In many ways, too many enterprises get stuck in a rut fighting yesterday’s attacks and defending yesterday’s architecture. Not good. Unless, of course, you are an attacker.
Enterprises tend to develop their enterprise security risk management program, invest in their security defenses, build a security awareness program (if they are really, really proactive) and move on, rarely, if ever, revisiting that plan again. To borrow Ron Popeil’s line, when it comes to information security, enterprises “set it and forget it.”
That may be good for cooking a rotisserie chicken, but it’s not a good way to cook an information security program.
Our cyber adversaries change. How they target our systems changes. And the very nature of the attacks they employ changes as well. Security programs need to be able to adapt with them.
Yet, many enterprises today remain focused on blocking already-known attacks. They don’t spend much, if any, time modeling who is likely to attack them, why they would attack, and specifically what data and resources they may attempt to breach or disrupt. Enterprises also tend to spend too little time and resources on how they will respond to successful attacks. This is something adversaries know very well, and it is how they manage to stay one step ahead.
How well do these stagnant defenses work? Not well, if we are counting the numbers of enterprise breaches and the sheer ocean of records stolen and exposed.
Here is what enterprises need to do:
Know the threats against them. Many organizations simply do not understand the sophistication of the threats they face. They don’t threat model. They don’t ask themselves what data or information could be of use to criminals, and then examine what ways attackers could potentially target such data. Where are attacks coming from? How are others in my industry being attacked? Once threats are understood, enterprises can better take the steps necessary to strengthen the weaknesses in their defenses. SANS Institute has an excellent paper on this: Beyond Continuous Monitoring: Threat Modeling for Real-time Response.
Know the architecture and where attackers will target. Sounds simple, but with the move to mobile, virtualized environments, cloud computing, and more recently containerization and micro-services – too few information security groups have an up-to-date grasp of where their critical data and applications reside.
Layer security controls and defenses. With the proper defenses, attacks can be more readily stopped and responded to. Yet, most enterprises today rely on the same defenses they always have: firewalls, passwords, encryption, intrusion detection and prevention systems and so on. While all of these technologies are very useful, and have their place, they are not enough in and of themselves. History has shown that enterprises are continuously being breached. In fact, 2014 was a record year for data breaches and 2015 is likely to turn out near the same. It shows that most enterprises have not adjusted their defenses to adequately face current levels of risk.
Security defenses must adapt as attacks evolve. As attackers change their methods, enterprise defenses must change. Security policies must mirror the current, real-world threat level. Endpoint and server level security must reflect the nature of the attacks that target them. And it doesn’t matter whether these are physical servers, virtualized servers, or servers residing on public cloud infrastructure.
There is no one defense that will provide all of the security an organization needs. However, it is very important to have defenses that identify attacks so they can be rapidly mitigated.
Additionally, when it comes to identifying new attacks, it is important to adapt your defenses to match the threat. For instance, a recent Bitdefender study showed that targeted attacks, spear phishing and ransomware are the most feared types of incidents in corporations today. How has your organization responded to these threats? Are there defenses in place to fight and look for targeted attacks and customized malware? Are employees trained to be on the lookout for spear-phishing emails? Have you tested them by spear phishing execs to see how they respond? Are employees educated about the risks of ransomware? As an informal indicator, I reached out this weekend to five friends who work in Fortune 500 financial institutions in non-IT roles. Not one of them was familiar with the term ransomware. Not scientific, but also unsettling.
Be able to detect and respond to data breaches. The ability to quickly detect and respond to data breaches is more important than ever to an effective IT security program. In addition to looking for key indicators of compromise, forensics capabilities are central to those efforts. By being able to quickly determine the nature and cause of an incident, enterprises can not only stop the data bleeding out of them, but also more intelligently prevent future incidents through the increased visibility into the network that forensics provides.
By having layers of security defenses (access controls, antimalware, monitoring, etc.) in place, and specifically against likely attacks and data likely to be attacked, you will do better than most enterprises. By continuously evaluating those capabilities against the current threat level you will be doing the best that can be expected.
You will be able to adapt to threats as they arise and understand the nature of modern-day threats, and in that way it’s possible to have in place the level of security necessary to keep systems secure. It’s not easy, however, and it’s no guarantee, but it is the best path forward.