WEBINAR: Live Event Date: September 20, 2017 @ 1:00 p.m. ET / 10:00 a.m. PT
Designing a Proactive Approach to Information Security with Cyber Threat Hunting REGISTER >
The perfect IT security solution is one that makes an enterprise completely secure and "unhackable," where no unauthorized parties can get onto the network, access confidential data, deny service to legitimate users, or otherwise carry out any malicious or unwanted activities.
Unfortunately, there's no such thing as total or complete security. In part that's because there will always be a malicious actor such as a nation state with more resources to devote to hacking than an enterprise can devote to defending itself, according to James Lewis, a cybersecurity expert at the Washington, D.C.-based Center for Strategic and International Studies (CSIS). "It is simply not possible to beat these hackers," Lewis says. "Government-backed hackers simply won't give up. They will keep trying until they succeed."
And that means that IT security ultimately boils down to security risk management: using the available IT security budget to build not a total or complete security system, but an optimal one that minimizes the chances that a damaging security breach can occur – and can minimize the damage if a breach does occur.
So given the current state of security technology, how do you develop an optimal security posture within the constraints of a normal security budget – which is, on average, about 5.6% of the total IT budget in most organizations (source: Gartner)?
The precise makeup of an optimal IT security posture will vary from company to company, but here are some general guidelines.
Know what you have to defend
The first step in building the best possible security solution is to understand exactly what IT infrastructure you have to defend. "The smartest thing is to do a comprehensive asset inventory and network definition exercise so you know every device and technology you have and where your network extends to," said Chase Cunningham, a security and risk expert at Forrester Research. "Only then can you decide exactly what it is you want to defend."
Decide what needs protecting
A typical enterprise IT infrastructure will include one or more networks, servers, desktop and mobile endpoints, applications, data, and perhaps even external Internet of Things (IoT) devices. "What you need to do is figure out what is required to defend this with the minimum investment," said Cunningham. He believes that the best starting point is a vulnerability and patch management system. "If you can't patch, then you can't defend and you can forget anything else," he said. "Ultimately, if you suck at patch management, you suck at security."
Of course, it takes much more than a vulnerability and patch management system to secure networks, devices and applications - not least because they can do nothing against zero-day attacks using previously unknown vulnerabilities.
So the next step then is to defend the network perimeter, using identity and access management systems, which are intended to restrict network access to authorized users and to restrict those users to the resources that they are authorized to use.
These are best used in conjunction with multi-factor authentication systems, which use a one-time password (generated by a portable hardware device or smartphone software, or sent to a cell phone by SMS), a biometric measurement such as a fingerprint or voice print, or some other second factor in addition to a standard password.
These can be reinforced using a network access control system, which restricts network access to authorized endpoints with prescribed security configurations (such as running an up-to-date anti-virus product).
Find and protect your data
The next step, according to Cunningham, is to identify your organization's valuable or confidential data, or data that needs to be secured for regulatory compliance reasons, and take steps to defend it. "It is very simple: find your data, value it, and keep it safe," he said.
Although it is tempting to start with technical solutions, it is important to remember that a high proportion of data breaches are the result of social engineering or phishing attacks: Verizon's data breach investigation team reported recently that 90% of data breaches have a social engineering or phishing component to them. These allow hackers to bypass security systems by tricking employees into giving them passwords or other information that they need to breach the IT infrastructure.
That means that staff training to raise awareness in phishing and social engineering dangers and to reduce the risk of falling victim to such attacks is vital. These can be complemented by anti-phishing training tools, which are designed to keep employees' awareness of the risks of phishing emails high. They work by sending out fake phishing emails to employees from time to time to see whether they can be enticed into clicking on malicious links. Employees that do so can then be given more training to help them avoid real phishing emails in the future.
But the basic technical solutions include a comprehensive, centrally managed endpoint security system that includes anti-malware software (and ideally specific measures to stop ransomware). These often also bundle other specific data protection solutions such as encryption and data loss prevention.
Data loss protection is often underestimated, but it can be very effective at countering insider threats. For example, a good data loss prevention system should be able to prevent an employee who is leaving the company from downloading confidential data, customer lists and other valuable data onto a USB stick and taking it with them to their next employer.
A relatively new area of concern for IT security professionals (thanks to the rise of Bring Your Own Device, or BYOD) is the use of employee-owned devices on the network, and some form of BYOD security system is vital.
