A data-driven approach to security provides a more accurate picture of threats and exposures, so VARs know what protection is most effective and where to employ it.
By Erik Sherman
Cyber break-ins at large corporations may get public attention, but SMBs can also be targets. For example, the FBI identified 20 incidents between March 2010 and April 2011 in which small and midsize businesses found their banking credentials compromised and money wired to Chinese firms.
But instead of rushing to sell security products to their clients, channel professionals should try data-driven security to better design and tune protection. This approach uses the information that exists in an infrastructure “to build a more realistic, current, and accurate picture of both threats and exposures,” says Scott Crawford, managing research director for analyst firm Enterprise Management Associates. Data can tell channel pros what protection will be most effective and where to best employ it.
A data-centric analytical approach is important because companies often assume they know what their greatest security dangers are, even though they don’t. “We’ve had examples where a company was very concerned about external threats,” says Ken Hammond, director of North American channel sales for Columbia, Md.-based security software vendor Sourcefire Inc. And yet when a reseller runs an analytic report, the real problems are internal, like unauthorized USB drives. “There are things going on in the company that they weren’t aware of,” Hammond notes.
Data-driven security starts with a thorough risk analysis, says Jeff Laurinaitis, sales director at RKON Technologies in Chicago. “Most SMB customers don’t have a real robust IT staff or a lot of headcount, especially in security,” he says. As a result, they rarely undertake such an analysis and often blindly throw money at the problem. “If you don’t have visibility into the problem and you haven’t put together a comprehensive strategy, you can lock it down like Fort Knox, but at what cost?”
Instead, channel pros must try to understand what clients most need to protect. For one company, it may be marketing plans for a new product launch. Another might find a money-saving production process more important. Understanding the business drivers enables a real discussion between VAR and client about what it would take to achieve the company’s goals.
Security vendors often rely on fear to sell their products. A data-driven approach moves beyond the emotion and forces a rational analysis of what a company actually needs. One simplistic example is that a company with servers running Linux isn’t concerned with Windows-based attacks and so doesn’t need software that focuses on Microsoft software.
More important, data can illuminate patterns that provide vital insight. “That is the key element,” says Dr. Cedric Jeannot, founder and president of Waterloo, Ontario-based vendor I Think Security. “Security is so complex that you’re never going to [cover all the bases], because there are so many things you can take into account.” Data helps uncover the realistic weaknesses rather than theoretical ones.
Jeannot uses a three-tiered approach: Identify potential risks, price the consequences of the risk in financial terms to the company, and then use the infrastructure data to see how attacks occurred and how to protect the business in the future.
Details that might seem trivial can enable important deductions. For example, if a company does business in the United States, traffic from China should look suspicious. Rand Callahan, CEO of San Luis Obispo, Calif.-based IT services company Venture Tech Consulting, says access control lists can provide critical insight into who has access to information and whether someone accidentally opened resources to potential misuse from outsiders.
Even coarse metadata, such as whether given information should be public or restricted, can help add perspective. “Information classification matrixes enable us to classify data [as] public, internal, confidential, or restricted, so we know what needs to be encrypted or stored in a secure environment,” says Callahan.
By combining risk management and analysis with the data from the infrastructure, channel pros can help clients decide which resources are in greatest need of protection, the vulnerabilities they most likely face, and how to best structure a security solution.†
