When it comes to making snap judgments, lizards are hard to beat. If it's an insect, eat; if it's a bigger reptile, run away…and so on. Not known for their intelligence, lizards don't think – they act. Their response mechanisms have ensured their survival, but over time the world has evolved and they haven't. So, because they lack the capacity to adjust to changing circumstances, natural selection has moved our reptile friends a few notches down the food chain.
Our network security posture has survived in a similar manner. Attempts to block threats based on IP Addresses, port numbers, URLs and content signatures are not unlike making reptilian snap judgments. There was a time when that would have sufficed, but the world has changed. The global threat landscape has radically evolved as cyber criminals and their attack strategies outpace traditional mitigation strategies and challenge cyber security efforts worldwide.
Hacking, as we are all well aware, is now a highly organized profession with clear economic and strategic objectives. Often financed by large corporations, criminal organizations, political cohorts and nation states, there is an abundance of resources and sophisticated talent at work in the cyber underworld.
The nature of cyber threats is also changing from widely applicable, single-method attacks, to stealthier, multi-phase and targeted threats, many of which frequently utilize zero-day vulnerabilities and evasive metamorphic or polymorphic malware propagation. These attacks are invariably immune to traditional, signature-based detection methods and are increasingly undetectable by session-based stage-specific network security appliances and services.
A key distinction between the decision-making processes of lizards vs. humans is that humans use context for making decisions. In short, unlike a lizard that triggers action based on a single input, humans consider pros and cons of an action considering many inputs and built-up knowledge. In the world of cyber security, it means making decisions based on a number of variables including immediate activity, threat intent, security posture, knowledge of our adversaries, what their motivations are and the sensitivity of targeted users and devices.
Context is the aggregation and analysis of all potentially relevant information. Perimeter security gear such as firewalls is simply not in a position to do either. First of all, the perimeter is no longer where all of the security action is. To successfully thwart an advanced threat, you need to correlate information across your infrastructure and, if necessary, outside sources. More importantly, you need to exhaustively inspect and analyze that information, which, if done at the network perimeter, would create major network bottlenecks.
Just as evolved organisms such as humans have separate parts for action and thought (limbs and a brain) to deal with complex issues, network gear needs both enforcement and intelligence to deliver useful security outcomes. Technology has gotten much, much better at enforcement, but advanced attacks are (by definition) designed to circumvent existing security controls. This is not a failure of the security vendors to provide useful technology. The tools used by sophisticated cyber criminals are an evolution of the threat landscape – one that requires an equally creative response.
Before you roll your eyes at the thought of having to throw another security technology at yet another security problem, let's take a step back. Corporate networks are more complex, distributed and dynamic than ever. That makes it pretty much impossible for even the most high-performing security teams to anticipate the full scope of risk that exists on the network at a given point in time. Not to mention that any change to the state of the network (which can occur hundreds of times a day) changes the organization's risk profile, and that there are elements of risk that are simply uncontrollable.
With this being the case, the argument for separating enforcement from intelligence makes sense. And bear in mind, “separate” does not mean “siloed” or “mutually exclusive,” it just means that we leverage advances in security technologies appropriately and apply brainpower to context based security problems that require human input.
Just as evolution gave us separate senses but one brain, security in a complex world requires gathering data from multiple sources and locations but processing it all together to get a complete picture (or context) of the threat. Enforcement mechanisms should be driven by this enhanced understanding of a given threat, with the goal being to eliminate the risk it poses to the organization.
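To make the "separate senses, one brain" idea concrete, here is an added example that is not part of the original post and not any vendor's code. It correlates three constructed telemetry sources (IDS alerts, authentication events and an asset inventory with sensitivity ratings) per host, folds in a small intent lookup standing in for threat intelligence, and turns the combined context into an enforcement tier. A single-signal "reflex" decision is included for contrast. Every event format, signature name, weight, threshold and response tier is an assumption invented for the illustration.

```python
"""Context-based decisioning: correlate several signals, then act.

Added illustration only. Event formats, signature names, weights,
thresholds and response tiers are all constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: three independent "senses".
IDS_ALERTS = [
    {"ts": "2024-03-01T10:00:05", "host": "ws-042", "sig": "suspicious-dns-tunnel", "severity": 3},
    {"ts": "2024-03-01T10:02:11", "host": "ws-017", "sig": "port-scan-outbound", "severity": 2},
]
AUTH_EVENTS = [
    {"ts": "2024-03-01T09:58:40", "host": "ws-042", "user": "j.doe", "result": "success", "geo": "unusual"},
    {"ts": "2024-03-01T10:01:00", "host": "ws-017", "user": "svc-backup", "result": "failure", "geo": "usual"},
]
ASSETS = {  # sensitivity: 1 (low) .. 3 (high), a constructed rating
    "ws-042": {"owner_role": "finance", "sensitivity": 3},
    "ws-017": {"owner_role": "it-ops", "sensitivity": 1},
}
# Stand-in for threat intelligence: what a signature usually indicates.
INTEL = {"suspicious-dns-tunnel": "exfiltration", "port-scan-outbound": "recon"}
INTENT_WEIGHT = {"exfiltration": 3, "recon": 1}
WINDOW = timedelta(minutes=5)  # how close two signals must be to count as related


def parse_ts(s):
    return datetime.fromisoformat(s)


def reflex(alert, block_at=4):
    """The 'lizard' view: one input, one reaction (assumed severity threshold)."""
    return "block-ip" if alert["severity"] >= block_at else "ignore"


def correlate(ids_alerts, auth_events, window=WINDOW):
    """Group, per host, each alert with the auth events that occur within `window` of it."""
    by_host = defaultdict(lambda: {"alerts": [], "auth": []})
    for a in ids_alerts:
        by_host[a["host"]]["alerts"].append(a)
    for e in auth_events:
        t = parse_ts(e["ts"])
        alerts = by_host[e["host"]]["alerts"]
        if any(abs(parse_ts(a["ts"]) - t) <= window for a in alerts):
            by_host[e["host"]]["auth"].append(e)
    return dict(by_host)


def context_score(host, ctx, assets=ASSETS, intel=INTEL):
    """Combine immediate activity, inferred intent and target sensitivity into one number."""
    score = 0
    for a in ctx["alerts"]:
        score += a["severity"]                                   # what is happening now
        score += INTENT_WEIGHT.get(intel.get(a["sig"], ""), 0)   # what it probably means
    for e in ctx["auth"]:
        if e["result"] == "success" and e["geo"] == "unusual":
            score += 3   # a successful login from an unusual place alongside an alert
        elif e["result"] == "failure":
            score += 1
    # Who is targeted matters: scale by the asset's sensitivity (default 1).
    return score * assets.get(host, {}).get("sensitivity", 1)


def decide(score, isolate_at=15, step_up_at=6):
    """Map the context score to an enforcement tier (assumed thresholds)."""
    if score >= isolate_at:
        return "isolate-host"
    if score >= step_up_at:
        return "step-up-auth-and-monitor"
    return "log-only"


def assess(ids_alerts=IDS_ALERTS, auth_events=AUTH_EVENTS, assets=ASSETS, intel=INTEL):
    """Return {host: (score, action)} built from the correlated context."""
    ctx = correlate(ids_alerts, auth_events)
    return {h: (context_score(h, c, assets, intel), decide(context_score(h, c, assets, intel)))
            for h, c in ctx.items()}


if __name__ == "__main__":
    for alert in IDS_ALERTS:
        print("reflex :", alert["host"], "->", reflex(alert))
    for host, (score, action) in assess().items():
        print("context:", host, "score", score, "->", action)
```

Run on the constructed data, the reflex view ignores both alerts because neither crosses its severity threshold, while the correlated view isolates ws-042 (exfiltration-class signature, an unusual-location login minutes earlier, a high-sensitivity finance asset) and merely logs ws-017. The enforcement layer only ever sees the resulting tier; the weighing of inputs lives in the "brain".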
If you think about it, dividing up security management this way opens up a clear and attractive growth path for security professionals – one where they get to practice strategic thinking, problem solving, and a host of other higher brain functions, and rely on technology to automate the “dumber” aspects of enforcement and remediation.
It certainly sets the stage for dealing with advanced, targeted attacks in a way that is sustainable, efficient, and realistic. A lizard is never going to grow a cortex. Neither is a firewall. But they both have their respective place in the scheme of things. I wouldn't dream of ripping out my company's corporate firewalls, but I certainly wouldn't rely on a lizard to protect my home against a highly motivated, skilled, and well-armed thief either. Not even a Komodo dragon. Would you?