Usage Vs Effectiveness Of Security Controls: Overcoming The Discord


In the past year alone, a growing number of cyber threats have ushered in a dangerous new era in IT security. Between Snowden’s NSA leaks, the 2013 Holiday Hack Attack and the recent Heartbleed bug, endpoint security has become a major concern for organisations everywhere.

However, while it certainly is top of mind, good intentions don’t always translate into action, as demonstrated in a recent study by Ponemon. Improving security is a goal that most organisations strive for, but many continue to struggle when it comes to developing effective strategies for endpoint protection.

Avecto compared the Ponemon research findings to the Australian Department of Defence’s (ADoD) Top 35 Mitigation Strategies report, which ranks security solutions based on their effectiveness. The ADoD study is based on real world attacks, including responding to serious cyber intrusions, vulnerability assessments and penetration testing for Australian government agencies.

The findings show a substantial difference between the strategies that IT departments believe to be effective and those which actually measure up in practice. The same recommendations are made by the UK Government, the SANS Institute and the Council on Cyber Security, to name just a few.

Effectiveness & Usage Are Detached

So what’s the disconnect here? It likely boils down to the organization’s security toolkit and which solutions IT is choosing to use, regardless of their effectiveness. For instance, when it comes to preventing cyber intrusions, the research shows that the mitigation control with the highest usage rate is antivirus (AV) software, with virtually all organizations (92% of them, at least) using it today.

But despite its widespread popularity, AV’s effectiveness is much less impressive. In fact, it was ranked as one of the least effective technology-based security controls, rated the 30th most effective strategy by the Australian Government. Yet for IT departments, it is still viewed as essential.

The Role Of The Deployment Process

The inconsistency between the effectiveness of a tool and its actual usage rate can be explained by the nature of its deployment process. Looking at which technologies IT professionals implement first, rather than deploying proactive, in-depth solutions, they appear to focus on reactive technologies (like AV) that are perceived to be much easier to implement, when in reality that is not the case. It may appear the most painless route to building an organization’s security architecture, but it is certainly not the most effective and doesn’t pay off in the long run.

This is a mindset that absolutely must change if the IT function is to have a fighting chance of effectively securing the endpoint. First-gen technology simply isn’t suitable for defending against next-gen attacks. This is not to say that any layers should be eliminated entirely; rather, they should not be used in isolation, and should instead be integrated into an approach that also comprises more proactive measures.

Why Admin Rights Require Proactive Control

Administrative rights are emerging as one of the biggest threats to IT security today, given that malware not only requires admin rights, but actually targets them to bury itself deep in systems, propagate to other machines and ultimately wreak havoc on an entire corporate network. The research shows that the provisioning of administrator rights is actually on the rise, giving employees more power than ever before and granting them unchecked control that could open the organisation up to significant vulnerabilities.

42% of organisations revealed that the number of staff with admin privileges increased from last year due to growing demand from employees, many of whom are tech-savvy Gen-Yers requiring more and more admin privileges as they integrate cloud and mobile applications into their workflows. This risk increases with the use of applications used for both social and commercial purposes. An example of this is Twitter’s TweetDeck tool, which recently experienced a security vulnerability that caused the service to be temporarily suspended.

Not only are admin rights increasingly being granted to users, they are not being tracked as closely as they should be, with almost a quarter of organisations unable to determine the number of users they have running with admin rights. While we know that removing admin rights can significantly reduce the attack surface of the endpoint, many organisations just don’t understand the full impact that this can have. A recent study of Microsoft’s Patch Tuesday bulletins in 2013 revealed that of the 147 vulnerabilities with a Critical rating, 92% could be mitigated by removing administrator rights.
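The first step towards closing the tracking gap described above is simply knowing who sits in the local Administrators group on each endpoint. The script below is an added example, not code from the original post or from Avecto; it uses the WinNT ADSI provider (which works on older Windows versions too) to enumerate local Administrators membership on a constructed list of hosts and flags any member that is not on an assumed, organisation-specific allow-list of expected accounts.

```powershell
# Added example: inventory local Administrators group membership and flag
# unexpected members. Host names and the allow-list below are constructed
# placeholders; replace them with your own inventory and approved accounts.
$Computers = @('WS-FINANCE-01', 'WS-HR-02', 'WS-DEV-03')

# Accounts that are expected to be local admins everywhere (assumption).
$ExpectedAdmins = @('Administrator', 'Domain Admins', 'Workstation Admins')

function Get-LocalAdminMembers {
    param([Parameter(Mandatory)][string]$ComputerName)

    # Bind to the local Administrators group via the WinNT provider.
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"

    # Invoke("Members") returns COM objects; pull Name and Class via reflection.
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $name  = $_.GetType().InvokeMember('Name',  'GetProperty', $null, $_, $null)
        $class = $_.GetType().InvokeMember('Class', 'GetProperty', $null, $_, $null)
        [pscustomobject]@{
            Computer = $ComputerName
            Member   = $name
            Type     = $class            # 'User' or 'Group'
            Expected = ($ExpectedAdmins -contains $name)
        }
    }
}

$results = foreach ($c in $Computers) {
    try {
        Get-LocalAdminMembers -ComputerName $c
    } catch {
        # Unreachable hosts are themselves a finding: you cannot count what you cannot query.
        Write-Warning "Could not query $c : $($_.Exception.Message)"
    }
}

# Summary: how many distinct accounts hold admin rights, and which are unexpected.
$distinct   = ($results | Select-Object -ExpandProperty Member -Unique).Count
$unexpected = $results | Where-Object { -not $_.Expected }

Write-Host "Distinct accounts with local admin rights across $($Computers.Count) hosts: $distinct"
$unexpected | Sort-Object Computer, Member | Format-Table Computer, Member, Type -AutoSize
```

Run it from an account with remote administrative read access; nested domain groups are reported by group name only, so resolve their membership in Active Directory to get a true headcount.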

So, Why Is Usage Slow To Pick Up?

Clearly, limiting admin rights on a corporate network has great potential for securing an organisation against vulnerabilities. It is rated within the top 5 strategies by the Council on Cyber Security and the ADoD. Yet, only 42% of companies have technology in place to minimise the number of users with admin rights.

Many would argue that locking down admin accounts has a negative impact on productivity, and it is certainly a valid concern, given that users require admin rights to perform even the simplest tasks on their systems. Figuring out how to limit admin rights without limiting productivity is likely what creates a sense of perceived difficulty and frustration with technology that limits admin privileges.

Overcoming The Discord

But there are solutions out there that can ease this tension by striking that elusive balance between security and productivity. Least privilege management is a proactive approach that ensures admin rights are limited to those necessary for the scope of users’ job roles. It is a policy-driven method that runs in the background as employees work, assigning privileges directly to applications instead of users and elevating them only when needed.

Proactive measures like limiting admin rights rank high on effectiveness, but their usage rates could definitely use a boost. As more organisations come to realise the benefits of an approach like least privilege management, and its potential to ease the deployment of these kinds of technologies, they can begin to overcome this disconnect between effectiveness and usage. Only when this is resolved can organisations confidently begin to build a sound and cohesive strategy for overall endpoint defence.

Andrew is Vice President Global Professional Services at Avecto, responsible for providing their strategic global direction for Pre/Post Sales, IT and Technical Support. His background in IT infrastructure is underpinned by a wealth of knowledge which encompasses the architecting of enterprise class solutions. Prior to joining Avecto, Andrew worked for a leading RFID systems integrator, where he held a number of senior roles including Head of Solutions Architecture and Consultancy Services. Andrew holds a BSc honours degree in Computer Science along with a number of industry recognized qualifications, including Microsoft MCSE, MCSA, MCP and ITIL certifications.