Most network security professionals agree that there's no such thing as a perfect system. But that's not what keeps them up at night. The biggest source of frustration is the ongoing quest for a balanced approach that will enable them to detect breaches early and keep data safe.
As the intrusions at Target, Sony, Home Depot and more have shown, the nature of breaches has evolved. Today's attackers are not like smash-and-grab criminals who invade a home and leave with anything they can grab in less than 10 minutes. The new batch of intruders take their time to find the most unobtrusive way in, scope out the environment, find the tender spots, and siphon off profitable data before they exit through the back door.
“If you don't think there's somebody already on your network you're pretty naïve,” says Richard Ullom, IT security manager at Western Reserve Group, a Wooster, Ohio-based insurance company. “In the past, if you ran anti-virus software, kept your firewall up and applied all the patches, you were in pretty good shape. But these days, the bad guys are studying the technology you're using and looking for any vulnerability they can find to get in.”
Nine times out of 10 these attackers will go through an unsuspecting employee and bypass every piece of security in place, he adds. “So, chances are they're already there.”
Once they're in, the same technology that enables business networks to communicate gigabytes of information in an instant makes it easy for attackers to download the data they want. Usually, they can get everything out before detection systems even know they're inside. In fact, most attackers are inside a network for six to eight months before the breach is detected.
Michael Fey, president and COO, Blue Coat
Tsion Gonen, chief strategy officer for the identity and data protection division, Gemalto
David Shearer, CEO, (ISC)2
Frank Stratton, senior security consultant, Birchy Bay
Richard Ullom, IT security manager, Western Reserve Group
Ryan Wilk, director of customer success, NuData Security
“If you have a very fast pipe into your network you've created a wonderful opportunity for the bad guys to transfer huge volumes of data in seconds,” says Frank Stratton, senior security consultant at Birchy Bay, an Ottawa, Ontario, Canada-based IT security systems analyst firm. “That means data will exit faster than detection systems can identify a problem, so limiting the amount of data attackers can take once they're in is difficult.”
Although acceptance may be the first step to enlightenment, determining how best to mitigate risk is the key to finding a perfectly balanced solution that reduces frustration. Traditional firewalls, endpoint protection systems and intrusion prevention systems are no longer enough. And the conversation continues around how those systems should be enhanced or supported.
“Everyone from the IT team to the board understands and acknowledges that there is a problem, but there's a lot of confusion around how to address it,” says Tsion Gonen, chief strategy officer for the identity and data protection division at Gemalto, a digital security company with U.S. headquarters in Austin, Texas. Up until about five years ago there was a blueprint, he says. It was very clear what security professionals were supposed to do to protect their networks: “You put in a firewall, anti-malware, anti-virus and a few more pieces and you were good. You could rest assured that you had done everything you needed to do to protect your network. Now I don't think anyone knows what the blueprint is.”
Defining that new blueprint is a challenge because the business and end-user environment in which data is accessed and shared has changed dramatically. The proliferation of mobile devices, user demand for instant anytime-anywhere access, and the growth of the bring-your-own-device (BYOD) trends, coupled with the dramatic increase in the communications power of all user devices, has extended the network that must be protected. In this new environment, an effective security strategy requires new tools that go beyond the capabilities of traditional protection systems.
“An additional level of protection is needed that looks at not just what's connecting, but also who's connecting,” says Ryan Wilk (left), director of customer success at NuData Security, a Vancouver, B.C., Canada-based software development company. “That's really where the big gap is. We've done a good job identifying machines and connections and how ports are being used, but we're not as advanced as we should be at understanding what the human who is using the machine is doing – the behavior that allows us to understand that there may be a level of risk with a specific access event.”
Analyzing behavior addresses the sophistication of attackers who are using legitimate aspects of the network environment illegitimately. New systems that leverage behavior analytics can learn and track normal behaviors and distinguish them from illegal breaches. The right system can detect attacks earlier, improve alert management and reduce the time it takes to investigate alerts. This will go a long way to reducing the breach detection gap and alleviating some frustration security teams are facing today.
“We've let attackers test us for far too long,” says Michael Fey, president and COO at Blue Coat, a Sunnyvale, Calif.-based enterprise security firm. “We need to start learning from each attack. We need to start stealing their information – what they were going to do, what vulnerability they were going to exploit, who they were going to ring back – get all that information so we can feed the ecosystem with what we've learned and leverage that knowledge to defend the network on the next round of attack.”
For some, however, there is a concern that too much data will create a different kind of gap and a whole new level of frustration, because all the data being generated has to be managed.
David Shearer (left), CEO at (ISC)2, a Palm Harbor, Fla.-based nonprofit that certifies information security professionals, believes it comes down to having the right balance between the protection technology and the people who use it. Many organizations need more people who are qualified to read the information, analyze it, recognize an anomaly and then act on it. But, often, the workforce is stretched so thin that they're not in a position to act on the available information quickly enough.
Beyond the workforce, finding the right balance is usually about juggling cost and risk. Birchy Bay's Stratton notes that organizations that are willing to accept a higher risk that data will escape require a less robust and less costly security solution to protect their data.
“It comes down to a decision point and an understanding of how that tolerance for risk will affect the level of trust between you and your customers,” adds NuData's Wilk. “That's important because customers will look at the risk in a different way. They may question whether they want to continue trusting your ability to protect their information.”
He believes a level of frustration will always be there. But, he says, with a layered, 360-degree approach that includes the best of perimeter protection and some type of behavior analytics, “you can go a long way to lowering that frustration.” n