Extending network security
Martin Roesch, founder and CTO, Sourcefire
If you knew you were going to be compromised, would you do security differently?
Here's the harsh reality: despite best efforts, attackers often know more about the networks they attack than the network owners and they're using that to their advantage. Modern networks are increasingly complex. Their components constantly evolve and spawn new attack vectors including mobile devices, web-enabled and mobile applications, hypervisors, social media, web browsers, home computers and even vehicles. To truly protect these extended networks, we have to accept the nature of modern networked environments and devices and start defending them by thinking like an attacker.
Few organizations think this way and fewer still have shifted their security postures and approaches to reflect this reality. They secure extended networks that also include endpoints, mobile devices, virtual assets and data centers using disparate technologies that don't – and can't – work together. Attackers fundamentally understand the nature of classic security technologies and their applications and exploit the gaps between them. They employ a methodical approach to remain undetected and accomplish their mission, using technologies and methods that result in nearly imperceptible indicators of compromise. A quick look at the “attack chain” – the chain of events that leads up to and through the phases of an attack – shows how:
Survey: Attackers start with surveillance malware to get a full picture of your environment including all elements across your extended network, to understand what attack vectors are available, the security technologies deployed and what accounts they can capture and use for elevated permissions.
Write: Based on this intelligence, attackers then create targeted, context-aware malware.
Test: They validate that the malware works as intended by recreating your environment to ensure the malware gets through defenses undetected.
Execute: Attackers then navigate through your extended network, environmentally aware, evading detection and moving laterally until reaching the target.
Accomplish the mission: Be it to gather data or destroy, the attacker is positioned to maximize success of the mission. Once they complete the mission they remove evidence but maintain a beachhead for future attacks.
So what are our next steps? How do we protect the extended network?
Simply put, we need to change our security model to be threat-centric; to address the extended network and the full attack continuum – before, during and after an attack. The attackers have this perspective, but we need to have it as well.
Before: Context-aware attackers require context-aware security. We are fighting against context-aware attackers so we need to start by gaining full awareness and wider visibility of our own environments. If we don't understand what we're trying to protect we will be unprepared to configure our security technologies to defend ourselves. We need to develop visibility that includes the entirety of the extended network. Visibility is the basis for context-aware security and the only way we can achieve information superiority over attackers.
During: Relentless attacks demand continuous security. Traditional security technologies can only detect an attack at a point in time, which on its own is limiting even when dealing with viruses and other threats. Against targeted, prolific advanced malware, relying only on traditional security technologies isn't even a serious option. With security infrastructure based on the concept of awareness and using a foundation of visibility, we can aggregate data and events across the extended network. This evolves security from an exercise at a point in time to one of continual analysis and decision-making. With this real-time insight we can employ intelligent automation to enforce security policies without manual intervention.
After: To address the full attack continuum we need retrospective security. Retrospective security is a big data challenge and a capability now emerging. With an infrastructure that can continuously gather and analyze data to create security intelligence we can, through automation, identify indicators of compromise, detect malware that is sophisticated enough to alter its behavior to avoid detection, and then remediate. Compromises that would have gone undetected for weeks or months can be identified, scoped, contained and cleaned up rapidly.
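As an added illustration of the "after" phase (example code written for this page, not from the original article or any Sourcefire product): a minimal analyzer that records file observations continuously as they happen and, when a later verdict marks a hash as malicious, looks backwards to scope which hosts were touched, where the file entered, and how long it dwelt undetected. All hashes, hostnames, channels and timestamps are constructed sample values.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry (not real data): file observations captured
# continuously, before anyone knows whether the file is good or bad.
# Fields: timestamp, host, (shortened) sha256, channel the file arrived over.
OBSERVATIONS = [
    ("2013-03-01T09:00:00", "ws-17", "f1a2", "email-attachment"),
    ("2013-03-01T09:05:00", "ws-17", "b7c3", "web-download"),
    ("2013-03-03T14:20:00", "ws-22", "f1a2", "smb-copy"),
    ("2013-03-10T08:45:00", "srv-db", "f1a2", "smb-copy"),
    ("2013-03-12T11:00:00", "ws-30", "b7c3", "web-download"),
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

class RetrospectiveAnalyzer:
    """Keeps a per-hash trajectory so a verdict that arrives later can be
    applied backwards over everything already seen."""

    def __init__(self):
        self.trajectory = defaultdict(list)  # sha256 -> [(ts, host, channel)]
        self.verdicts = {}                    # sha256 -> "clean" | "malicious"

    def record(self, ts, host, sha256, channel):
        # "During": store every observation, no decision is made yet.
        self.trajectory[sha256].append((parse_ts(ts), host, channel))

    def update_verdict(self, sha256, verdict, now):
        # "After": new intelligence reclassifies a hash; scope the compromise.
        self.verdicts[sha256] = verdict
        if verdict != "malicious":
            return None
        events = sorted(self.trajectory.get(sha256, []))
        if not events:
            return {"sha256": sha256, "entry": None, "hosts": [], "dwell_days": 0}
        first_ts, first_host, first_channel = events[0]
        return {
            "sha256": sha256,
            "entry": (first_host, first_channel),          # where it got in
            "hosts": sorted({h for _, h, _ in events}),    # containment scope
            "dwell_days": (parse_ts(now) - first_ts).days, # time undetected
        }

def demo(now="2013-03-15T00:00:00"):
    analyzer = RetrospectiveAnalyzer()
    for observation in OBSERVATIONS:
        analyzer.record(*observation)
    return analyzer.update_verdict("f1a2", "malicious", now)

if __name__ == "__main__":
    print(demo())
```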
A threat-centric model of security lets defenders address the full attack continuum, across all attack vectors, and respond at any time, all the time.
I'm not saying change will be easy, but it is undeniably urgent and the technology is here to make it happen. Continuous monitoring, automated analysis, control automation, and retrospective remediation exist already. They are integrated and they work together, in continuous fashion, to secure networks, endpoints, virtual and mobile, and across the full attack continuum. However, this is not only a technology problem; this is a people and process problem as well. Mindsets need to shift and organizational structures need to be redefined. Technology and business leaders need to accept that the attackers have changed the game. We as an industry – vendors and practitioners alike – need to understand how attackers operate in the real world. Only then can we defend our weaknesses and strengthen our defenses.