One of the primary strategic failures of traditional security architectures is their reactive approach. Following the assembly-line model, security teams work to read data logs about events that happened to their network in the past. Since most of these teams operate in a siloed manner, these log files are routinely examined in isolation from other critical teams and thus lack important context that can be used to quickly detect and prevent an attack or data breach. Relying on a human in the middle of a network’s defenses is too slow to be effective against advanced, automated hacking tools and creative attackers.
A secondary strategic failure is a lack of attention toward proactive prevention. Organizations often don’t do enough to reduce their attack surface, allowing classes of applications that are unnecessary for their business and leaving doors open on their network by using port-based policies.
This essentially allows adversaries to distribute malware and steal intellectual property through basic applications into which they have little or no visibility. We must break away from the traditional approach to security that has proven ineffective at stopping advanced attacks time and time again.
Over the last several years in particular, there has been a dramatic evolution in both the attackers and the techniques they use. By many estimates cybercrime is now a nearly half-trillion-dollar industry, and like any industry, opportunity fuels more investment and innovation. The best way to get an industry to collapse in on itself is to take away that potential for profit. Therefore, we must make it so unbelievably hard for cyber criminals to achieve their objectives that their only option is to invest more and more resources to stage a successful attack, to the point that it becomes unprofitable. Here are three strategic imperatives:
Modern networks can be a rat’s nest of systems and users cobbled together from mergers, legacy architectures, and prior acquisitions. This confusion leaves many points of entry for attackers to slip in unnoticed and reside on your network for months or even years.
A critical step to preventing advanced cyberattacks is to know your network better than the attacker does. To do this you must work at simplifying your architecture down to manageable pieces that can be controlled, watched, and defended. A key step in reducing your attack surface is to allow only the network traffic and communications that are required to operate your business, by utilizing technology that understands the applications, users, and content transiting your network. It seems common sense that unknown traffic could also be hiding malicious activity, but often when organizations take a deep look at their traffic, they find high-risk applications that they had no idea were running on their network. Legacy approaches often only seek to block what is known to be bad, rather than allowing only what is known to be good. The latter approach, also known as ‘whitelisting’ (allow-listing), immediately reduces the scope of your security challenge by eliminating opportunities for malware to get into your network.
Another step to reducing your attack surface is to segment important components of your networks, such as data centers. As described earlier, advanced actors often seek to break into a less secure part of the network and then move laterally into more sensitive areas. By segmenting the most vital parts of a network from email or customer-facing systems, you will be building in firebreaks that can prevent the spread of a breach.
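The two points above (an application-aware allow-list instead of a port-based deny-list, and segmentation between zones as a firebreak) can be shown side by side with a small policy evaluator. This is an added example, not code from the original article or any vendor product; the zones, application labels, users and sample flows are all constructed for illustration, and the application label on each flow stands in for whatever a content-inspecting device would identify.

```python
# Added example, not code from the original article. A toy policy evaluator
# that contrasts the legacy port-based deny-list model with an application-aware
# allow-list applied between segmented zones. Every zone, application label,
# user and flow below is constructed for illustration.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Flow:
    src_zone: str   # segment the connection originates from (constructed)
    dst_zone: str   # segment it is headed to (constructed)
    dst_port: int
    app: str        # application identified from the traffic itself, not the port
    user: str


# Legacy model: a deny-list of ports deemed "bad"; everything else is permitted.
PORT_DENY_LIST: FrozenSet[int] = frozenset({23, 445, 3389})


def port_based_decision(flow: Flow) -> str:
    """Port-based policy: blocks only what is explicitly known to be bad."""
    return "deny" if flow.dst_port in PORT_DENY_LIST else "allow"


# Allow-list model: per zone pair, only the applications a business function
# needs. The absence of an entry (e.g. dmz -> datacenter over ssh) is the
# firebreak; unlisted traffic, including unidentified traffic, is denied.
APP_ALLOW_LIST: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("users", "internet"): frozenset({"web-browsing", "ssl", "dns"}),
    ("users", "datacenter"): frozenset({"ms-sql", "ldap"}),
    ("dmz", "datacenter"): frozenset({"ms-sql"}),
}


def app_based_decision(flow: Flow) -> str:
    """Application-aware allow-list: permits only what is known and required."""
    allowed = APP_ALLOW_LIST.get((flow.src_zone, flow.dst_zone), frozenset())
    return "allow" if flow.app in allowed else "deny"


def policy_gaps(flows: List[Flow]) -> List[Flow]:
    """Flows the port-based policy lets through but the allow-list stops.

    These are the 'high-risk applications nobody knew were running' that a
    deep look at real traffic tends to surface.
    """
    return [f for f in flows
            if port_based_decision(f) == "allow" and app_based_decision(f) == "deny"]


# Constructed sample traffic.
SAMPLE_FLOWS: List[Flow] = [
    Flow("users", "internet", 443, "ssl", "alice"),          # legitimate browsing
    Flow("users", "internet", 443, "unknown-tcp", "bob"),    # unidentified app riding on 443
    Flow("users", "datacenter", 3389, "ms-rdp", "carol"),    # blocked by both models
    Flow("dmz", "datacenter", 22, "ssh", "web-svc"),         # crosses the segmentation firebreak
    Flow("users", "datacenter", 1433, "ms-sql", "dave"),     # required business traffic
]


def compare_policies(flows: List[Flow]) -> List[Tuple[str, str, str]]:
    """(app, port-based decision, allow-list decision) for each flow."""
    return [(f.app, port_based_decision(f), app_based_decision(f)) for f in flows]


if __name__ == "__main__":
    for app, port_dec, app_dec in compare_policies(SAMPLE_FLOWS):
        print(f"{app:12s} port-based={port_dec:5s} allow-list={app_dec}")
    print("Gaps:", [f.app for f in policy_gaps(SAMPLE_FLOWS)])
```

Running it shows the difference the article describes: the unidentified application tunnelled over port 443 and the SSH session from the DMZ into the data center both pass the port-based policy but are denied by the allow-list, because neither is something the business has declared it needs between those zones.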
You also can’t neglect to secure the endpoint or individual user. This is the final battlefield. Originally, antivirus software contained signatures for malicious software and could, thus, catch most major infections from common threats because it knew what to look for. However, today’s attacks can include unknown malware or exploits that are essentially invisible to antivirus software. This has led to a massive decline in the effectiveness of traditional antivirus products and a rise in a new way of thinking about endpoint protection. Rather than looking for something that can’t be seen, you can reduce the endpoint attack surface by preventing the type of actions taken by exploits and malware. Stopping the type of malicious activity associated with an attack is much more effective than hunting for an attack that, by nature, is stealthy and hidden.
Finally, it seems simplistic, but as you make investments to re-architect your network and reduce your attack surface, you have to use all those investments to their fullest. Purchasing next-generation technology is useless if you don’t turn it on and configure it properly. Establishing a process for staying up to date on your security investments is one of the most critical habits to form.
2. Technology: integrate and automate controls to disrupt the cyberattack life cycle.
Don’t use yesterday’s technology to address today’s and tomorrow’s security challenges. Legacy security approaches offer individual products to be bolted on as single-feature solutions. This leaves gaps that new methods of attack can slip through, leaving your organization at risk. However, by using an integrated cybersecurity platform that protects across your entire enterprise, your defenses can work together to identify and close gaps that an attacker would exploit. Communication is key to any strong defense. If your products can’t share information on what they are seeing, there is no chance to pick up clues that might aid in preventing an advanced attack.
The next step is automating prevention measures. Humans have proven time and again that we are the weakest link in security. Advanced actors are faster, more persistent, and stealthier than manual response efforts. It just takes one overlooked log file or one missed security alert to bring down an entire organization. However, if you have an integrated platform that communicates visibility across your defenses, it can also automatically act on new threats, preventing what is malicious and interrogating what is unknown.
Integration should also enable your organization’s agility and innovation. Business doesn’t stop at the elevator, as employees take laptops to work from home or use their personal mobile devices to access your corporate cloud on the road. As your data moves to enable your workforce, security should go with it. Choose a platform compatible with newer technologies such as mobile, cloud, and network virtualization.
3. People: participate in a community that shares cyberthreat information.
End users cannot be relied upon to identify every malicious URL or phishing attack. Organizations must educate their constituents about what they can do on their part to stop cyberattacks. However, beyond education, to protect against today’s truly advanced cyberthreats, we must utilize the global community to combine threat intelligence from a variety of sources to help ‘connect the dots.’ Real-time, global intelligence feeds help security teams keep pace with threat actors and easily identify new security events.
As attackers move from target to target, they leave digital fingerprints in the form of their tactics, techniques, and procedures. By analyzing this evidence and then sharing it, threat intelligence from other organizations can quickly inoculate you against new attacks as bad guys seek to move between organizations and even industries. Combined with an integrated platform that can act automatically on this intelligence, you can rapidly distribute warnings and make it impossible for attackers to strike twice. The network effect from vendors with large customer bases is extremely powerful, as it builds a security ecosystem that can organically respond to new threats.
Many organizations are even coming together to share threats as an entire sector. Recent policy from the U.S. Government has made it easier to collaborate and share cyberthreat information between companies and work together to identify and stop advanced cyber actors.
The most significant way to fill in all the gaps and truly protect an organization from advanced and targeted threats is to implement an integrated and extensible security platform that can prevent even the most challenging unknown threats across the entire attack life cycle. An IT architecture must remain secure while also providing business flexibility and enabling applications needed to run day-to-day operations. Stopping even the most advanced attacks is possible, but we have to begin with a prevention mindset.