In this article, John Maddison highlights the need to stop threats by getting back to the basics of dealing with them, especially the basics that are so often ignored but that sit at the core of every threat-stopping effort.
Over the past year there have been a large number of high profile security breaches. Millions of organizations have been impacted. Tens of millions of names, along with personally identifiable information, have been stolen. Billions of dollars in damages have resulted. It’s almost like we haven’t been investing more time and money into cybersecurity than ever.
But we have. So what’s going wrong?
The majority of these breaches have one thing in common. IT teams are failing to practice basic security hygiene. Cyber-criminals target known vulnerabilities because they know that most organizations will have failed to patch or replace their vulnerable devices. WannaCry targeted a vulnerability for which a patch had been available for months. Shame on them. But Petya followed a month later and targeted the exact same vulnerability. And millions of devices were still affected. So, shame on us.
Of course, it’s easy to point a finger. But there are reasons why performing the basics has gotten away from us. Here are a few:
Networks have gotten really complicated. IT teams used to have a pretty good handle on the network. But you can only add so many new ecosystems to a networked environment before your IT team is stretched to the breaking point. SDN, IoT, private clouds, multi-cloud, shadow IT, and the list goes on. The amount of time in the day just spent on digital transformation activities has eaten away at any time that used to be available for things like patching devices.
Visibility has diminished. Dynamic scalability is really a wonderful thing. But when devices can exist on your network for only minutes, simply configuring and coordinating the application and removal of policies – especially across multiple hypervisors – can eat up a lot of IT resources. So maintaining a working inventory of things that need to be patched or updated in such an environment can be really hard. Add thousands or millions of new IoT devices, the ongoing challenge of BYOD, multiple cloud environments, and bringing OT online, and it’s easy to miss that device in the corner that desperately needs an update. But cyber-criminals only need to compromise one device if it’s in the right place.
Visibility isn’t just about tracking devices. We need to know what devices and resources applications can touch, where the data lives, who has access, and where the workflows go. Add offline devices, cloud-based software and storage services, and increasingly, multiple cloud-based infrastructures, and keeping track of everything can be a full-time job. But if you’re like most organizations, you didn’t get new IT budget to hire an engineer to do that. And even if you did get budget for additional security staff, they were probably assigned the task of just keeping the network from burning down.
Part of the challenge is that we keep reinventing the wheel. And it wasn’t a particularly good wheel to begin with. Our approach to security has historically involved buying whatever cool new security tool was available to plug the security hole of the day, wherever it happened to be. Which means that we have deployed dozens of tools from a variety of vendors in our networks. And these tools don’t talk to each other or share information. Instead, IT teams manage them through an average of about fourteen different security consoles, which makes things like threat correlation nearly impossible. And then, when we add a new environment, like SDN or the cloud, we start all over again, and many times with different security vendors.
How are your IT teams supposed to keep up with that? Of course, cyber-criminals love it. Over the past few years, the time between a breach and the execution of an attack – stealing information, encrypting data, what-have-you – has dropped from thirty minutes to less than ten. But the time it takes to discover advanced threats, primarily because of the complicated nature of our networks and the failure of security devices to collaborate, has grown to be measured in weeks or months. And many of these attacks aren’t ever found. They just sit there like a parasite, evading detection, and sucking the life out of your organization.
It doesn’t have to be like this. Here are six things every organization needs to consider when approaching security, especially during the chaos and time pressures of a network undergoing digital transformation.
1. Assume you will be compromised.
Really. Constantly asking the question, “so, what happens when our network is breached?” can dramatically change how you approach securing your environment. And it should start by engineering as much risk out of your network as possible before you deploy even the first security device.
2. Complexity requires simplicity.
Don’t make the mistake of trying to secure increasingly complicated network environments with equally complex security solutions. Standardize on a few vendors, especially those who can – as much as possible – allow you to manage different devices through a single, common interface. And for things you need that fall outside of that, look for open standards and APIs that allow them to leverage your existing management and orchestration tools.
3. Implement inventory and IoC controls to stop threats.
Get a tool that can track all of your devices everywhere – even those that only exist for a few minutes. This tool needs to not only see and keep an inventory of every device on your network, but it should also be able to identify and rank indicators of compromise so you can make sure things are getting patched, updated, or replaced.
4. Integration is king.
Advanced threats often need lots of data to be discovered, from sensors to sandboxes. When a device discovers a new attack or breach, it needs to let other devices know. And not just the other firewalls from the same vendor. Everything needs to know – your web application firewalls, your IPS devices, your email and web security gateways, your wireless access points, and your endpoint clients. You need to be able to raise the shields immediately.
5. Correlation saves networks.
Not only does threat intelligence need to be shared, your network needs to be able to do something about it. And once a security event is found, your network needs to be able to respond in a holistic, coordinated fashion. Compromised devices need to be isolated from the network. All security devices need to be looking for the same thing. Network segmentation needs to scan for the lateral movement of malware. Your security needs to operate like a single, integrated system.
6. Automate your response to stop threats.
As much as possible, the network should be able to respond to an attack or vulnerability without human intervention. Patches should be applied, un-patchable or compromised systems should be quarantined, security rules should be updated, and systems should be hardened without relying on human beings. Adding things like machine learning and AI allows the network to make autonomous decisions as close to the point of compromise as possible. The goal is to reduce that gap between detection and response as much as possible, and that means making decisions at digital speeds.
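Items 3, 5 and 6 above describe one loop: keep a live inventory (including short-lived devices), join indicators of compromise from several sensors to the devices they concern, rank the result, and turn the ranking into an action (patch, quarantine, or monitor). The script below is an added example of that loop and is not code from the article or from any vendor product. Everything in it is an assumption made for illustration: the indicator weights, the quarantine threshold, the 24-hour freshness window, the placeholder advisory IDs, and the constructed inventory and event records. It also flags a case the article warns about in item 3: a sensor reporting an IP address that is not in the inventory at all, which is a visibility gap rather than a ranked device.

```python
"""Inventory + IoC correlation + response decision (added example, not the article's code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

NOW = datetime(2018, 1, 15, 12, 0)  # fixed clock so the example is deterministic

# Assumed severity weights per indicator type (1-10 scale chosen for this example).
IOC_WEIGHTS = {
    "known_exploit_signature": 10,
    "c2_beacon": 9,
    "malicious_attachment": 6,
    "suspicious_login": 4,
}
QUARANTINE_THRESHOLD = 15  # assumed cut-off above which a device is isolated


@dataclass
class Device:
    host: str
    ip: str
    last_seen: datetime
    missing_patches: tuple = ()   # advisory IDs still unapplied (placeholders below)
    patchable: bool = True        # False for e.g. OT gear that cannot take the patch


@dataclass
class Event:
    source: str      # which sensor reported the indicator
    ip: str
    ioc: str
    seen_at: datetime


# Constructed inventory: one short-lived VM was last seen 30 hours ago and is treated as gone.
INVENTORY = [
    Device("fileserver-01", "10.0.1.10", NOW - timedelta(minutes=5), ("SMB-ADVISORY-PLACEHOLDER",), True),
    Device("plc-gateway", "10.0.9.2", NOW - timedelta(minutes=1), ("VENDOR-ADVISORY-PLACEHOLDER",), False),
    Device("vm-burst-7f3", "10.0.5.77", NOW - timedelta(hours=30), (), True),
    Device("laptop-jdoe", "10.0.2.41", NOW - timedelta(minutes=12), (), True),
]

# Constructed detections from three different sensor types.
EVENTS = [
    Event("ips", "10.0.1.10", "known_exploit_signature", NOW - timedelta(hours=2)),
    Event("endpoint", "10.0.1.10", "c2_beacon", NOW - timedelta(hours=1)),
    Event("email-gw", "10.0.2.41", "malicious_attachment", NOW - timedelta(hours=3)),
    Event("ips", "10.0.7.200", "c2_beacon", NOW - timedelta(minutes=30)),   # IP not in inventory
    Event("endpoint", "10.0.5.77", "suspicious_login", NOW - timedelta(hours=29)),  # too old
]


def active_devices(devices, now=NOW, max_age=timedelta(hours=24)):
    """Inventory as of `now`: devices not seen within max_age are considered gone."""
    return {d.ip: d for d in devices if now - d.last_seen <= max_age}


def correlate(devices, events, now=NOW, window=timedelta(hours=24)):
    """Join fresh events to active devices by IP and score each device.

    Score is the sum of indicator weights; a device reported by more than one
    independent sensor has its score doubled (corroboration). IPs that no
    inventory record explains are returned separately as visibility gaps.
    """
    by_ip = active_devices(devices, now)
    findings, unknown = {}, set()
    for e in events:
        if now - e.seen_at > window:
            continue                      # stale indicator, ignore
        d = by_ip.get(e.ip)
        if d is None:
            unknown.add(e.ip)             # sensor sees something the inventory does not
            continue
        f = findings.setdefault(d.host, {"device": d, "iocs": [], "sources": set(), "score": 0})
        f["iocs"].append(e.ioc)
        f["sources"].add(e.source)
        f["score"] += IOC_WEIGHTS.get(e.ioc, 1)
    for f in findings.values():
        if len(f["sources"]) > 1:
            f["score"] *= 2
    return findings, unknown


def decide(device, score):
    """Map a device's score and patch state to the article's response options."""
    if score >= QUARANTINE_THRESHOLD:
        return "quarantine"               # likely compromised: isolate first
    if device.missing_patches:
        return "patch" if device.patchable else "quarantine"  # un-patchable gets isolated
    return "monitor" if score > 0 else "ok"


def plan(devices=INVENTORY, events=EVENTS, now=NOW):
    """Return (action per active device, sorted list of unexplained IPs)."""
    findings, unknown = correlate(devices, events, now)
    actions = {}
    for d in active_devices(devices, now).values():
        actions[d.host] = decide(d, findings.get(d.host, {}).get("score", 0))
    return actions, sorted(unknown)


if __name__ == "__main__":
    actions, gaps = plan()
    for host, action in actions.items():
        print(f"{host:15} -> {action}")
    print("not in inventory:", gaps)
```

Two design points matter more than the numbers. First, the event loop drops stale indicators before it looks the device up, so an old detection on a VM that has since disappeared neither scores anything nor shows up as a false visibility gap. Second, the score is computed per device, not per sensor, so a detection from the IPS and a detection from the endpoint agent about the same host reinforce each other; that is the correlation item 5 asks for, and it is exactly what fourteen separate consoles cannot do.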
Of course, this sounds easier said than done. But it can be done. In fact, more and more organizations are doing it. They start with lots of planning. And the best place to start is by designing and deploying a security fabric that dynamically spans the entire distributed network, even into the multi-cloud. Such an approach enables integration, correlation, and automation, even across the most distributed and complex environments.
By John Maddison