NATIONAL HARBOR, Md. -- A top Gartner Inc. analyst told attendees at the research firm's annual security confab that enterprises must focus more resources toward defending against botnets and must learn to detect botnets,
John Pescatore, vice president and distinguished analyst, speaking about the enterprise threat landscape Tuesday at the Gartner Security and Risk Management Summit, said rapid changes are taking place in the way IT organizations deliver services, largely via virtualization and cloud computing, and the way businesses consume them, which create infrastructure breakage points ripe for exploit.
"Ninety percent of attacks are exploiting vulnerabilities we already knew about, by missing patches, deciding not to patch, or uses of technology in which we made the decision to deploy without putting security controls on it," Pescatore said. "Less than 1% are zero-day attacks; the other 99% are exploited configurations and unpatched machines that the simplest vulnerability scan would've found."
And since attackers have had so much success using bots to take advantage of these vulnerabilities, Pescatore said that trend is likely to continue through 2012, when the ongoing cat-and-mouse game between attackers and enterprise defenders leads to the next threat delivery breakthrough.
With IT and security resources always at a premium, Pescatore said enterprises must prioritize their defensive efforts simply by asking themselves what an attacker would want to get from them; in most cases it's personally identifiable information (PII) in the form of credit card and Social Security numbers, or sensitive intellectual property.
That reality, Pescatore said, has been borne out in recent high-profile attacks. In the Operation Aurora attacks targeting Google Inc., Adobe Inc. and numerous other companies, digital miscreants used highly targeted attacks to try to compromise sensitive internal systems, such as Google's proprietary code-management system. He also noted a sharp rise in credit card and ID theft in smaller restaurants and even college dining halls, where it's all too easy to steal PII.
"The bottom line," Pescatore said, "is the attack surface for threats is going up. There are more moving parts in the way we're consuming and delivering IT. ... There's all the opportunity for a bot to take hold."
Attendee Nicholas Brigman, a director with Reston, Va.-based IT services firm CompuCom Systems Inc., agreed with Pescatore's assessment, noting that as a managed services provider it's an ongoing struggle to fight back against malware and botnets propagated by financially driven cybercriminals.
"Most organizations have made investments in technologies like IDS, IPS, SIEM and even antivirus," Brigman said. "None of these devices are triggering alerts, and yet these organizations are still getting compromised," which highlights how many enterprises haven't spent their security budgets wisely.
Separately, Pescatore advised attendees to make careful security decisions today about virtualization and cloud computing.
Specifically regarding virtual data centers, Pescatore referenced research from vice president and Gartner fellow Neil MacDonald, suggesting that the ease with which new virtual instances can be created will incite virtualization sprawl where older, established configuration and change management processes will be bypassed. In other words, new virtual systems may or may not be borne with proper patches, adhere to existing security policy or even run the applications and services they're supposed to be running.
He said three years from now, many organizations will also have adopted hybrid cloud services and virtualized portions of their data centers. However, these technology implementations will become top targets for attackers.
"And around 2013, that starts to look like what the use of the Web for ecommerce looked like five or six years ago, when that became the opening for attacks," Pescatore said. "The decisions you're making today on how to secure and tie together multiple data centers in a private cloud … those architecture and control decisions you make today will be key to survival when these breakages occur."
In response to the current and future threat landscape, Pescatore recommended enterprises consider three groups of technology-based defenses: Web security gateways, which offer threat detection and prevention from malicious websites; NAC and application-aware firewalls to help defend against the threats posed by social media and the consumerization of IT; and website security product and services that prevent botnets from compromising websites and using them to spread malware.