Four Layers of Defense Against Cyber Intrusion

The insurance industry is continuing to leverage Web technologies to drive business in several ways:

  • Reach new markets through social media and price shopping applications
  • Enhance customer experiences through Web claims and multifunction mobile applications
  • Increase process efficiencies on backend systems allowing customers to input information updates, policy changes and more.

The speed of this new business technology is not without risk and is drawing the attention of cyber criminals. There is no need to repeat headlines reporting data breaches; the risks we all face are well known.  What is not well known is what to do about it.

As motivations for cyber intrusion move from “script kiddies” to organized crime, so have the targets moved further into our systems. Where once we protected networks, today we protect data. The key to getting to that data is primarily through the applications themselves. Application security still remains a tactical matter rather than a strategic concern. Studies have shown that 80 percent of Internet vulnerabilities are found in Web applications, and 49 percent of Web applications contain vulnerabilities of a high risk level—most of which are due to misconfigurations or programming errors.

There is a common misconception that having an updated firewall and anti-virus software is enough protection. Although a firewall will stop bad traffic from coming into the network, today’s threats are far more sophisticated and embed the attack so that it flows within the rules of the firewall. Much of today’s malware gets into a network through the front door on portable storage, such as a thumb drive, or when syncing a mobile device, thus circumventing the firewall. This malware will often “phone home” to connect back to a command and control server to attach itself to a botnet. Such traffic originates inside the network so the firewall allows it. Conversely, without a firewall, a network would literally be compromised in a matter of seconds, so they are required—but they’re not enough.

Today’s enterprise network is a target-rich environment and requires a layered approach. By layers we do not necessarily mean placing technology at various stages in the enterprise; rather we are referring to a four-layer strategic model. In this strategic “stack,” we start at the bottom and work our way up, with each layer providing the groundwork for the layer above. Likewise, higher layers depend on information from below.

  • Layer 4: Industry and Government
  • Layer 3: Intelligence
  • Layer 2: Integrated Security Overlay
  • Layer 1: Assured System Content

This strategy can be applied to protect the overall enterprise but these descriptions focus specifically on securing Web applications:

Layer 1: Assured System Content. This layer focuses on technology assets and the people who create them. The first step is building security into the development life cycle of application code by implementing standards and policies as well as regular testing throughout the cycle. This layer should ensure the content of applications through the proper training of developers, architects, product managers and even executives on integrating security within each specific role.

Layer 2: Integrated Security Overlay. Web application firewalls and monitoring databases for transactions not within normal operating margins are a few of the activities at this layer. Scanning agents can continually look for anomalies to report to a control center where administrators can take evasive actions. This layer relies on Layer 1 in that the applications have been built properly, providing confidence in the definition of “normal.”

Layer 3: Intelligence. An advanced persistent threat (APT) is a multivector attack, which requires defenses that are not autonomous and isolated. Such a threat will simultaneously challenge many levels of Layer 2 systems, which are continuously gathering information about the domain of protection. All of the information from these devices must be aggregated into one location to create a source of actionable intelligence. Such intelligence can detect and defeat a multifactor attack.

Layer 4: Industry and Government. Attacks are often larger than a single enterprise and can span an entire industry. Adversaries are aligning against us; therefore, we must align ourselves to share what we know. Information from Layer 3 must be shared. Many insurance companies are part of the Financial Services Information Sharing and Analysis Center (fsisac.com) and InfraGard. These organizations provide a means to share anonymous yet actionable intelligence with law enforcement, federal agencies and even competitors for the purpose of pattern matching and early warning. Knowing about a threat before it affects enterprises is the best defense.

Implementing security strategy does not have to be expensive. Studies have shown that “breach avoidance” is actually not the primary financial benefit. Organizations that follow strategies such as the security stack can save money by more efficient processes, reduced time to market for applications and reduced compliance and remediation costs.

About the Author

Bryant G. Tow

Bryant G. Tow, chief security officer, Financial Services Group, CSC, has more than 20 years of experience in the IT industry, both as an entrepreneur and corporate executive. He has published several books and articles on cyber security topics and currently serves as the vice president for InfraGard National Members Alliance, an FBI public/private alliance program with more than 45,000 members.



 
