To prevent a targeted cyberattack, it's not enough anymore to keep the network secure through patching and updates....
Network segmentation and continuous network monitoring are essential too.
Enterprise networks no longer consist of just desktop computers and a few local area network servers; now it includes employees' laptops, smart phones, tablets and other mobiles devices, plus file, data, and mail servers, kiosks, supervisory control and data acquisition systems, and so on. Many networks extend into the cloud and virtual environments and interact with third-party systems and the internet of things.
As recent data breaches show, enterprise IT pros are failing to secure all these endpoints; too many still believe that they can trust their internal networks and users. Their defenses focus on trying to prevent an external, targeted cyberattack. Firewalls, email filtering, antivirus software (AV) and VPNs are still the four most widely deployed security technologies, yet hackers still routinely compromise endpoints sitting on even the mostly heavily protected networks. Cybercriminals are creating new malware and attack techniques faster than endpoint security solutions can be updated.
Patching and updating are not enough
Ensuring devices and endpoints are patched and running up-to-date AV software will always be a key way to defend against a targeted cyberattack, but given the myriad variety of devices, applications and users that an enterprise has to support, it has to be just one of many. Preventive technologies not only miss too many targeted attacks, they don't have the ability to identify and remediate ongoing exploits. Security teams need a strategy that can protect key resources and data even when perimeter defenses have been breached and the network compromised.
Network segmentation can greatly improve the protection of data held on today's more open networks by limiting the scope of a targeted cyberattack. Segmenting internal networks allows access to critical information to be restricted to only those individuals or applications that have a valid and trusted requirement to access it. It also means that additional security controls can be deployed only on segments that warrant them, reducing unnecessary costs while ensuring sensitive areas are well protected.
Segmentation can limit an attacker's ability to move around a network, but without the ability to discover a targeted cyberattack, many organizations will only learn of a successful infiltration after valuable data has been stolen. Once an attacker has breached a network's preventive defenses, they are very good at reducing the footprint of their activities in order to evade detection.
Continuous network monitoring also essential
To detect a sophisticated and targeted cyberattack, enterprises need to continuously monitor network activity and actively search for unusual behavior. For an attacker to extract data, at some point they have to act differently to a genuine and trustworthy user, so monitoring systems that learn behavior patterns of users, devices, and services can spot actions that are out of character and indicate a possible attack. For example, the Anthem breach could have been picked up fairly early on because the attackers submitted database queries remotely to obtain the PII records -- certainly unusual behavior.
Of course, for continuous network monitoring tools to pick up on malicious activity there has to a baseline of what´s normal, across activities that span multiple environments. IBM's InfoSphere Guardium, Splunk Cloud or Solutionary's cloud-based ActiveGuard Security and Compliance platform are a few products that can create a baseline and provide a unified view of on-premises and cloud activity, generating alerts when an activity falls outside of an expected bandwidth.
Automation is an essential part of future security
The attack surface of a modern enterprise is too great for prevention-based technologies to ever be 100% effective, yet so many organizations assume they are and tend to base their and spending on these technologies. While prevention technologies are important, enterprises desperately need to deploy tools that can automatically detect and respond to a targeted cyberattack. This proactive approach can reduce the time between the initial compromise and its discovery and remediation, thus reducing the extent of the damage.