With the barrage of attacks only growing, today’s enterprise must face reality with a variety of defenses, reports James Hale.
Ask the ’92 New York Knicks or the ’85 Chicago Bears: Playing great defense is seldom sexy. It might take you to the championship – you might even win – but the flashy offensive stars always seem to get priority on the highlight reel.
In the digital realm today, the offense is attracting all the press as well.
“Right now, the malware writers are winning,” says Dave Frymier, CISO of Unisys, a Blue Bell, Pa.-based IT company.
Among security analysts and senior executives at global IT service providers, there is consensus that many organizations are back on their heels, being outmaneuvered by the bad guys. What is needed, they agree, is a return to the fundamentals of sound strategic analysis and risk mitigation that reflects the reality of the source and purpose of malicious data attacks.
“It seems that everyone is looking for a silver bullet,” says Marc Maiffret, CTO at BeyondTrust, a San Diego-based security solution vendor. “It’s still the basics that work best.”
Those basics start with understanding what one needs to protect and who might be out to get it. “You have to be able to answer four key questions,” says Frymier. “What do you have to defend? How and where do you store that? Who has access? Who are your ‘enemies’?”
When it comes to answering that first question, a healthy dose of realism is essential, says Steve Martino, acting CISO of Cisco Systems in San Jose, Calif. “Not all customer data and intellectual property is created equal,” he says. “You need to break it down by essential, critical and important, and determine where to put your focus and build your defenses.”
Martino (right) works on what he calls a 95/5 principle, assuming that no organization can protect 100 percent of its assets. “Humans make mistakes,” he says. “Attackers understand that, and they have deep pockets.”
Maiffret agrees that too much energy is wasted worrying about the range of threats that could come one’s way, and says more focus is needed on where networks are vulnerable.
“There is an infinite amount of malware,” he says, “but a finite number of ways to get in.”
Plugging every leak might well be impossible, as Martino believes, but a proactive, continuous approach can help ensure most offensive moves are rejected. There’s agreement that many organizations are making the error of thinking that putting defensive software in place is sufficient.
“It’s not a set-it-and-forget-it situation,” says Maiffret. “In many instances, organizations are not using their technology to the fullest. They may have a lot of data about network traffic, but they’re not necessarily analyzing it.”
Vince Berk, CEO of FlowTraq, a network security company based in Lebanon, N.H., says he is constantly confounded by how little attention people pay to who’s accessing what, and where their data is flowing. He says that many companies are quick to provide network access, but slow to remove or restrict those users. He recommends compartmentalizing data, encrypting it and maintaining strict controls over who can access it.
“You can’t be passive and you can’t make it an afterthought,” he says. “If something’s not working, you have to change it up.”
But what happens when Michael Jordan slips past Patrick Ewing and drives to the basket? That’s the five percent play, and it is going to happen. That doesn’t mean your defensive play is over, says Barrett Lyon (below), who made his reputation identifying denial-of-service (DoS) attacks a decade ago and is co-founder and CTO of Defense.net based in Belmont, Calif.
“If you don’t have a good mitigation plan in place, the result can be chaos,” he says. “What often happens is that as soon as they realize they’ve been attacked, companies start pulling their network apart.”
Lyon says that the level of detail that escapes organizations has shocked him. What kind of detail? How about not knowing how to contact their security suppliers when disaster occurs? “It’s hard to believe,” says Lyon, “but it happens.”
Within minutes, significant damage – both financial and reputational – can be done. He says he is also surprised by how much faith organizations place in the marketing pitches of those security suppliers and in the ability of their own IT staffers to quickly assess and solve problems when they are not resourced sufficiently.
“You can’t leave these types of issues in the hands of your IT department without ensuring they have the budget for it, and can answer the question, ‘What now?’” says Defense.net co-founder and CEO Chris Risley.
Another operational issue that plays a critical role in an effective defensive strategy is widely understood ownership of data, says Cisco’s Martino. “Having clear governance in place is an important part of understanding and mitigating your risks,” he says. “You need that kind of clarity before you make investments in your security planning. It must be a business decision.”
“A lot of teams simply don’t communicate well,” adds Maiffret, “and they don’t necessarily share a unified view of the world.”
Meanwhile, Risley says that he doubts the average corporate CIO fully understands the impact on the organization’s systems should a DoS attack suddenly fill their data pipeline. “Even if you have a good mitigation plan on your network, your pipe can still be plugged very fast,” he says.
“We’ve recently seen a 46 percent increase in the amount of tiny data packets that can hit your network during one of these attacks,” says Lyon. “That can be particularly flummoxing, and you’re looking at a lot of collateral damage. You’ll have no room left for clean traffic.”
The solution, he says, is to separate data assets and minimize what can be attacked. Ongoing network testing is an essential part of this solution, he says, as is having a protocol for escalating the defensive stance during a sustained attack.
Allocating resources strategically is also recommended. “Don’t spend money to defend what’s not worth it,” says Frymier. “Concentrate on hiding your most valuable assets using the most modern encryption methods, and combine that with need-to-know access. That will ensure that systems go dark to anyone without permission.”
Martino agrees, and adds that these fundamentals apply regardless of the number or type of access points to the enterprise network.
“Even bring-your-own-device (BYOD) adds very little additional risk if you build in some basic, simple controls,” he says. “Playing good defense means making sure your house is in order.”
There is unanimous agreement that all organizations – from the smallest online retailer to federal government departments – need to adopt a strong defensive posture for the foreseeable future. “It’s just a part of doing business now,” says Lyon, noting that botnets are currently available on the black market for a rental fee of $7 per hour.
“You just have to look at the number of attacks to realize this is not going away,” says Frymier. “We are paying the price for the way internet protocols were designed, which allow you to do a lot of things anonymously. Until these flaws get fixed, everyone is at risk, as long as your adversary has enough firepower.”
As usual, the guys with the best offensive moves get all the attention.