not enough to protect mobile workers while they are traveling, the company considered various vendors, including Cisco, before selecting StormShield from SkyRecon Systems.
StormShield offers integrated system and data protection in a single product. Relying on behaviors rather than signatures or heuristics, approaches that are becoming more and more vulnerable to exploits, StormShield protects data where it is most at risk: on the endpoints. StormShield provides integrated device control, data encryption, application control, host-based intrusion prevention (HIPS), system firewall, wireless security, and Network Access Control (NAC). Its client-side agent also provides zero-day protection without the need for signature or rule updates, all using only a few megabytes of memory, a fraction of the size of competing products in the market.
"Now, we're not so worried about where those laptops go and what they do when they're away from the office," Vanderstraeten said. "StormShield gives us the ability to set dynamic policies, such as prohibiting connections to ad-hoc networks, so we know we can trust that users are protected where they are most vulnerable: outside of our corporate network."
Once the mobile laptops return to the office, FN Manufacturing can use StormShield's integrated network access control capabilities to enforce yet another set of policies. "If antivirus is disabled, for instance, we have a lockout policy," he said. "Users can't connect to the corporate network until IT vets that machine and makes sure it is safe."
StormShield Provides Visibility into Remote Behaviors
StormShield also sheds light on what happens when employees travel. Before, if the AV was disabled or if information was lost, no one would necessarily know what happened, or even whether something had happened. Now, everything is logged and reported. "If something happens when employees travel, we know," Vanderstraeten said. "And we know exactly what happened, be it a misconfiguration, a problem with a USB key, or even a false alarm."
Another advantage of StormShield is centralization. Before, Vanderstraeten and his IT staff had to spend time on each and every laptop, installing firewalls and setting up policies.
"Now, this is all done centrally over the Internet," Vanderstraeten said. "It's streamlined. StormShield also serves as a policy generator. For instance, if we need to open a communications port for a new application, we do it through StormShield. Before, we had to go to every laptop to change the policy. We can also monitor the status of the endpoints centrally to see, for instance, which laptop needs a critical update."
In addition to being able to centrally manage policies, StormShield gives FN Manufacturing the ability to implement multiple policies. In a manual, laptop-by-laptop setting, flexible policies just aren't feasible, and IT had to establish broad umbrella policies. "With StormShield, we can change policies based on user groups or context. We can have one policy for when they are in the office and another for when they are on the road," Vanderstraeten said, "and StormShield manages it all. Once we set the policies, everything is taken care of."
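The location-dependent policies and the NAC lockout described above (ad-hoc wireless prohibited on the road, antivirus disabled meaning no corporate network access until IT vets the machine, one policy set in the office and another outside it) can be sketched as a small posture-to-decision engine. The following is an added illustration written for this page, not StormShield's or FN Manufacturing's code; the posture fields, the access levels, the sample host names and the log format are all assumptions chosen for the example.

```python
"""Context-aware endpoint policy evaluation (constructed illustration).

The location selects a policy set; the endpoint's posture (antivirus, host
firewall, wireless mode, VPN) decides what network access it is granted and
produces one central audit line per decision.
"""
from dataclasses import dataclass
from enum import Enum


class Location(Enum):
    CORPORATE = "corporate"   # on the office network
    REMOTE = "remote"         # on the road: hotel, airport, coffee shop


class Access(Enum):
    FULL = "full"              # normal access to corporate resources
    QUARANTINE = "quarantine"  # remediation segment only, until IT vets the machine
    LOCAL_ONLY = "local_only"  # internet allowed, corporate resources withheld
    BLOCK = "block"            # the agent refuses the connection entirely


@dataclass(frozen=True)
class Posture:
    location: Location
    antivirus_running: bool
    host_firewall_running: bool
    wifi_mode: str             # "infrastructure", "ad-hoc" or "none" (assumed values)
    vpn_connected: bool


@dataclass(frozen=True)
class Decision:
    access: Access
    reasons: tuple


def health_failures(posture):
    """Baseline checks that apply in every location (assumed minimum set)."""
    failures = []
    if not posture.antivirus_running:
        failures.append("antivirus disabled")
    if not posture.host_firewall_running:
        failures.append("host firewall disabled")
    return failures


def evaluate(posture):
    """Select the policy set for the endpoint's location and apply it."""
    failures = health_failures(posture)
    if posture.location is Location.CORPORATE:
        # Office policy: an unhealthy laptop is locked out of the production
        # network until IT has vetted it (the NAC lockout in the text).
        if failures:
            return Decision(Access.QUARANTINE, tuple(failures))
        return Decision(Access.FULL, ())
    # Road policy: ad-hoc wireless is prohibited outright, an unhealthy machine
    # may not connect, and corporate resources are reachable only over VPN.
    if posture.wifi_mode == "ad-hoc":
        return Decision(Access.BLOCK,
                        ("ad-hoc wireless prohibited off-site",) + tuple(failures))
    if failures:
        return Decision(Access.BLOCK, tuple(failures))
    if not posture.vpn_connected:
        return Decision(Access.LOCAL_ONLY, ("no VPN: corporate resources withheld",))
    return Decision(Access.FULL, ())


def audit_line(host, posture, decision):
    """One central log line per evaluation so IT can see what happened remotely."""
    reasons = "; ".join(decision.reasons) or "-"
    return (f"host={host} location={posture.location.value} "
            f"access={decision.access.value} reasons=\"{reasons}\"")


if __name__ == "__main__":
    # Constructed sample postures for three hypothetical laptops.
    samples = {
        "lt-01": Posture(Location.CORPORATE, False, True, "none", False),
        "lt-02": Posture(Location.REMOTE, True, True, "ad-hoc", False),
        "lt-03": Posture(Location.REMOTE, True, True, "infrastructure", True),
    }
    for host, posture in samples.items():
        print(audit_line(host, posture, evaluate(posture)))
```

The point of splitting `health_failures` from `evaluate` is that the baseline checks are the same everywhere, while only the consequence differs by location: in the office an unhealthy machine lands in quarantine for IT to look at, on the road it is simply not allowed to connect. Every decision, including a clean one, produces an audit line, which is what makes a false alarm distinguishable from a real incident after the fact.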
Rules for success:
- Understanding what is important to protect, and where it is at risk of compromise, is fundamental to determining how and where to apply the appropriate security measures. Start with an implementation plan that reduces threats and losses without introducing operational inefficiencies; in other words, don't bite off more than you can chew. As each phase of the project succeeds, further phases can be implemented and new ones defined.
- Communication and education are also key components of a successful endpoint security project such as this. Upward communication with the management team sets expectations of what can and will be done, as well as what risk they can expect to remain until the next phase of the project is implemented. Similarly, downward communication with end users about what they can expect in terms of system usage, data management, and device control is critical to ensure a smooth transition into an operational and secure working environment.
Five classic mistakes:
The main mistake a number of organizations make in selecting endpoint security technologies is that they look for offerings that tick the checkbox, as opposed to actually minimizing their risk level and/or improving their operational efficiency. The five prime examples are:
- Selecting whole-disk encryption as opposed to file-based encryption. Whole-disk encryption provides the checkbox for the audit, but does not provide the in-depth security and operational efficiency benefits found with file-based encryption.
- Reliance on signature-based anti-malware and intrusion-prevention technologies. Behavior-based solutions that don't require signatures or updates provide better security against unknown and zero-day attacks while reducing the operational inefficiency of panic-patching.
- Opting not to implement access control solutions, i.e. network access control (NAC) solutions, because they are too complex and costly. Avoidance here, however, is far worse than finding a solution that may in fact not match their initial perception of network access control in terms of how it works and what is required to make it work.
- Somewhat a subset of the access control mistake, but worth calling out separately, is the failure to invest in actively managing wireless security. There are solutions available that can help organizations control which wireless security protocols are approved, who can use them and from which systems, and whether or not a VPN connection is required when they are used. These simple yet powerful wireless security options can dramatically improve an organization's security posture with very little effort on the part of its IT and security staff.
- Selecting multiple vendors over time, or opting for separate vendors to solve individual problems. The challenge here is consolidation. Data protection issues are tied to client security issues, which are tied to access control issues, which are tied to compliance issues, which are tied to client management issues, which are tied to IT operations issues. Trying to get a handle on each category separately delivers a false sense of security and control at best, while in actuality leaving the organization at risk of downtime, compromise, and loss, oftentimes without even knowing it or knowing where to turn.
Best practice checklist:
- Perform a risk-based, phased project implementation: deploy the layers of protection that you need over time
- Select a vendor and solution that supports a phased project deployment and licensing
- Use internal communications and end-user education to set proper expectations
- Understand how IT operations and security operations can collaborate to ensure secure business transactions
- Understand that business will change, environments will change, and the threat/compliance landscape will change
Three must-ask questions:
- Can I centrally manage a single endpoint security and control policy based on the location, health, and state of the system and the user logged in to the system? Can I enforce the policy and easily remediate the endpoints as part of an integrated access control program?
- Does the endpoint security solution have a single lightweight agent that provides proactive, behavioral-based system protection, data loss prevention, access control and remediation, and the ability to provide proof of internally and externally-driven compliance?
- Does the vendor's solution allow me to deploy what I can now and easily turn on new services over time as my organization changes?
This Best Practice was provided by SkyRecon Systems.
The ideas expressed in this article are solely those of the vendor and its client, and do not necessarily reflect the opinions of ITworld.com.