The security threats that we face today are complex and sophisticated and are designed to do real harm—stealing data, recruiting computers into botnets and committing fraud. Much of our business and personal lives relies on the use of computers, and internet access and electronic messaging systems are considered by many to be essential. But such systems are prime vectors of attack.
More organisations and individuals have installed some level of protection on their computing devices. Most have anti-virus; firewalls are commonplace; and most have some level of email security in place—whether this is administered in-house in an organisation or provided by a service provider such as an ISP that filters spam on behalf of its customers.
However, the use of web security tools is far from ubiquitous—yet the web is a prime delivery mechanism for malware and other exploits. According to press reports, it is estimated that one in five posts on popular social networking site Facebook is malicious, and the Internet Crime Complaint Center estimates that victims of internet-related crimes lost US$559 million in 2009, up 110% over the previous year.
However, it is not only those without web security controls that are putting themselves at risk. Rather, many of the controls that have been deployed for electronic communications are based on outdated technology that is not up to the job of protecting against the complex threats seen today.
Many such controls are based on the use of signatures that identify known viruses contained in messages, but this method only enables detection of existing malware. It provides no protection against zero-day threats, which may be nothing more than variants of existing malware yet can still evade signature detection. For example, more than 10,000 variants of the Koobface worm that affects social networking sites are being detected every month.
Given the nature and extent of the threats that we face today—as well as the cost of clearing up after a security incident has occurred, which, according to a survey undertaken during Infosec in London in April 2010, can amount to anywhere from £280,000 to £690,000 for a large organisation—it is time for all organisations to reassess the effectiveness of the security controls that they have in place. Those based on outdated technology should be retired, and any gaps in protection, such as web security, should be closed.
When assessing options, a prime candidate to consider is the use of cloud-based services, where the software needed is delivered as a service. The use of such services has many advantages over in-house deployments. The level of protection that can be provided is higher than that of many traditional security controls, as the service is provided by vendors whose tools are designed to be truly integrated, so that uniform protection can be provided against threats to email communications and web usage—helping to defend against the blended threats being seen today.
Most providers are also in a better position to defend their customers against new, previously unseen threats, as they maintain resources that constantly research traffic patterns and new threats at the place where those threats are emanating from—in the cloud.
They also deploy advanced detection techniques such as heuristics that look for behaviour patterns associated with malicious exploits so that countermeasures can be developed. Those countermeasures can then be pushed out to all customers simultaneously to provide protection against the latest threats before those threats can reach networks, with no action required on the part of the user to keep their protection up to date.
There are also cost benefits of using such services, including the lower and more predictable cost of subscribing to a service on a monthly basis versus the cost of purchasing software licences and the hardware needed to support the deployment, plus the cost of maintaining the system and keeping all devices up to date with the latest protection.
Lower capital expenditures are a bonus for any organisation, as many are operating with tight budgets. And because the service is outsourced to a service provider that manages it on behalf of the organisation, there is no need for the organisation to hire, train and retain resources for administering and managing the system itself. This makes the use of such services suited to and affordable for organisations of all sizes—from the smallest micro firm to a large, geographically distributed multinational.