SAN FRANCISCO -- Dave Cullinane's chief of staff on the eBay security team is a nimble 25-year-old woman, one who at times can astound by simultaneously juggling her laptop and iPhone and pulling data from each device in perfect harmony, much to the joy of productivity mavens everywhere. For Cullinane, who isn't 25 anymore, to tell his Web 2.0-generation colleague that her favorite mobile or other consumer-oriented device isn't welcome inside the corporate walls because of security concerns would be a mistake.
"This is the fundamental way they're using the Internet," Cullinane said. "It's becoming apparent to us that's where eBay access is coming from. I have a whole bunch of stuff to do around [consumerization]."
Companies are probably more eager to leverage consumer tools, such as social media for marketing and customer outreach, but mobile applications are also big business drivers. Cullinane said an eight-month old eBay iPhone application has already generated $50 million in revenue. The mobile app was a no-brainer for eBay, especially after seeing a statistic that 48% of AT&T traffic comes from the iPhone. EBay responded with a simple application that customers loved, Cullinane said, adding that now he must up the ante around managing risks introduced by it.
"I need to sit with the folks at Apple and have discussions around the risks this presents; what is the new threat scenario, how to talk to the business to make maximum use of this technology, and how to build something secure enough to use in an efficient manner," he said.
For Stacey Halota, CISO of the Washington Post Company, social media and devices, such as the Kindle book and document reader, present similar risk profiles to her enterprise. The Washington Post Co. is more than the franchise newspaper; it consists of 12 decentralized major media businesses, several smaller ventures and a global workforce of 35,000. Not only does Halota have to deal with a new interactive way customers receive her product, but she has to contend with the need to market products over social networks -- all without a centralized data center. The key for her, and most enterprises in her situation, is gaining a high-level view of the company's business processes in order to best assess risk. She does so with an enterprise GRC tool, which maps information assets to business processes, giving her a dashboard view of assets and helping her prioritize response and remediation.
Halota said her company has migrated away from traditional methods of acceptable usage policies. "We found it useful to look at patterns of data," she said. "One of the things I look at to shape policies to make them useful and enforceable, is to look at how information is used by monitoring it with tools and doing user interviews."
Also in her arsenal is network behavior anomaly detection, which tells her how people are using data. The NBAD technology watches the data enter and leave the network, and feeds it into a dashboard view.
"We allow Facebook and other similar technologies. This gives me another baseline of what's normal here, and we get alerts if something is not normal. If something is not patched or getting antivirus signatures, NBAD gives you a window as to why."
Monitoring tools such as NBAD help security organizations enforce policies, which are the building block controls for any new business initiative, such as the enablement of consumer technologies in the enterprise. The State Department isn't immune to the craving for social media and consumer tools. Being a stodgy government agency, a strict policy is the first building block to ward off risks introduced over the Web and even via USB drives used by diplomats, for example, exchanging data overseas with colleagues or counterparts.
Lukas said he's keeping these risks in check by leveraging the agency's cybercrime analysis and intelligence capabilities to examine the full scope of threats to the State Department, and melding those with a technical analysis team well versed in malware, reverse engineering and packet analysis. Finally, Lukas said his Red Cell team of penetration testers conducts full-scope tests against State Department systems and networks.
"How do we do risk management? The state department set up continuous monitoring for vulnerabilities, compliance and configuration issues," Lukas explained. "The analysis gives us a score for our presence at 280 posts worldwide. If Paris gets a B, and Berlin a C, they immediately know where to tune according to the risks we see. If we see USB keys used for exploits and systems vulnerable to exploits, we tune the scores up or down based on what we're seeing. With Facebook, we take those users and create a special category in threat scoring; if we have 50 people authorized for diplomacy creation, we can increase the risk score for their machines. If a decision maker sees a vulnerable system, it rises up and we take mitigation action."
In the end, the introduction of consumer-based products into the enterprise isn't much different than any other application that improves productivity and efficiency; those too are often rushed to market without security in mind.
"The challenge is balancing the needs of the business against security," Halota said. "You need to get your hands around the risk."