Enterprise security remains a balancing act

The sheer size and complexity of today’s largest enterprise businesses makes it nearly impossible for such organizations to keep up with the rate of change in IT security, requiring a top-down strategy that prioritizes risk and accepts the limitations of available technologies, according to a top executive at financial services giant Morgan Stanley.

Presenting to the assembled crowd at the ongoing Usenix Security Symposium in Boston on Thursday, Jerry Brady, global head of IT security at Morgan Stanley, painted a bleak picture of the situation faced by large enterprises in trying to balance defense of their computing systems with keeping operations up and running to support business activities.

From the challenge of finding software developers who understand the security implications of their work to studying the geopolitical forces at play in all of the corners of the world in which Morgan Stanley does business, Brady said that his company’s efforts to lock down IT systems are almost constantly in flux.

Only through the adoption of high-level policies and controls aimed at fostering flexible security practices across the organization and via more aggressive sharing of information about threats with other businesses — and law enforcement agencies — can large companies effectively improve their protection and continue to do business as usual, he said.

Keeping up with all the product security patches issued by mainstream IT providers and adopting all the latest systems defense technologies are impractical tactics for companies like Morgan Stanley, which employs roughly 70,000 people worldwide and controls roughly 100,000 different computing devices, Brady said.

Establishing a strategy that involves near constant refining of security policies, includes heavy amounts of research into emerging threats, and is built around assessment of how any IT work might impact business operations is the key to balancing the entire equation, he said.

At the end of the day, the notion of making an enterprise completely secure from attack is impossible to achieve based on the scale and diversity of the systems employed by such companies and the multitude of threats they are dealing with, according to the executive.

“Depending on the theater of operation or part of the company you’re looking at, you will find incredible degrees of variety in terms of the security that’s being required,” said Brady. “We try to pull this together into something that works by using a policy-driven, versus technology-driven, approach that establishes security controls that people can localize.”

Adding another degree of complexity to the issue is the near constant rate of mergers and acquisitions carried out by companies like Morgan Stanley with each individual firm bringing their own specific IT footprint into the larger picture, including whatever technologies they have chosen to use, said the executive.

The notion of patching every Windows system in the company after Microsoft issues its monthly Patch Tuesday security bulletins is impractical for reasons related to asset logistics as well as the need to keep IT systems up and running to support Morgan Stanley’s internal users, partners, and customers, he said.

“All of these factors are what turns this into a centralized risk management process where we also look at the area of the world and specific operational risk in making decisions about managing security,” Brady said. “Issues of uptime make it so that we don’t have realistic windows for patch management; it’s unlikely that we’re ever going to get a window to manage security like the manufacturers thought we were.”

Local solutions for global businesses

All of the various data privacy regulations that the financial services firm faces around the globe are yet another reason why the company has to create broad security policies that can be tailored for local environments.

While many countries have national policies for protecting customer or financial data, for instance, the United States has decided to let each state handle the issue on their own for now, making it even more important to take a top-down process-driven approach, Brady said.

In some cases, the company finds itself at odds with malicious efforts being carried out by the foreign governments themselves, particularly in the Far East, he said.

“Sometimes the threats are coming form the governments themselves in different parts of the world, whereas in North America, our retail organizations are dealing with specific types of attacks like pump-and-dump schemes,” said Brady. “As such, the controls need to be very different, but it all comes together in a model where we take into account information security, data security, regional risk, and physical security in one big picture that can be difficult to coordinate, but we try to do so through strong process and procedures.”

For instance, while the top security priority in one nation may be preventing sophisticated hackers from breaking into the company’s electronic trading systems to steal the unique algorithms used to maximize returns for its customers, in another location, the biggest fear might be attackers who might attempt to break into physical offices to steal hardware or sensitive records.

One of the biggest issues facing financial services companies today is the matter of protecting their internally-developed business applications, which for decades have been built with time-to-market issues considered first and security considered only after they go live, the executive admitted.

However, Morgan Stanley feels that the best way to address the problem is to aggressively re-train its developers and build secure coding processes into its software development lifecycle in a comprehensive manner — rather than investing heavily in all the code and applications security testing products that are currently being brought to market, he said.

Brady contends that one of the most effective weapons that enterprises have gained in the past few years that is helping to manage the overarching security issue is a greater sense of cooperation between businesses — particularly those in the financial services arena — as well as law enforcement agencies in sharing information about new attacks or adversaries.

Whereas only several years ago companies were reluctant to share details of what they were experiencing, businesses have learned that they can help themselves by aiding each other, the security expert said.

“The people who want to harm us drive a lot about how we think of security awareness. We do a lot of monitoring and threat intelligence to tell who our adversaries are today and who they will be tomorrow,” said Brady. “As such a large company, we can’t really make infrastructure adjustments quickly, so, we need to understand a lot about the people who want to hurt us and do long-term planning.”

“Understanding the underground requires a lot of work with law enforcement and our competitors, and historically this hasn’t worked out too well,” he said. “But over the last several years we’ve started sharing data in real-time, and if one of us gets attacked, the rest of us know the details quickly; this sort of an approach is so much more effective than one that is directed by the use of technology.”