By HP Security Strategist Stan Wisseman
When I got started in the computer security business at the National Computer Security Center in the early '80s, we were focused on providing guidance on how best to embed security features and assurance into operating systems, databases, and networks. When firewalls were generally introduced in the mid-'90s, the corporate security model flipped to a dependence on hardening the network perimeter as a preventative control as Internet access increased. While information security practitioners continued to press for defense in depth, many enterprise security policies assumed that there was a well-defended network perimeter within which authorized users could safely access and use firm assets.
Flash forward to 2015. The network security perimeter may not be completely dead, but the demarcation line is certainly fuzzy.
The changes in the way users, third parties, and customers access systems and applications, and their need to access enterprise data remotely or while mobile, are forcing an IT transformation. Other factors include changes to how data is stored and moved around the IT infrastructure, 'virtualized' environments, and the consumption of cloud services. These factors break the "crunchy" network security perimeter model. I'm not recommending jettisoning perimeter security controls. As reflected by a recent Firemon survey, firewalls are still perceived to have value. Organizations need to maintain perimeter defenses not just for the traditional ingress monitoring, but also for egress visibility to pinpoint large-scale breaches. However, assume perimeter defenses can be bypassed.
As I cited in a previous post, baselining against cyber security frameworks is a useful exercise to help identify security control gaps in your program. Understanding the likely threats and having a means of continuously monitoring the threat landscape can also help you prioritize where best to focus your attention. That said, I think the following five high-level actions provide you significant ROSI toward disrupting the attack life cycle:
1. Reducing your attack surface
2. Employing multi-factor authentication
3. Monitoring the environment for anomalies
4. Utilizing data-centric security
5. Participating in threat intelligence sharing
Reducing the attack surface
Once you understand that you cannot stop every attack, the next logical action to take is to reduce the number of attack vectors that a potential adversary may exploit. HP's 2015 Cyber Risk Report shows that threat actors use zero-day exploits along with exploits of older vulnerabilities that have been around for years. As highlighted by Mark Painter's recent blog post, environmental hygiene can greatly reduce your exposure. If you are unable to patch in a timely manner, virtually patch vulnerable components. Also reflected in the Cyber Risk Report, applications are taking the brunt of many attacks. I've been a longtime advocate of building security into applications. Those developing and deploying applications should address security throughout the life cycle to reduce architectural and implementation-related security flaws and defects. Applications will continue to be subject to attack, and we must take the necessary steps to build in resilience for critical applications so they can better resist attack and rapidly recover from failures and outages, whatever their cause.
Employing multi-factor authentication
We have been proclaiming the death of simple passwords for years, yet they persist. Weak or stolen user credentials remain a primary attack vector for adversaries, which is why strong authentication must be included in the overall security plan. Multi-factor authentication is a best-practice approach to help ensure that only legitimate users are accessing your assets, wherever they are located. Ease of integration with cloud applications like Google Apps, Box, Salesforce and Office 365 is crucial given the risks to these SaaS platforms. Cloud Access Security Brokers (CASBs) should also be considered, since they can provide comprehensive visibility into cloud application usage, enhanced with user identity, for improved security governance.
Monitoring for anomalies
Threat actors are really good at staying nearly invisible inside your environment while mapping the network, typically looking for key systems that house sensitive data and IP. Once they are in, it's very difficult to track their lateral movement and the assets they've gained access to. We've got to use all of the tools at our disposal to connect the dots through correlation of security-related events, monitoring of suspicious network behavior, and user behavior analytics to rapidly detect bad actors. While the objective is to automate the process of distinguishing normal from abnormal behavior, security teams will still need staff who can think outside the box so that they can flag deviant behavior, also known as the "Hunt team."
Utilizing data-centric security
We need to be smart about which data matters and apply consistent protections to sensitive data no matter where it resides, with minimal impact to business operations. HP's Cindy Cullen provides a good summary of full-lifecycle data protection requirements in her CIO Forum post. Historic security measures can be effective at helping to secure "normal" data, but securing distributed data repositories can be challenging. Since data is in SaaS solutions, on mobile devices, and with third parties, I recommend using a data-centric protection scheme wherever possible. For example, leveraging Format-Preserving Encryption (FPE) allows encryption 'in place' in databases and applications without significant IT impact, while preventing the threat agent's use of the data even if they gain access to it.
We also need to gain increased visibility into data flows with our cloud service providers and ensure that data protections are consistently applied. HP recently partnered with Adallom, which will enable you to keep control of your data wherever it goes, with policies and protection that follow your assets even as they are downloaded to unmanaged devices.
Participating in Threat Intelligence sharing
We are faced with numerous attack vectors and increasingly targeted attacks. Many times we are reactive to an event rather than proactive. We need to collaborate just as our adversaries are doing and share threat intelligence within trusted communities.
In this post, I have primarily highlighted five technology-based security controls to mitigate the illusion of an effective network security perimeter. However, to create a reasonable level of assurance, your security model must consider not only the technology, but also the people and process factors.