For nearly 20 years, most organizations have taken the age-old "drawbridge and moat" approach to network security. Aggregate all of the enterprise traffic through the gateway while blocking all the badness of the Internet with a Holy Grail firewall. How's that been working out for the industry?
According to the 2015 Data Security Confidence Index (DSCI) from SafeNet, there is a widening gap between the perception and the reality of network perimeter security effectiveness within the IT community. The report notes that 87% of IT decision makers felt their organization's network perimeter security systems are effective at keeping out unauthorized users. Yet at the same time, more than 1,500 data breaches led to one billion data records compromised in 2014 alone, a 49% increase in data breaches, and a 78% increase in data records stolen or lost compared to 2013. The data affirms the definition of insanity: Doing the same thing over and over again and expecting a different result.
Recent trends such as the move to virtualization, public cloud and BYOD further exacerbate the problem by dramatically expanding the network perimeter. With the prolific use of USB sticks, Wi-Fi and VPN connections effectively increasing the threat envelope, it is not hard to understand why reliance on perimeter defense alone is failing enterprises.
Reading the 2015 Verizon Data Breach Investigations Report provides additional insight. In 60% of cases attackers are able to compromise an organization within minutes, yet the time it takes to discover the breach is increasing. Furthermore, 99.9% of the exploited vulnerabilities were compromised more than a year after the CVE information was published. Reading past Verizon Breach Reports provides additional insight into perimeter defenses and their failures:
One of my favorite quotes from the Verizon Data Breach Reports is from the 2013 report: "[W]e must accept the fact that no barrier is impenetrable, and detection/response represents an extremely critical line of defense. Let's stop treating it like a backup plan if things go wrong, and start making it a core part of the plan."
To keep bad guys out, enterprises have to close every hole and fix every flaw. The adversary just has to find one vulnerable machine, application or user. It's no wonder that organizations keep getting breached to the tune of millions and even billions of dollars in losses. Keep in mind that big organizations with large security budgets, significant staff, best-of-breed products and high-end service providers still get breached. So how can enterprises and security professionals hope to combat today's well-funded and motivated adversaries?
First, organizations must accept that compromise is inevitable, no matter how good the network perimeter security is. Second, the industry needs to redefine just what "winning" is in the battle with the bad guys. Traditionally, enterprise security viewed winning as preventing compromise. Compromising an organization's network is but one step in the kill chain; winning for the adversary is moving laterally within the organization, finding information of value and then exfiltrating that information.
Breaking into a network is not the focus of a bad guy -- stealing the data is. Instead of trying to outgun the bad guys and focusing only on keeping them out, how about detecting adversary activity toward their goal and responding rapidly? Approaching security with these goals in mind is the only way to win this fight.
The old paradigm was that preventing compromise equaled winning. The new paradigm is that preventing the adversaries' success equals winning.
If a desktop within an organization's environment was compromised with a USB stick or spear phishing email, and the bad guys then began moving laterally to other desktops searching for data of value across the LAN, would the enterprise security team be able to detect it? If data were moved from a compromised desktop within an environment to an Internet-based asset, would the security team be able to detect it? Most organizations will likely answer no to the above questions because most organizations put all of their efforts at the gateway and do not properly instrument the inside of their networks to detect lateral movement or data exfiltration. Yet lateral movement and exfiltration are perhaps some of the noisiest activities in the kill chain.
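As an added illustration of the internal instrumentation this paragraph calls for (example code, not from the article), the following Python scans constructed flow records for two of the noisy behaviours named above: one workstation fanning out to many internal peers on administrative ports, and an internal host pushing an unusual byte volume to an Internet address. The flow records, the port list and the thresholds are assumptions chosen for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes_out). Not real data.
FLOWS = [
    ("10.0.1.15", "10.0.1.20", 445, 12_000),
    ("10.0.1.15", "10.0.1.21", 445, 8_000),
    ("10.0.1.15", "10.0.1.22", 3389, 5_000),
    ("10.0.1.15", "10.0.1.23", 445, 9_000),
    ("10.0.1.15", "10.0.1.24", 445, 7_000),
    ("10.0.1.15", "10.0.1.25", 445, 7_000),
    ("10.0.1.30", "10.0.2.5", 443, 2_000_000),        # normal traffic to an internal server
    ("10.0.1.30", "203.0.113.9", 443, 850_000_000),   # large push to an Internet address
    ("10.0.1.40", "198.51.100.7", 443, 300_000),
]

# Assumed "inside" address space: RFC 1918 only (documentation ranges are treated as external).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed set of ports an adversary would use to move between workstations.
ADMIN_PORTS = {22, 135, 139, 445, 3389, 5985, 5986}


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def lateral_movement_fanout(flows, min_peers=5):
    """Internal hosts that reach at least min_peers distinct internal hosts on admin ports."""
    peers = defaultdict(set)
    for src, dst, port, _ in flows:
        if is_internal(src) and is_internal(dst) and port in ADMIN_PORTS:
            peers[src].add(dst)
    return {src: len(p) for src, p in peers.items() if len(p) >= min_peers}


def exfil_candidates(flows, threshold_bytes=500_000_000):
    """Internal hosts whose total bytes sent to external addresses exceed the threshold."""
    totals = defaultdict(int)
    for src, dst, _, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[src] += nbytes
    return {src: b for src, b in totals.items() if b >= threshold_bytes}


if __name__ == "__main__":
    print("lateral movement fan-out:", lateral_movement_fanout(FLOWS))
    print("exfiltration candidates:", exfil_candidates(FLOWS))
```

Both checks only work if east-west and egress flows are actually being collected; with gateway-only visibility the fan-out check has nothing to read.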
Tools of the new security paradigm include the following steps and components:
21 Dec 2015