Part 1 of this 2-part series can be found here.
The growing complexity of today’s networks and the growing sophistication of today’s threats has outpaced the ability of most traditional security devices to keep up. Until now, the approach of far too many IT teams has been to simply throw more money at the problem by adding yet another device into their security wiring closet. Billions have been spent on this approach every year for decades, and we really don’t have much to show for it. If cybersecurity is an arms race, the good guys aren’t winning.
Instead, security professionals can take a handful of simple, basic steps to better protect their networks.
First, it’s worth noting that 90 percent of all organization face attacks on application vulnerabilities that are at least three years old. 60 percent of these attacks target vulnerabilities that are ten years old. And they continue to be successful – so much so that we have seen cybercriminals switch development resources from new ways to break into networks to more sophisticated tools to use once they get inside. Because for many of these attackers, the assumption is that they are going to get in.
Part of the reason is that many organizations are reluctant to patch old vulnerabilities or replace outdated devices because they fear breaking critical services and processes they depend on. And in today’s digital economy, where data is money, being offline for even a short time can drive consumers to look elsewhere for the services they demand. And because networks are evolving so rapidly, many organizations have simply lost track of the devices in their network.
If a device is too critical to take offline, then network segmentation has to be in place so that if a device is compromised its impact is restricted to a small segment of the network. Next, redundancies need to be built so that traffic can flow around it while it is being updated. And automated inventory controls need to be in place to identify and list all of the exposed devices in your network. But the fact is that patching can no longer be ignored. You might as well put out a welcome mat and a digital arrow saying, “valuable data this way.”
Another problem is that not only do attacks often manage to hide inside networks for months before detonating, but the really good ones learn what normal behavior looks like in the network so that when they do detonate they are able to mimic network traffic in order to avoid detection. One of the keys to addressing this sort of sophistication moving forward is a marriage of threat intelligence and detection. Businesses need advanced threat intelligence – products like security information and event management (SIEM) tools that can collect and correlate traffic from a variety of devices collected from across the network to identify and deal with advanced threats. Even the best malware has to eventually either modify rules or extract large volumes of data. And that can be detected. It just sometimes requires aggregating and tracking threat intelligence to discover and investigate anomalies.
More and more, a critical component to a robust defense is automation. Cybercriminals are increasingly developing and deploying automated attacks in order to scale attacks more effectively and to reduce the amount of direct hand holding that many traditional attacks require. To effectively compete against this sort of strategy, we need to fight automation with automation.
Threats are evolving so quickly on the black hat side that the only way to combat them is through automated and intelligent defense layers that can quickly identify new and existing threats and then make decisions to mitigate them. I call this type of cybersecurity defense “actionable intelligence.” It requires deploying interconnected security solutions everywhere across your expanded network, including deep into the cloud, The goal is to create a security solution that is able to see and identify the stages of a threat and then make a decision on its own. Such an expert system is able to identify and block attacks at network speeds so that we don’t have to rely on humans, who often miss too much and respond far too slowly, to take action.
This may require rethinking – and even retooling – your security infrastructure. To start, devices need to be able to see each other and share threat intelligence. This means that isolated security devices and platforms will need to be replaced with tools that use common operating systems or management consoles, and that are built around open standards, so they can become an integral part of an integrated and intelligent security fabric.
This intelligence needs to be correlated and processed in order to detect highly distributed attacks that might otherwise go undetected. This requires combining traditional security tools such as firewalls, intrusion prevention systems, and secure gateways for email and web traffic with advanced threat prevention tools such as sandboxes in order to detect advanced and previously unseen threats.
Once a threat has been discovered, that intelligence needs to be converted into actionable rules and policies that can be automatically be distributed back across the network to drive a coordinated response. Firewall rules and IPS signatures need to be updated. Secure gateways and endpoint clients need to be hardened. Rogue and infected devices need to be identified, and network segmentation needs to dynamically isolate all compromised devices to stop the spread of infection. Forensic analysis needs to be launched to detect the point of compromise and seal that breach. And remediation needs to begin so that quarantined devices can be brought back online as soon as possible.
And all of this needs to happen automatically, everywhere and at the same time across the entire distributed network. This includes physical and virtual environments, distributed data centers, remote offices, IoT and mobile endpoint devices, and even deep into the multi-cloud, including everything from complex infrastructure solutions to simple cloud-based services.
Actionable intelligence combined with expert systems empowered with automated processes that enable autonomous decision-making is the future of cybersecurity. Organizations that adopt and transition to such an approach will thrive during our society’s digital transformation. The majority of those who don’t make these changes aren’t likely to survive. It’s really as simple as that.
Original article published in CSO and can be found here.