Most network security professionals agree that there's no such thing as a perfect system. But that's not what keeps them up at night. The biggest source of frustration is the ongoing quest for a balanced approach that will enable them to detect breaches early and keep data safe.
As the intrusions at Target, Sony, Home Depot and others have shown, the nature of breaches has evolved. Today's attackers are not like smash-and-grab criminals who invade a home and leave with whatever they can carry in under 10 minutes. The new intruders take their time to find the least conspicuous way in, scope out the environment, find the weak spots, and siphon off profitable data before they exit through the back door.
“If you don't think there's somebody already on your network you're pretty naïve,” says Richard Ullom, IT security manager at Western Reserve Group, a Wooster, Ohio-based insurance company. “In the past, if you ran anti-virus software, kept your firewall up and applied all the patches, you were in pretty good shape. But these days, the bad guys are studying the technology you're using and looking for any vulnerability they can find to get in.”
Nine times out of 10 these attackers will go through an unsuspecting employee and bypass every piece of security in place, he adds. “So, chances are they're already there.”
Once they're in, the same technology that lets business networks move gigabytes of information in an instant makes it easy for attackers to pull out the data they want. Usually, they can get everything out before detection systems even register that they're inside. In fact, most attackers are inside a network for six to eight months before the breach is detected.
Experts quoted in this article:
Michael Fey, president and COO, Blue Coat
Tsion Gonen, chief strategy officer for the identity and data protection division, Gemalto
David Shearer, CEO, (ISC)2
Frank Stratton, senior security consultant, Birchy Bay
Richard Ullom, IT security manager, Western Reserve Group
Ryan Wilk, director of customer success, NuData Security
“If you have a very fast pipe into your network you've created a wonderful opportunity for the bad guys to transfer huge volumes of data in seconds,” says Frank Stratton, senior security consultant at Birchy Bay, an Ottawa, Ontario, Canada-based IT security systems analyst firm. “That means data will exit faster than detection systems can identify a problem, so limiting the amount of data attackers can take once they're in is difficult.”
Accepting that intruders are probably already inside is only the first step; the harder question is how best to mitigate the risk they pose, and that is where a balanced approach has to be found. Traditional firewalls, endpoint protection systems and intrusion prevention systems are no longer enough on their own, and the debate continues over how those systems should be enhanced or supplemented.
“Everyone from the IT team to the board understands and acknowledges that there is a problem, but there's a lot of confusion around how to address it,” says Tsion Gonen, chief strategy officer for the identity and data protection division at Gemalto, a digital security company with U.S. headquarters in Austin, Texas. Up until about five years ago there was a blueprint, he says. It was very clear what security professionals were supposed to do to protect their networks: “You put in a firewall, anti-malware, anti-virus and a few more pieces and you were good. You could rest assured that you had done everything you needed to do to protect your network. Now I don't think anyone knows what the blueprint is.”
Defining that new blueprint is a challenge because the business and end-user environment in which data is accessed and shared has changed dramatically. The proliferation of mobile devices, user demand for instant anytime-anywhere access, and the growth of bring-your-own-device (BYOD) trends, coupled with the dramatic increase in the connectivity of all user devices, have extended the network that must be protected. In this new environment, an effective security strategy requires new tools that go beyond the capabilities of traditional protection systems.
“An additional level of protection is needed that looks at not just what's connecting, but also who's connecting,” says Ryan Wilk, director of customer success at NuData Security, a Vancouver, B.C., Canada-based software development company. “That's really where the big gap is. We've done a good job identifying machines and connections and how ports are being used, but we're not as advanced as we should be at understanding what the human who is using the machine is doing – the behavior that allows us to understand that there may be a level of risk with a specific access event.”
Analyzing behavior addresses the sophistication of attackers who use legitimate features of the network environment for illegitimate ends: a valid account, an open port, a fast link. Systems that apply behavior analytics learn and track what is normal for each user and device and flag departures from it, such as a login at an unusual hour from a never-before-seen network followed by an outbound transfer far larger than that user's norm. The right system can detect attacks earlier, improve alert management and reduce the time it takes to investigate alerts. This goes a long way toward closing the breach detection gap and alleviating some of the frustration security teams face today.
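The baseline-and-deviation idea described above, and the fast-exfiltration problem Stratton raises earlier, can be illustrated with a small behavioral model. The following is an added example written for this article; it is not code from NuData, Blue Coat or any other company quoted here. It learns each user's normal active hours, source /24 networks and per-event outbound volume from a constructed training log, then scores new events against that baseline. The log format, field names and thresholds are all assumptions made for the example.

```python
"""Toy user-behavior baseline: learn what is normal per user, then flag deviations.

Added example for this article, not vendor code. Log format is invented:
    <ISO-8601 UTC timestamp> <user> <source IP> <action> [<bytes out>]
where action is "login" or "egress" (egress carries a byte count).
"""
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed training data: four days of ordinary activity for two users.
TRAINING_LOG = """\
2015-03-02T09:12:04Z alice 10.0.4.21 login
2015-03-02T10:40:11Z alice 10.0.4.21 egress 1500000
2015-03-03T08:55:30Z alice 10.0.4.37 login
2015-03-03T14:02:19Z alice 10.0.4.37 egress 2200000
2015-03-04T09:30:02Z alice 10.0.4.21 login
2015-03-04T16:45:48Z alice 10.0.4.21 egress 1800000
2015-03-05T09:05:12Z alice 10.0.4.21 login
2015-03-05T11:20:00Z alice 10.0.4.21 egress 2000000
2015-03-02T08:45:00Z bob 10.0.7.12 login
2015-03-02T17:30:00Z bob 10.0.7.12 egress 45000000
2015-03-03T08:50:00Z bob 10.0.7.12 login
2015-03-03T17:10:00Z bob 10.0.7.12 egress 52000000
2015-03-04T09:00:00Z bob 10.0.7.12 login
2015-03-04T17:40:00Z bob 10.0.7.12 egress 48000000
"""

# Constructed events to score: alice's normal day, then a 2 a.m. login from an
# outside network followed by a 6.4 GB transfer; bob's large-but-normal export.
NEW_EVENTS = """\
2015-03-06T09:10:00Z alice 10.0.4.21 login
2015-03-06T10:00:00Z alice 10.0.4.21 egress 1900000
2015-03-06T02:17:44Z alice 203.0.113.9 login
2015-03-06T02:21:03Z alice 203.0.113.9 egress 6400000000
2015-03-06T17:35:00Z bob 10.0.7.12 egress 50000000
"""

ACTIVE_HOUR_SLACK = 1   # hours of tolerance around previously seen active hours
EGRESS_SIGMAS = 3.0     # flag egress above mean + this many standard deviations


def parse(text):
    """Parse the invented log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        events.append({
            "ts": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ"),
            "user": parts[1],
            "src": parts[2],
            "action": parts[3],
            "bytes": int(parts[4]) if parts[3] == "egress" else 0,
        })
    return events


def src_net(ip):
    """Collapse a source address to its /24 so DHCP churn does not look novel."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def build_baseline(events):
    """Per user: hours seen active, source networks seen, egress sizes seen."""
    base = defaultdict(lambda: {"hours": set(), "nets": set(), "egress": []})
    for e in events:
        b = base[e["user"]]
        b["hours"].add(e["ts"].hour)
        b["nets"].add(src_net(e["src"]))
        if e["action"] == "egress":
            b["egress"].append(e["bytes"])
    return dict(base)


def score_event(e, baseline):
    """Return the list of reasons this event deviates from the user's baseline."""
    b = baseline.get(e["user"])
    if b is None:
        return ["no baseline for user"]
    reasons = []
    hour = e["ts"].hour
    # Circular distance so 23:00 and 00:00 count as neighbours.
    near_hours = any(min(abs(hour - h), 24 - abs(hour - h)) <= ACTIVE_HOUR_SLACK
                     for h in b["hours"])
    if not near_hours:
        reasons.append(f"off-hours activity at {hour:02d}:00 UTC")
    net = src_net(e["src"])
    if net not in b["nets"]:
        reasons.append(f"first-seen source network {net}")
    if e["action"] == "egress" and len(b["egress"]) >= 2:
        mean = statistics.mean(b["egress"])
        # Floor the spread at 10% of the mean so a flat history does not alarm on noise.
        spread = max(statistics.pstdev(b["egress"]), 0.1 * mean)
        if e["bytes"] > mean + EGRESS_SIGMAS * spread:
            reasons.append(f"egress {e['bytes']} bytes vs baseline mean {mean:.0f}")
    return reasons


def detect(baseline, events):
    """Score every event; return only those with at least one deviation."""
    alerts = []
    for e in events:
        reasons = score_event(e, baseline)
        if reasons:
            alerts.append({"ts": e["ts"].isoformat(), "user": e["user"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(parse(TRAINING_LOG))
    for a in detect(baseline, parse(NEW_EVENTS)):
        print(a["ts"], a["user"], "; ".join(a["reasons"]))
```

Run as-is, it stays silent on alice's and bob's routine events and raises two alerts for alice's 02:17 login (off-hours, first-seen network) and the 02:21 transfer (off-hours, first-seen network, egress far above her baseline). The point is the combination: a single large export is normal for bob, and a single new network might be a hotel Wi-Fi, but three independent deviations on one account within minutes is the pattern a behavior-analytics system is meant to surface before the pipe has emptied the file share.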