For years, a fundamental tenet of enterprise information security programs has been the oft-touted defense-in-depth security model: deploying multiple layers of security products, processes and controls so that no single point of failure lets an attacker through.
However, new research warns that even when the best security products are selected, attackers will still find success.
A recently released report by infosec testing and advisory firm NSS Labs Inc. revealed just how many attacks may slip through even a well-crafted defense-in-depth deployment. The security effectiveness of the intrusion prevention system (IPS) products in its 2013 test averaged 94%, factoring in exploit block rates, antievasion capabilities and more. In a similar test of next-generation firewalls (NGFWs), the product with the highest score achieved 98.5% effectiveness, with most crossing the 90% threshold.
Those numbers would seemingly indicate that by deploying the most effective IPS and NGFW products, an organization could stop nearly every attack it is likely to experience. But according to report co-author Chris Morales, practice manager, architecture and infrastructure for Austin-based NSS Labs, in practice the attacks that slip past one security product are likely to slip past another, effectively leaving sizable gaps in a security stack.
Some of those attacks do fall under the category of sophisticated zero-day attacks like those that reportedly struck financial giant JP Morgan recently, though Morales cautioned that the recent iCloud security incident, in which attackers seemingly guessed the usernames and passwords of celebrities, showed that unsophisticated attacks can cause problems too.
"What we've found is that we can't actually achieve what we consider a 100% effectiveness rate for a security stack," said Morales, "and that's a problem [when] it only takes one attack to get through to cause damage."
Outbound traffic monitoring trumps adding more products
Morales emphasized that despite the flaws in even the best-layered security stacks, companies shouldn't toss out the strategy altogether. Rather, companies should accept that even the right combination of products will let some attacks through, and focus on what is most likely to slip through the net.
To do that, Morales said that enterprises must transition away from a malware-prevention mentality and put more effort into proactive incident response capabilities, a move that he said has been made within Fortune 500 circles but has yet to become widespread. The most effective way to plug the holes left by defense in depth, he added, is to closely monitor outbound traffic for signs of malicious activity, particularly hosts connecting to known botnets.
Morales pointed to last year's Target Corp. data breach as the perfect example of why outbound traffic monitoring should now be considered vital. Attackers were initially able to breach Target's network by first compromising an HVAC vendor that was working at certain stores, he said, but at that point, the retailer had not incurred any real damage.
It was only after attackers had made several hops through Target's environment, gained access to payment systems and extracted troves of card data, that the situation became problematic for the company. Despite missing numerous indicators of malicious activity on its network, Morales said, the company could have mitigated the threat simply by monitoring outbound traffic and spotting sensitive data leaving its environment.
"Malware creates an entry into the network," said Morales, "but it doesn't guarantee an exit."
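The two outbound checks Morales describes above, hosts contacting known botnet infrastructure and sensitive data leaving the environment, are easy to prototype against egress flow records. The following is an added example written for this page, not code from NSS Labs or any vendor named here. It runs over a constructed set of flow tuples (source, destination, port, bytes out) with hypothetical documentation-range addresses; the C2 blocklist, the assumption that 10.30.0.0/16 is a payment segment that should never talk to the internet, and the 10 MB exfiltration threshold are all illustrative choices.

```python
"""Outbound-traffic monitoring over constructed flow records (added example).

Checks:
  1. any host contacting a destination on a known-C2/botnet list
  2. any host in a sensitive segment reaching an external destination at all
  3. any host pushing more than a threshold of bytes to external destinations
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample egress records: (src_ip, dst_ip, dst_port, bytes_out).
# All external addresses are from RFC 5737 documentation ranges.
FLOWS = [
    ("10.20.1.15", "192.0.2.10",   443, 8_200),       # ordinary web traffic
    ("10.20.1.15", "198.51.100.7", 443, 1_150),       # hypothetical C2 beacon
    ("10.30.5.2",  "10.30.5.1",    445, 24_000),      # POS host to internal server
    ("10.30.5.2",  "203.0.113.9",   21, 60_000_000),  # POS host pushing 60 MB outside
    ("10.30.5.7",  "10.0.0.40",    443, 5_000),       # POS host to internal update server
]

# Constructed blocklist of known botnet/C2 destinations (hypothetical).
KNOWN_C2 = {"198.51.100.7"}

# Assumption: the payment (POS) segment is 10.30.0.0/16 and must only reach
# internal addresses; 10.0.0.0/8 is the whole internal address space.
SENSITIVE_SEGMENTS = [ip_network("10.30.0.0/16")]
INTERNAL = [ip_network("10.0.0.0/8")]
EXFIL_BYTES = 10_000_000  # assumed per-host outbound threshold (10 MB)


def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL)


def in_sensitive_segment(ip: str) -> bool:
    return any(ip_address(ip) in net for net in SENSITIVE_SEGMENTS)


def find_c2_contacts(flows):
    """Return sorted (src, dst) pairs where src reached a known C2 address."""
    return sorted({(src, dst) for src, dst, _, _ in flows if dst in KNOWN_C2})


def find_sensitive_egress(flows):
    """Return (src, dst, bytes) for any external contact from a sensitive segment."""
    hits = [
        (src, dst, nbytes)
        for src, dst, _, nbytes in flows
        if in_sensitive_segment(src) and not is_internal(dst)
    ]
    return sorted(hits)


def find_exfil(flows, threshold=EXFIL_BYTES):
    """Return hosts whose total bytes to external destinations meet the threshold."""
    totals = defaultdict(int)
    for src, dst, _, nbytes in flows:
        if not is_internal(dst):
            totals[src] += nbytes
    return sorted(host for host, total in totals.items() if total >= threshold)


if __name__ == "__main__":
    for src, dst in find_c2_contacts(FLOWS):
        print(f"ALERT c2-contact       {src} -> {dst}")
    for src, dst, nbytes in find_sensitive_egress(FLOWS):
        print(f"ALERT sensitive-egress {src} -> {dst} ({nbytes} bytes)")
    for host in find_exfil(FLOWS):
        print(f"ALERT exfil-volume     {host}")
```

In a real deployment the flow records would come from a network sensor or firewall logs and the blocklist from a threat-intelligence feed; the point of the example is that the third check fires on the Target-style case even when no signature matches, because it keys on the direction and volume of traffic rather than on recognising the malware.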
Defense-in-depth: Security products that work
Morales said there are a variety of products that can be deployed that could help other enterprises avoid a Target-like breach event. To spot an initial breach, he said products from Damballa Inc., FireEye Inc., Sourcefire (now part of Cisco Systems Inc.) and more could all be used to good effect. Products like RSA's NetWitness network data monitoring and analysis appliance are better for internal monitoring efforts, so an organization can spot unusual activity like one host making contact with another host without reason. The big data tool Splunk can also be used to collect all kinds of information from a network to spot anomalous behavior.
A number of vendors, such as FireEye, Damballa and Fidelis Cybersecurity Solutions, also include botnet detection capabilities in various products that can help with outbound monitoring efforts, Morales said. But most importantly, he urged enterprises to accept the reality that they are likely to be breached regardless of what products they put in place, and to put more time and energy toward paying attention to what's actually happening on the network.
"To be fair to companies, the industry was just telling people to buy our tools and you'll be good. So they followed along," said Morales. "I contend you have to start assuming a breach every day when you walk into the door, and say 'Yeah, somebody is probably in today, and I'm going to go find them,' whether you know about it or not."