Many organizations, both large and small, can't seem to justify spending on expensive security projects. But Robert Bigman, current president of 2BSecure and former CISO of the CIA, explains that organizations operating under the assumption that security tools come with a hefty price tag have it all wrong.
Security architecture doesn't need to break the bank in order to prevent breaches and win the war against cybercriminals, Bigman said. In this video from the 2013 ISSA International Conference in Nashville, Tenn., Bigman discusses low-cost architecture tools and shares how to improve network security with minimal impact on performance and capability.
It's very difficult to convince a company to invest in security. Why might companies not need a lot of money for security?
Robert Bigman: What I do is help companies understand that if you really want to win the war against cybercriminals and the nation-state-sponsored cyberhackers, you do it through architecture. You don't do it by buying this product and that product, layering products on top of products and buying more products every year, then still wonder why people are getting in.
They're getting in, frankly, because the computer systems that everyone uses are merely Microsoft Windows or Cisco networking solutions, and are basically all full of holes. There's not a whole lot you can do by layering software on top of other software to maintain security.
The way to do it is by using architecture in such a way that you isolate your enterprise network and very, very sensitive data from the Internet. This makes it very difficult, if not impossible for the bad guys to get to it. It can be done with pennies on the dollar. It's very inexpensive, and it gives you a much higher degree of security than anything you can do by buying products.
Why aren't companies considering this less-expensive approach?
Bigman: The reason is because it's not easy. Companies have to change their culture, change the way users use the Internet, change the way their network works. A lot of people don't like to perturb the natural order of how people are working. People in information security business are loath to want to make themselves look bad by changing the architecture to improve security.
What I've seen in a couple companies I worked with is there's some initial resistance. In fact, there is a lot of initial resistance to changing the architecture of your corporate network. But it tends to follow the classic bell curve, and over time people accept it.
Basically, it doesn't take long for people to understand why you're doing it. People are very flexible. They get to learn new habits, learn how to use new systems, and over time it becomes a second nature. You've now improved the security of your network dramatically with very little cost, and with very little impact to the performance and ability of your network.
What free security tools should CISOs be considering or using?
Bigman: In addition to architecture, which is No. 1, you really have to spend your time looking at the open source market for shareware and freeware tools, and there are thousands of them out there. You want to look for ones that have a lot of experience, ones where people are actually using them. There are thousands of reviews and chat rooms and sessions where you can talk to people and find out, really, how CISOs or other people have used a lot of these tools.
The ones that save really big dollars are things like security information evaluation products. A lot of people buy HP ArcSight Security Intelligence, a very popular product for doing SIEM[security information and event management] collection, data collection and security audit analysis. There are tools out there right now you can download for free. An example would be AlienVault. It's not 100% feature-rich as ArcSight is and some of the others that you have to pay big dollars for, but it's about 70% to 80% of what you need.
If you're a medium or even if you're a large-sized company using tactical logging analysis of events that are occurring on your network, something like AlienVault is very, very useful and probably fits the bill. You can save yourself, given the size of your organization, anywhere from a million to a million-and-a-half dollars right there.
In addition to audit trail collection, there are shareware authentication tools that plug right into Windows, Unix and Linux that are as good as the commercial tools that you buy from RSA and some of the others, and provide a high degree of authentication security.
There are encryption products for those who want to encrypt data. Again, you could go out and buy any number of encryption tools, but if you're looking to conduct native data encryption of data and storage or data in transit, you can either use the native capability that comes with Windows -- which a lot of people don't use, but should -- or you can look at one of the shareware products. Freeware PGP[Pretty Good Privacy] is a good example for that, a tool that incorporates email security. For media encryption, last I checked, there are at least a dozen shareware encryption technology products.