Recent reports of large data breaches are alarming for everyone. Customers worry about the implications of having their financial and personal information hijacked. The organizations that were compromised worry about both the near-term and the long-term effects on their business. And other organizations worry if they will be next. Two things are certain, though. The cost of a data breach is going to be really expensive, and it’s not going to be the last time it happens.
The big question everyone is asking is, what do I do about this?
For consumers, if you have shopped at any of the retailers affected, either online or in person, the first thing to do, right now, is to call your bank or card issuer and replace your credit cards. This will be a pain if you have your card tied to automatic payments of other things. You need to do it anyway. The next thing to do is to go online and change your password. If you use the same password for lots of different accounts, change those, too. And finally, begin monitoring your information at the major credit reporting agencies and immediately report anything that doesn’t look right. You can find more details on how to respond to data theft here.
In addition to those people that were individually affected, the question being asked in board rooms across the country today is what can organizations do - right now - to make sure this doesn’t happen to them?
Many existing security solutions do not adequately protect new, digital networks. To ensure you are able to protect your organization, you need to establish a network and security baseline that you can work from. This includes three key elements:
A thorough risk assessment helps ensure you are focused on protecting and monitoring what’s critical to your business. For many reasons, today’s complex networks mean you may not be able to protect and monitor everything. Instead, you will need to focus your efforts on those risks that have the greatest impact to your business by constantly aligning security initiatives to business objectives.
Network architectures and designs usually start out sound, but over time the network grows in size and complexity, making security solutions either less effective or more complex to operate. Either way, you often end up with network blind spots, limited asset protection that does not meet your security requirements, or worse, unprotected assets. To fully understand your strengths and weaknesses, it’s important to identify those gaps and apply visibility and control to them.
You also need to assess the available attack paths to your critical data, including chaining vulnerabilities. This may help you prioritize which vulnerabilities to address first. There are a variety of frameworks available to guide you, such as ISO, CIS Critical Security Controls (SANS Top 20), and the NIST Cyber Security Framework.
Networks are growing rapidly and increasingly span a variety of ecosystems, from virtualized data centers to multi-cloud environments. Combined with the growing number of endpoint devices attached to the network and the explosion in IoT devices, establishing and maintaining an accurate inventory of devices can be challenging. Complex environments also don’t always provide clear centralized visibility into their constantly shifting infrastructure.
Given the ongoing volume of successful data breaches, this isn’t optional. You may need to invest in tools that see across your network to identify devices, operating systems, and patch levels. In a large environment, you also need to tie this information to good threat intelligence so you can see and prioritize your highest risks.
Once you have your baseline visibility and control strategy in place, you need to deploy solutions and strategies that can actively protect your critical data and resources from theft and compromise. Here are seven critical strategies every organization needs to consider:
We have been watching attacks successfully target vulnerabilities for which patches were readily available for the past couple of years. While new attacks are a real risk, most breaches are actually caused by attacks that have been around for weeks, months, or sometimes even years. In fact, the vast majority of attacks target vulnerabilities for which a patch has been available for at least three years, with some as much as ten years old.
It is imperative that every organization begins patching every inventoried device immediately, followed by establishing a formal patching and updating protocol. Next, after ensuring that the devices you control are patched, you need to make sure that those devices that you don’t control are properly segmented, quarantined, or denied access. You also need to identify and either replace or remove those systems that can’t be patched or protected. And ideally, this entire process needs to be automated, tracked, and measured.
Advanced threat intelligence enables organizations to shrink the time to detect threats and close the gap between detection and response. This starts by leveraging the threat intelligence already being gathered across your network, which also requires security tools designed to share and correlate information and take coordinated action.
Local intelligence alone isn’t enough. You also need threat feeds that keep you up to date with the latest threat trends and exploits being detected across the globe. Converting this data into actionable intelligence that can be cross-correlated with your local intelligence and infrastructure may require security information and event management (SIEM) and web application firewall (WAF) technologies that can consume data, convert it into actionable policies, and even automatically apply it to protecting your network.
Of course, distributed, highly elastic networks are constantly in flux. SIEM tools allow you to aggregate data from across your network, tie it to local and global threat intelligence feeds, and then provide instant details such as indicators of compromise and security policy violations.
Because most vulnerabilities being exploited are known, attacks targeting those vulnerabilities can be detected using signatures. Signature-based detection tools allow you to quickly look for and block any attempted infiltration, or the execution of an exploit targeting known vulnerabilities.
Signature-based tools are also effective in complex environments, such as zero-patch network segments where organizations are increasingly deploying IoT and other interconnected devices that cannot be updated, even though such devices have been shown to be highly vulnerable to attack.
Not all threats have a recognizable signature. Sophisticated attacks can circumvent protections and evade detection, which means you also need advanced threat protection tools like sandboxes that can detonate, disassemble, and identify zero-day malware variants, as well as correlate that data with the rest of your security infrastructure. User and Entity Behavior Analytics (UEBA) tools also make it easier to identify internal security threats and find individual offenders.
This is easier said than done. Attackers also use advanced techniques such as learning and mimicking legitimate traffic patterns in order to evade detection. Security tools not only need to check and inspect data and applications looking for low-hanging malware, but also provide deep inspection and analysis looking for and correlating patterns over time in order to detect and determine malicious intent. And where possible, intelligent security systems need to be able to proactively and automatically intervene in order to thwart an attack before it has even begun.
One new trend is Content Disarm and Reconstruction (CDR) tools used for data sanitization. CDR processes incoming files, deconstructs them, and removes active content. This approach fortifies a zero-day file protection strategy by proactively removing malicious content from specific files, thereby preventing the accidental loading of attached malware and malicious executables.
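To make the CDR step concrete, here is an added example (not code from the original article or from any CDR product) that disarms an OOXML document: a .docm file is a ZIP of XML parts, so the sanitizer rebuilds the archive without the parts that carry active content (assumed typical locations such as word/vbaProject.bin, activeX/ and embeddings/), scrubs the relationship and content-type entries that point at them, and downgrades the macro-enabled Word content type to its plain .docx equivalent. The sample document is constructed inline and is not a real malware sample.

```python
import io
import re
import zipfile
from posixpath import basename

# Parts that carry active content (assumed typical OOXML locations; extend as needed).
ACTIVE_PART = re.compile(r"(^|/)(vbaProject\.bin|vbaData\.xml|activeX/|embeddings/)", re.I)
# Macro-enabled main-part content types and their plain, macro-free equivalents.
MACRO_CT = {
    "application/vnd.ms-word.document.macroEnabled.main+xml":
        "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml":
        "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml",
}

def _scrub_refs(xml: str, dropped_basenames: set) -> str:
    """Remove <Relationship>/<Override> entries that point at a dropped part,
    then downgrade macro-enabled content types so the result opens as .docx/.xlsx."""
    def keep(m):
        tag = m.group(0)
        return "" if any(b in tag for b in dropped_basenames) else tag
    xml = re.sub(r"<(Relationship|Override)\b[^>]*/>", keep, xml)
    for macro_ct, plain_ct in MACRO_CT.items():
        xml = xml.replace(macro_ct, plain_ct)
    return xml

def disarm_ooxml(data: bytes):
    """Rebuild the archive without active content; returns (clean_bytes, removed_parts)."""
    src = zipfile.ZipFile(io.BytesIO(data))
    dropped = [n for n in src.namelist() if ACTIVE_PART.search(n)]
    dropped_basenames = {basename(n) for n in dropped}
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if name in dropped:
                continue                      # active content is simply not copied
            blob = src.read(name)
            if name.endswith(".rels") or name == "[Content_Types].xml":
                blob = _scrub_refs(blob.decode("utf-8"), dropped_basenames).encode("utf-8")
            dst.writestr(name, blob)          # passive parts pass through unchanged
    return out.getvalue(), dropped

def read_part(data: bytes, name: str):
    """Helper for inspecting a result: the part's bytes, or None if absent."""
    z = zipfile.ZipFile(io.BytesIO(data))
    return z.read(name) if name in z.namelist() else None

def build_sample_docm() -> bytes:
    """Constructed minimal macro-enabled document with a placeholder VBA part."""
    parts = {
        "[Content_Types].xml": '<Types><Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/><Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/></Types>',
        "word/document.xml": "<w:document><w:body><w:p>hello</w:p></w:body></w:document>",
        "word/_rels/document.xml.rels": '<Relationships><Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/></Relationships>',
        "word/vbaProject.bin": b"\x00placeholder-vba-stream",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in parts.items():
            z.writestr(name, content)
    return buf.getvalue()
```

A production CDR engine would also re-parse each surviving XML part against the schema and rename the output to .docx; this block shows only the deconstruct-and-rebuild core.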
Many threats no longer enter the network through traditional avenues. Web-based attacks exploit the exponential growth in applications – especially those designed to query and mine for information directly in the data center.
Because the demand for homegrown and customized web applications has grown so rapidly, many organizations simply have not had the time or resources to adequately test and harden them before deployment. An effective way to close that gap is by implementing a WAF. These security devices are specifically designed to provide deep, high-performance inspection of web application traffic far beyond what is provided by traditional NGFW technology.
Because networks are in constant flux, the tradition of deploying security devices or platforms at the edge of the network or data center is no longer adequate. Most of these traditional point security technologies also tend to operate in isolation, which means they can only see and respond to the threats that pass in front of them.
But given the nature of today’s multi-vector and intelligent threats, security solutions need to be interconnected into a single, cohesive system that can span and adapt to elastic network architectures. Dynamic integration and correlation provides real-time visibility across the entire network, which is critical because you can’t defend against a threat you can’t see. In addition, a system of integrated, orchestrated security solutions enables organizations to proactively and intelligently fight cyberattacks as a coordinated system, wherever those threats may occur.
Begin by looking for tools designed to share intelligence through mechanisms such as open APIs, common operating systems, or unified management tools. Security fabric architectures also interconnect traditionally isolated security tools, allowing them to share and correlate information. They also provide centralized orchestration, single-pane-of-glass management, consistent policy distribution, and an automated and coordinated response to attacks. Such a fabric can also dynamically harden security and access points, isolate affected devices and malware, identify vulnerable or compromised systems, and initiate forensic analysis and remediation.
Given the fluid nature of your networked ecosystems, and the wide range of applications and data flowing across many networks, it is more important than ever that you establish and maintain effective and secure network segmentation that prevents threats from spreading horizontally across your network. Organizations can dramatically improve their security by deploying Internal Network Segmentation Firewalls and establishing macro- and micro-segmentation strategies to prevent the proliferation of threats. The goal is to create consistent policy and enforcement deep in the network, beyond the perimeter, to manage and secure the lateral movement of data and applications.
In the case where massive amounts of data are being collected and correlated in a single environment, or where interconnectivity spans multiple networked environments, it is especially critical that segmentation controls be established that can detect threats that have managed to penetrate the perimeter of one network segment and are now moving laterally across your environment. Without segmentation and detection tools in place, such threats are free to collect, corrupt, and exfiltrate data.
While the scale and frequency of today’s data breaches is alarming, the attacks organizations suffer are not unique. Far too many organizations with highly flexible and adaptable network environments still rely on isolated second-generation security solutions and strategies to protect them. However, more than ever, security today cannot be an afterthought. It requires planning, people, and processes combined with adaptive security technologies designed to dynamically scale to today’s digital networks, see and coordinate across the distributed network, and automatically respond as a single, proactive defense system to address the advanced cyberthreats targeting them.