Being responsible for vertical initiatives at Palo Alto Networks, a recent article in the San Francisco Chronicle caught my eye: Hackers break into networks of 3 big medical device makers.
The article is related to a breach that took place back in August 2013, and it sheds light on a new target for cybercriminals. What made the news at the time was that thousands of patient records were compromised, but the hackers’ underlying target was potentially the companies’ intellectual property.
Intellectual property is the crown jewel of many high-tech companies regardless of the type of products they develop. Most at risk of cyberattacks are the innovative companies pursuing disruptive technologies behind markets potentially worth billions of dollars.
These companies – and really, any companies safeguarding intellectual property – should focus on the following, especially during the R&D process.
- Protect your Intellectual Property throughout your R&D process and your supply chain: High-tech companies that create devices or equipment with embedded software often rely on outsourcing partners and facilities around the world to bring their products to life. All Internet gateways to your business partners should be carefully gated. Users, applications and content that can be exchanged between you and your business partners should be clearly defined while everything else should be blocked. This is the best approach to tightly enforce control.
- Treat applications and systems that support R&D as highly sensitive assets: Software development tools often carry with them specification documents, source code and other valuable assets. You should identify and document all development tools used by your R&D teams – source code versioning, issue tracking systems, repositories that store requirements and specifications and so on – as well as which ones are used to exchange data with partners and the format of the files exchanged.
We can help you achieve the above. With Palo Alto Networks, you can segment your network and define zones of different trust levels. It’s easy to define security policies that tightly control and allow or block traffic between the various zones based on applications, users and content.
For example, if you know that only five specific development tools should be used to support the exchange of product information between your team and your business partners, then block everything except those five applications. (Note that Palo Alto Networks already has App-IDs for most commonly used software development tools: IBM Clearquest, IBM Clearcase, Jira, Git, Subversion, Bugzilla, Perforce and so on.)
You can also limit the types of files exchanged to what you know is applicable to your business and therefore limit the circulation of files that might carry malware. Finally, you can combine the above application- and content- based controls with users, user profiles or user groups to enforce a more granular level of access where some users might have only read-only capabilities or only access to specific functions within the authorized applications.
Safeguarding your intellectual property is tricky business, but it doesn’t have to be.