cybersecurity risk management

The Perimeter Is Dead: Security Without Boundaries

Cloud computing, mobility, and the Internet of Things (IoT) have dramatically changed business. These technologies have introduced a level of innovation and disruption that would have been unimaginable only a few years ago. However, there’s a downside to all of the connectivity: It has significantly ratcheted up cybersecurity risks. Said Paul Calatayud, chief security officer, Americas, for Palo Alto Networks: “The perimeter has disappeared. It’s no longer about protecting boundaries, it’s about protecting data.”

To be sure, many of the security methods and techniques that have been effective in the past are no longer helpful. This means that investments organizations have made in legacy cyber-security tools and technology now produce limited results–and inconsistent protection. “It’s a very different landscape. As the attack surface has grown, the number and severity of risks have multiplied,” stated Debbie Krupitzer, leader of Industry 4.0 for business and IT consulting firm Capgemini.

How can an organization maximize cybersecurity and improve data protection in a world where systems are so deeply intertwined and interconnected? Although there are no simple answers or cookie-cutter solutions, one thing is clear: “As perimeters change, organizations must approach data protection and risk entirely differently,” Calatayud said.

Beyond the firewall

The tools and technologies used to protect organizations from hacks and attacks weren’t designed for today’s challenging business and IT environments. Firewalls, intrusion-detection systems, malware protection, and simple whitelists and blacklists worked relatively well when organizations had few entry points for user access—and limited data to manage. However, data now streams in from sensors, phones, point of sale (POS) terminals, e-mail systems, and many other sources—with more to come. In addition, software now allows organizations to easily share data across partners and supply chains. “There’s simply no way to protect an enterprise using a traditional cybersecurity approach,” Calatayud explained.

Adding to the grief: Cybersecurity isn’t getting any simpler. Attacks now come from any and all directions—hackers, hacktivists, cybercriminals, nation states, insiders, and many more. It’s not unusual for intruders to lurk in systems for weeks or months before being detected. With stolen credentials, social engineering, or malware, they might grab data, steal money, or shut down systems. Accenture and Ponemon Institute’s 2017 Cost of Cybercrime Study found that the average annualized cost of cybersecurity is $11.7 million, and the price tag is rising by 22.7 percent per year. Meanwhile, breaches are growing at an annual rate of 27.4 percent.

The bottom line is that it is no longer practical to rely on an approach based on physical objects and systems–and matching code signatures with activities and events. Even so-called ” defense-in-depth ” and “multilayered” security aren’t equipped to deal with today’s sophisticated attack methods. The growing frequency and scale of attacks along with today’s connected environment are forcing organizations to rethink everything from network configuration to the methods used to detect attacks and prevent breaches.

Secure horizons

Given all that, adapting to a world where there are no perimeters is paramount. According to research from Gartner, enterprises and governments will fail to protect 75 percent of sensitive data by 2020. Meanwhile, the Accenture/Ponemon Institute study found that the average time to resolve a malicious insider attack has reached 50 days, while the time to resolve a ransomware attack is up to 23 days. The upshot? “Organizations that don’t reevaluate their cybersecurity program are at risk,” Calatayud says.

Here are a few ways to address the challenge:

  • Adopt a data-centric approach. Organizations must shift their cybersecurity focus from systems to data. After all, it’s the data that has value—though not all data has equal value. This translates into a need for strong data governance, tools to tackle data discovery and classification, and appropriate methods to store and protect data. This also determines which security tools to use. Key areas include authentication, network architecture, and design and encryption. “When you know what data is valuable and what it’s worth, you can design controls and protections accordingly,” Krupitzer said.
  • Improve authentication. One of the simplest but most effective ways to combat cyber-crime is to use multifactor authentication—and adapt it to fit the circumstances. In some cases, a simple login could suffice, but “an organization might require three or four layers of authentication or approvals for certain actions or transactions,” Krupitzer explained. These could include text codes, rolling codes, biometric methods, and in-person and multi-person approvals for large financial transactions. “Slowing things down a bit is preferable to losing millions of dollars,” she added.
  • Use more advanced security techniques. Several emerging technologies offer promise for swatting down intruders and thieves. These include user and network behavioral analysis, multifactor biometric authentication, blockchain, and machine learning methods. “You have to look for ways to automate activities and tasks,” explained Paul Hill, a senior consultant at SystemExperts Corp., an independent security consulting firm. “You can’t shut down a set of IP addresses every time an attack occurs without interfering with the business.”
  • Promote education and training. A huge number of breaches occur because employees fail to spot social engineering attacks. They click on links, compromise their credentials, and infect a system. In addition, many employees don’t understand what constitutes secure data-handling methods for devices, files, cloud services, and USB sticks. Investments in training typically reduce risk. This includes awareness programs, notifying end users of policy violations and conducting drills—with fake but realistic looking emails—to identifying employees who are vulnerable to social engineering and providing a “teachable moment.”

Adopt a zero-trust approach. John Kindervag, Field CTO at Palo Alto Networks, pointed out that organization’s typically trust internal networks and mistrust external networks. Yet, in a zero-perimeter world, all networks represent risk. “We’ve injected this concept of trust into digital systems and it should have never been there,” he explained. A zero-trust environment, as the name implies, approaches security from the standpoint that anyone or anything could be a threat. This changes the focus to business outcomes, designing systems based on data value and protection requirements, better managing access, and inspecting and logging all traffic. “It’s about examining information about the device, its current state, and who is using it,” he concluded.