Cyber Talk
With George Kurtz of McAfee

IT Security Source (ISS) spoke to one of the brightest minds in the computer security industry to discuss the latest issues affecting network and IT security professionals.

George Kurtz is the senior vice president of risk management at McAfee, Inc. He shared his views on the state of the computer security industry and his visions for the future.

ISS: What is the biggest security challenge facing information security managers today?
Kurtz: Being able to manage the complete risk management lifecycle, including: the creation of effective policies focusing scarce resources on managing critical assets, calculating acceptable risk threshold, proactively blocking attacks while remediation occurs, and using proven metrics to measure progress, regulatory requirements and best practices.

ISS: What are the greatest risks that companies face in protecting information assets?
Kurtz: Organizations face a deluge of information about threats and vulnerabilities -- the sheer volume of data makes it nearly impossible to determine which threats are critical and which are less relevant. Yet while every asset, vulnerability and threat competes for an administrator’s attention, they are not all equally important. Dealing with them in a haphazard, reactive way almost guarantees that the most critical security issues will not be given top priority. Successful risk management begins by identifying the most critical assets, the most urgent threats, and implementing cost-effective countermeasures to mitigate the risk.

ISS: What is the information security gap and why does it matter?
Kurtz: The security gap exists today because organizations face many security challenges, including threats that are evolving and more complex, threats that are targeting tangible assets, and there is less time to defend against worms and zero-day intrusions. The business realities they face are 1) security knowledge is limited; 2) resources are constrained; 3) regulatory compliance brings pressure; and 4) the need to improve IT employee efficiency.

Quite simply, the gap is growing at an alarming rate while resources -- financial and human -- are sharply decreasing.

ISS: How can an organization close the gap?
Kurtz: Organizations need to create a priority-based approach to risk management, to ensure that they are focused on protecting the most critical assets against the more severe threats and leveraging their limited resources. This would involve automating steps performed manually today, creating policies and measuring progress over time to document the ROI of the security/IT resources, and integrating with complementary technologies in which they have already invested.

ISS: Why is vulnerability assessment critical to an enterprise?
Kurtz: Vulnerability management, which includes assessment, is a critical component of the risk management lifecycle. It extends beyond merely assessing vulnerabilities and includes correlating the prioritization of assets with the threat criticality and understanding the severity of a vulnerability, the required steps to remediate the vulnerability, and the ability to assess the presence of proactive countermeasures -- like network and host intrusion prevention systems.

ISS: What are the top questions an organization should ask periodically?
Kurtz: Am I spending enough money to mitigate my security risks to an acceptable level? Where do I stand in security spending and overall security health versus best practices and my industry peers?

ISS: What are the critical steps that should be taken to reduce an organization’s risk?
Kurtz: 1) Implement effective and widely distributed security policies; 2) Have an accurate inventory of the technologies and applications that support your business; 3) Prioritize assets by business function and assign relative asset criticality values; 4) Understand the relevant threats your organization faces; 5) Quantify your risk – asset value times vulnerability impact times threat value equals risk; 6) Mitigate the risks by fixing the problem or implement blocking mechanisms to buy time during the remediation process; 7) Measure and report the results; and 8) Determine if you are in compliance with your policies.

ISS: Where does patch management fit into the vulnerability assessment scheme?
Kurtz: Patch management is an essential piece of a priority-based approach to risk management, but companies cannot rely on patching as the sole means with which they mitigate vulnerabilities. Companies need to have the ability to proactively block zero-day threats for which no patch exists, or to reduce the urgency of patch mitigation through intrusion prevention solutions. This does not mean that companies won’t deploy patches; rather, having intrusion prevention tools deployed means that they can deploy tested patches in a controlled fashion on the companies’ own time schedule.

© IMPIRE Communications, LLC All Rights Reserved.  Website designed & managed by Oculus Networks