The Forty Thieves had a problem named Ali Baba. Stealthily penetrating their treasure lair, in the famous “Arabian Nights” tale, he made off with a load of gold coins and threatened to come back for more. Although the story has many a twist and turn, the thieves' draconian measures to protect their treasure in the face of this “security breach” ultimately failed.
It's a lesson for today's CISO for whom security measures far more arcane and complex than a simple “Open Sesame” password are required to guard corporate treasures. Yet, as many have found, systems are always going to be breached. So, an additional focus needs to be placed on making data “exfiltration” far more difficult, whether the breach is accomplished through an insider or via undetected malware.
OUR EXPERTS: Stopping leaks
Anton Chuvakin, research VP,
John Pescatore, director of emerging trends, SANS Institute
Peter Tran, senior director, worldwide advanced cyber defense practice, RSA
Randy Trzeciak, technical manager of the CERT Insider Threat Center, Carnegie Mellon Software Engineering Institute
Wade Williamson, director of product marketing, Vectra Networks
“Outbound traffic is the key enabler of modern attacks – it links internal malware to the outside attacker, allowing a near infinite ability for the attack to adapt and spread over time,” notes Wade Williamson, director of product marketing at Vectra Networks, a San Jose-based vendor of cyber attack detection technology. “In addition to the control functions, outbound channels represent the actual path of loss where key data and assets leave the target organization. In short, it's the source of both harm and complexity in modern attacks,” he says.
Of course, detecting outbound traffic is just a first step. A possible symptom of data leakage is increased use of external sites and the most obvious means of detecting that leakage is to implement a network monitoring and data loss prevention (DLP) system, which can help to identify information leaking from the organization, says James Bindseil, president and CEO of Globalscape, a San Antonio, Texas-based provider of secure file transfer solutions. “More generically though, you need to make sure all of the different ways that leakage can occur are protected, and it is important that all communications mechanisms are a part of the DLP solution,” he says. For example, leveraging tools that can integrate into the broader security and DLP solutions, through methods such as internet content adaptation protocol (ICAP) integration, can provide warning signs that can indicate a problem.
In fact, notes Peter Tran, senior director of the worldwide advanced cyber defense practice at RSA, a Bedford, Mass.-based network security company, a traditional perimeter-only defense approach is no longer effective given the overwhelmingly porous nature of networks today and the increasing requirement for global interconnectivity. That implies, in his view, crafting a strategy that combines different security methods. Thus, a risk-based approach to cyber defense is needed that considers which assets are most critical – with business context and a risk index tied to business impact or loss. “This approach should be implemented across multiple domain areas – such as incident response, cyber intelligence, analytic intelligence – to provide balanced capabilities across critical security operational areas in addition to traditional layered defense-in-depth,” Tran explains.
He says in most cases the first priority in detecting data exfiltration or “leakage” is anchored on an intelligence-driven security strategy he calls the “cyber defense triad,” which is an organization's capability across people, process and technology. To achieve this strategy, organizations need the ability to identify the “people” who may be attacking, and how and why they are targeting your organization. Further, it is vital to understand the process and gain insight via host and network behavioral analytics of the attacker. This means having the right technology so that data never leaves the perimeter.