The very definition of information technology is being rewritten as the rate of change accelerates in the industry. Software-Defined Networking (SDN) and virtualization are just two examples of data center technologies that are shifting traditional notions of IT infrastructure. Once clear-cut and under the sole purview of the IT department, today's infrastructure is more fluid and less visible.
This shift coincides with a veritable Big Bang of interconnectedness: the Internet of Everything. From tablets and mobile devices to smart home appliances and sensors, 10 billion devices are currently connected: a number that will grow to 50 billion in the next six years. These devices are responsible for consumer-driven activities like entertainment and health monitoring, as well as services that support our socio-economic foundations, like energy and agriculture.
In terms of security, this brave new world means many more opportunities for attack. Whereas at one time IT was tasked with securing a smaller and well-defined landscape, we now have the mission of protecting any device against the increasingly malicious attacks of hackers. Traditional security tactics, for the most part, will not fit the bill. In short, we need to rethink what cyber security means.
Strategies for a new security landscape
The aspects I just quickly described may sound overwhelming, but I remain optimistic that methods exist to contain damage to assets, processes, and people that make use of information technology. Ironically, what is old is new again for some of this, and then there are just plain new ways to approach the issue. Of the many methods being discussed in the industry, I'd like to talk about three in particular.
First, master the basics. This includes taking a diligent approach to software patching, user identity management, network management and eliminating any dark space in your infrastructure. The main objectives in this endeavor include reducing attack surfaces available to adversaries and basing resource access policies on need-to-know/need-to-use principles. Even just getting better at patching can reduce available attack surface by as much as 70 percent. Organizations that perform thorough asset inventories are often surprised by how many previously undocumented systems they discover connected to their networks.
This do-the-basics strategy might sound commonplace, but it can be quite demanding when one takes into account the diversity and sheer numbers of devices and systems that today's IT operations must secure. A sophisticated identity management program that brings together the latest strong password, federated identity, privilege management and anomalous behavior detection technologies would not have been possible a few short years ago, but it can go far in improving the ability of security teams to prevent, see and contain security incidents.
Second, take an activist approach to destabilize the enemy. There are plenty of ways to do this. You can start by making your infrastructure a moving target by changing addresses, infrastructure topologies and available resources daily. An activist approach to virtualization makes it possible to build up and tear down resources at will. SDN technology can virtualize the deception process while streamlining the process of building security management and control features into the network fabric. In short, do what you can to prevent the adversary from seeing the same infrastructure twice.
You can also set up honey pots and Potemkin villages on your network that can waste the adversaries' time, divert them from real assets, lead them to tainted intellectual property or cause them to stumble into alarms that announce their presence in your domain. At their most advanced, these techniques can shake adversaries' confidence in their hacking prowess and increase their anxiety over being caught, exposed and prosecuted.
Third, use operational data as an offensive weapon. This strategy is significant, as it signals a shift in the remediation mode to detecting and defeating attacks and intrusions quickly and thoroughly when they do occur. In the data, you are looking for Indicators of Compromise (IoCs): anomalous device or user behavior, network traffic to and from known addresses and other tip-offs. Data subject to analysis can include local telemetry from your infrastructure, information and intelligence from beyond your infrastructure, or data traffic that doesn't conform to normal patterns of activity.
From a reactive to a proactive mindset
This new approach to security carries with it a not-trivial change in our mental approach for security. Formerly, we thought of security as defending perimeters and hardening assets against attack. The new model calls for assuming that if people, things and business processes haven't been compromised, they will be shortly. Established security tools and products like firewalls, security appliances or anti-malware software do a good job of blocking known threats and more readily enable us to detect, recognize, and contain those threats that manage to slip through basic defenses.
Increasingly, we have come to understand that the most dangerous threats do their work quietly and quickly, and then disappear. A threat of this kind will typically wreak its damage in minutes, hours or days. By contrast, too many security teams require days, weeks or months to discover and remediate an intrusive threat of this kind. That's not good enough.
We also need accountability shifts, a measure by which to define efficacy and a willingness to “break some glass” to change what we have … otherwise, we continue to get more of what we have today, and that isn't acceptable.
What security requires today
A combination of fundamental and new strategies provides a winning formula against would-be attackers:
- Use traditional methods to reduce the amount of landscape susceptible to attack.
- Turn the tables on attackers so that they are the ones who feel threatened.
- Increase the speed at which you are able to respond to malicious acts.