Ideally, this would take the form of a comprehensive enterprise mobility management (EMM) system that can manage both corporate and employee-owned mobile devices (including laptops, tablets and smartphones). EMMs go beyond mobile device management (MDM) solutions by controlling access to corporate networks and applications, ensuring that devices are locked with strong passwords when not in use, encrypting any corporate data stored on them, and carrying out remote data wipes in case the devices are lost or stolen, among other control and visibility features.
Internet of Things (IoT) security
One more area that is worth mentioning because it is becoming increasingly important is IoT security. IoT endpoints (or "things") are generally used as data collection points. This data is then sent over a network to an IoT platform ingestion point where the data is collected, processed and used in real time or stored.
IoT security systems carry out a range of functions, such as detecting when IoT devices are tampered with and encrypting collected data both in motion and at rest on a dedicated IoT platform.
Enterprises are increasingly making use of cloud services outside the corporate network, and any that use need some way of ensuring that they can be used securely and that data stored in the cloud is safe. One way to reduce the risk introduced by cloud services is to use a cloud access security broker (CASB) which can set policy, monitor behavior, and manage risk across the entire set of enterprise cloud services being consumed.
Examples of security policies enforced by a CASB include authentication, single sign on, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, and malware detection and prevention.
A CASB vendor also gives enterprises visibility into authorized and non-authorized cloud usage. It can intercept and monitor data traffic between the corporate network and cloud platform, assist with compliance issues, offer data security policy enforcement, and prevent unauthorized devices, users, and apps from accessing cloud services.
Distributed Denial of Service (DDoS) attacks
About 80% of organizations faced DDoS attacks in 2016, according to Neustar, and successful attacks cost the victim an average of $2 million. 45% of attacks are now more than 10 Gbps and 15% are now more than 50Gbps, so it is now impossible for most organizations to cope with these attacks using their own network resources.
For that reason, it is important to have a DDoS mitigation plan and service in place with a clear process for contacting the service to start mitigation in case of an attack.
DDoS mitigation services are usually run from the cloud, and mitigation generally involves diverting all traffic (including malicious traffic) to the service, where it is scrubbed. Legitimate traffic can then be forwarded to the intended destination servers.
The big picture: firewalls, threats and SIEM
What's not been mentioned yet are the big-ticket items that may consume a large part of a security budget and are mainstays of a corporate security posture. These include a standard network firewall, or as is increasingly common, a next generation firewall (NGFW). An NGFW goes beyond blocking ports or protocols to perform stateful packet inspection right down to the application layer, allowing the device to block packets that are not matched to known active connections, to block unwanted application traffic (rather than traffic on specific ports) and to close network ports all the time unless they are actually in use, which provides some protection against port scanning.
Increasingly NGFWs include intrusion prevention and detection functionality, although these may also be purchased as standalone products.
In many cases, intrusion prevention and endpoint protection systems rely on the availability of threat intelligence feeds that provide information about emerging threats, such as signature activity that can indicate a particular threat is present.
Application firewalls are also often necessary if your company operates internet-facing applications. An application firewall monitors incoming traffic to block certain types of content, including attempts to carry out SQL injection attacks using deliberately malformed queries.
One final big ticket item that is becoming increasingly important is a security information and event management (SIEM) system, which can monitor logs from network hardware and software to spot security threats, detect and prevent breaches, and provide forensic analysis after a breach. A SIEM can also generate reports for compliance purposes. A SIEM is the technology that can tie all your security efforts together.
Think like a hacker – and test
Once an overall security solution is in place, the best way to find out how effective it is at preventing a breach is to subject it to penetration testing. Also called vulnerability assessment and testing or "pen testing" for short, this involves a simulated attack on your organization's network to assess security and determine its vulnerabilities.
These "white hat" attacks carried out by security professionals are designed to identify network security issues and other vulnerabilities, identify policy compliance failures, and improve employee awareness of proper security practices.
Preparing for a breach
Since the ideal security solution does not exist, that means there is always a risk of a security breach, and organizations should prepare for one to ensure that damage can be limited by planning an incidence response process.
This should include preparation, identification, containment, eradication, recovery and learning from the incident, according to SANS Institute recommendations.
One final measure that can be taken as part of a risk management process is the purchase of cyber insurance to mitigate the financial costs of a breach. These costs should not be underestimated: the average cost of a data breach in the U.S. is $221 per record, or $7 million per breach, according to the Ponemon Institute's Cost of Data Breach Study.
Organizations have many IT security solutions to choose from. An assessment of your most critical vulnerabilities is a very good place to start to determine which of your assets are the most valuable, and then begin to protect them. We offer comprehensive security product overviews in our security products section.
See anything we missed or wish to share your own views and experience? Let us know in the comment form below.