For nearly 20 years, most organizations have taken the age-old "drawbridge and moat" approach to network security. ...
Aggregate all of the enterprise traffic through the gateway while blocking all the badness of the Internet with a Holy Grail firewall. How's that been working out for the industry?
According to the 2015 Data Security Confidence Index (DSCI) from SafeNet, there is a widening gap between the perception and the reality of network perimeter security effectiveness within the IT community. The report notes that 87% of IT decision makers felt their organization's network perimeter security systems are effective at keeping out unauthorized users. Yet at the same time, more than 1,500 data breaches led to one billion data records compromised in 2014 alone, a 49% increase in data breaches, and a 78% increase in data records stolen or lost compared to 2013. The data affirms the definition of insanity: Doing the same thing over and over again and expecting a different result.
Recent trends such as the move to virtualization, public cloud and BYOD further exacerbate the problem by dramatically expanding the network perimeter. Add the prolific use of USB sticks, Wi-Fi and VPN connections, each of which widens the threat envelope, and it is not hard to understand why relying on perimeter defense alone is failing enterprises.
Reading the 2015 Verizon Data Breach Investigations Report provides additional insight. In 60% of cases attackers are able to compromise an organization within minutes, yet the time it takes to discover the breach is increasing. Furthermore, 99.9% of exploited vulnerabilities were still being exploited more than a year after the CVE was published. Reading past Verizon Breach Reports provides additional insight into perimeter defenses and their failures:
- 62% of organizations took months to discover compromise.
- End users were more effective at detecting compromises than network intrusion detection systems, hosted-based intrusion detection systems and log review combined.
- Don't get too excited about security awareness efforts; end users were responsible for only 4% of detections.
- Managed security service providers discovered less than 1% of breaches.
One of my favorite quotes from the Verizon Data Breach Reports is from the 2013 report: "[W]e must accept the fact that no barrier is impenetrable, and detection/response represents an extremely critical line of defense. Let's stop treating it like a backup plan if things go wrong, and start making it a core part of the plan."
Why network perimeter security is a losing battle
To keep bad guys out, enterprises have to close every hole and fix every flaw. The adversary just has to find one vulnerable machine, application or user. It's no wonder that organizations keep getting breached to the tune of millions and even billions of dollars in losses. Keep in mind that big organizations with large security budgets, significant staff, best-of-breed products and high-end service providers still get breached. So how can enterprises and security professionals hope to combat today's well-funded and motivated adversaries?
First, organizations must accept that compromise is inevitable, no matter how good the network perimeter security is. Second, the industry needs to redefine just what "winning" is in the battle with the bad guys. Traditionally, enterprise security viewed winning as preventing compromise. Compromising an organization's network is but one step in the kill chain; winning for the adversary is moving laterally within the organization, finding information of value and then exfiltrating that information.
Breaking into a network is not the focus of a bad guy -- stealing the data is. Instead of trying to outgun the bad guys and focusing only on keeping them out, how about detecting adversary activity toward their goal and responding rapidly? Approaching security with these goals in mind is the only way to win this fight.
The old paradigm was that preventing compromise equaled winning. The new paradigm today is preventing adversaries' success equals winning.
Prevention is ideal; detection is a must
If a desktop within an organization's environment was compromised with a USB stick or spear phishing email, and the bad guys then began moving laterally to other desktops searching for data of value across the LAN, would the enterprise security team be able to detect it? If data were moved from a compromised desktop within an environment to an Internet-based asset, would the security team be able to detect it? Most organizations will likely answer no to both questions, because most organizations put all of their effort at the gateway and do not properly instrument the inside of their networks to detect lateral movement or data exfiltration. Yet lateral movement and exfiltration are among the noisiest activities in the kill chain.
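As an added example (not code from the original article), the two questions above can be turned into concrete detection logic that runs over session data of the kind a network sensor records. The script below uses constructed flow records (timestamp, source, destination, port, bytes); the addresses, the "admin port" list, the 10-minute window, the five-host fan-out and the 500 MB threshold are all assumptions to be tuned for a real network. It also generalizes slightly beyond the text by aggregating exfiltration volume across several sessions to the same external host rather than looking at one big transfer.

```python
"""Detect lateral movement and data exfiltration from session records.

Added example, not from the original article. The session records below
are constructed, not captured traffic.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample session records (hypothetical data).
# Fields: timestamp, src_ip, dst_ip, dst_port, bytes sent from src to dst.
SESSIONS = [
    ("2015-06-01T09:00:00", "10.1.5.23", "10.1.5.40", 445, 12_000),
    ("2015-06-01T09:00:20", "10.1.5.23", "10.1.5.41", 445, 9_500),
    ("2015-06-01T09:00:45", "10.1.5.23", "10.1.5.42", 445, 11_200),
    ("2015-06-01T09:01:10", "10.1.5.23", "10.1.5.43", 445, 8_800),
    ("2015-06-01T09:01:30", "10.1.5.23", "10.1.5.44", 445, 10_100),
    ("2015-06-01T09:02:00", "10.1.5.23", "10.1.5.45", 3389, 14_000),
    ("2015-06-01T09:30:00", "10.1.5.23", "203.0.113.10", 443, 850_000_000),
    ("2015-06-01T09:05:00", "10.1.5.77", "10.1.5.2", 445, 4_000),        # normal file share use
    ("2015-06-01T10:00:00", "10.1.5.77", "198.51.100.5", 443, 120_000),  # normal web use
    ("2015-06-01T10:10:00", "10.1.5.77", "10.1.5.3", 445, 3_000),
]

# Assumed internal address space (RFC 1918) and ports typically used
# for remote administration and file sharing inside the LAN.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
LATERAL_PORTS = {22, 135, 139, 445, 3389, 5985, 5986}


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def parse(rec):
    ts, src, dst, port, nbytes = rec
    return datetime.fromisoformat(ts), src, dst, port, nbytes


def lateral_movement(sessions, window=timedelta(minutes=10), min_hosts=5):
    """Flag internal sources that reach at least min_hosts distinct internal
    hosts on admin/file-sharing ports within a sliding time window."""
    by_src = defaultdict(list)
    for ts, src, dst, port, _ in map(parse, sessions):
        if is_internal(src) and is_internal(dst) and port in LATERAL_PORTS:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            hosts = {d for t, d in events[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts[src] = sorted(hosts)
                break
    return alerts


def exfiltration(sessions, threshold_bytes=500_000_000):
    """Flag internal sources sending more than threshold_bytes to any single
    external destination, summed over all sessions to that destination."""
    totals = defaultdict(int)
    for _, src, dst, _, nbytes in map(parse, sessions):
        if is_internal(src) and not is_internal(dst):
            totals[(src, dst)] += nbytes
    return {pair: b for pair, b in totals.items() if b > threshold_bytes}


if __name__ == "__main__":
    print("lateral movement:", lateral_movement(SESSIONS))
    print("exfiltration:", exfiltration(SESSIONS))
```

Both checks need only session metadata (who talked to whom, on what port, how many bytes), which is exactly what a sensor placed inside the LAN, rather than at the gateway, can supply; neither requires full packet capture.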
Tools of the new security paradigm include the following steps and components:
- A "defensible security architecture": Richard Bejtlich, chief security strategist at FireEye, introduced the concept of defensible network architecture in his book, The Tao of Network Security Monitoring. According to Bejtlich, such architectures must be monitored, inventoried and controlled, and should include asset owners and stakeholders to develop proper policies and procedures for the network. Also, the architecture should be minimized for a reduced attack surface, assessed regularly for vulnerabilities and kept current with the required updates and patches.
- Network security monitoring: This is not simply an intrusion detection system (IDS). It would include event data, session data, full content capture and statistical data. Network security monitoring provides more than just an IDS alert; it includes the necessary background and metadata to make independent decisions regarding intrusions.
- Continuous security monitoring: Security and network administrators should retain log data for 12 months, rotate logs every 15 to 60 minutes and transfer logs to the log management infrastructure every five minutes. In addition, they should automatically analyze logs six times a day. Perform integrity checks on rotated logs and encrypt those rotated logs.
- Adoption of Indicators of Compromise (IOC): Through the efforts of US-CERT and others such as Mandiant and its OpenIOC effort, frameworks for collecting and sharing IOCs are rapidly emerging. Enterprise security teams should take advantage of them. By using a defined schema, real attack data can be disseminated rapidly and widely. Security products are now beginning to use this data to hunt for compromise within an environment.
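An added example (not from the article) of the rotate-and-integrity-check step in the continuous security monitoring item above: each rotated segment gets a timestamped name and a manifest entry whose SHA-256 digest is chained to the previous entry, so that editing, removing or reordering a segment after the fact fails verification. The file names, the manifest format and the 15-minute rotation interval in the demo are assumptions; encryption of the rotated files is left to an external tool such as gpg and is not shown.

```python
"""Rotate a log file and protect rotated segments with a SHA-256 hash chain.

Added example, not from the original article. The demo writes constructed
log lines into a temporary directory.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def rotate(log_path, archive_dir, now=None):
    """Move the active log into archive_dir, start a fresh one, and append a
    chained entry (file, sha256, chain = H(prev_chain || sha256)) to the manifest."""
    now = now or datetime.now(timezone.utc)
    os.makedirs(archive_dir, exist_ok=True)
    stamp = now.strftime("%Y%m%dT%H%M%SZ")
    rotated = os.path.join(archive_dir, f"{os.path.basename(log_path)}.{stamp}")
    os.replace(log_path, rotated)   # atomic rename on the same filesystem
    open(log_path, "a").close()     # new empty active log
    manifest = os.path.join(archive_dir, "manifest.jsonl")
    prev = "0" * 64                 # chain head for the first segment
    if os.path.exists(manifest):
        with open(manifest) as f:
            lines = f.read().splitlines()
        if lines:
            prev = json.loads(lines[-1])["chain"]
    digest = sha256_file(rotated)
    chain = hashlib.sha256((prev + digest).encode()).hexdigest()
    with open(manifest, "a") as f:
        f.write(json.dumps({"file": os.path.basename(rotated), "sha256": digest, "chain": chain}) + "\n")
    return rotated


def verify(archive_dir):
    """Recompute every digest and chain link; return a list of problems (empty means OK)."""
    manifest = os.path.join(archive_dir, "manifest.jsonl")
    problems = []
    prev = "0" * 64
    with open(manifest) as f:
        for n, line in enumerate(f, 1):
            entry = json.loads(line)
            path = os.path.join(archive_dir, entry["file"])
            if not os.path.exists(path):
                problems.append(f"entry {n}: {entry['file']} missing")
                continue
            if sha256_file(path) != entry["sha256"]:
                problems.append(f"entry {n}: {entry['file']} content changed")
            expected = hashlib.sha256((prev + entry["sha256"]).encode()).hexdigest()
            if entry["chain"] != expected:
                problems.append(f"entry {n}: chain broken")
            prev = entry["chain"]
    return problems


def demo():
    """Rotate three times at 15-minute intervals, verify, then tamper twice."""
    root = tempfile.mkdtemp()
    log = os.path.join(root, "auth.log")
    archive = os.path.join(root, "archive")
    for i in range(3):
        with open(log, "a") as f:
            f.write(f"constructed log line {i}\n")   # constructed sample content
        rotate(log, archive, now=datetime(2015, 6, 1, 9, 15 * i, tzinfo=timezone.utc))
    clean = verify(archive)
    second = os.path.join(archive, "auth.log.20150601T091500Z")
    with open(second, "a") as f:
        f.write("injected line\n")                   # tamper with a rotated segment
    tampered = verify(archive)
    # An attacker who also rewrites that entry's sha256 still breaks the chain link.
    manifest = os.path.join(archive, "manifest.jsonl")
    with open(manifest) as f:
        entries = [json.loads(l) for l in f]
    entries[1]["sha256"] = sha256_file(second)
    with open(manifest, "w") as f:
        f.writelines(json.dumps(e) + "\n" for e in entries)
    return clean, tampered, verify(archive)


if __name__ == "__main__":
    print(demo())
```

The chain only helps if its head lives somewhere the attacker cannot reach: ship the manifest (or at least the latest chain value) with each transfer to the log management infrastructure, because anyone who can edit the rotated logs on the host can also regenerate a manifest that sits beside them.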