Need to stand up to cyber security breaches more effectively? Change your posture!
An organisation’s ‘security posture’ indicates how robustly they are equipped to avoid, detect and repel cyber threats, based on current information security infrastructure and practices. Given ever-bolder cybercrime, a major review of security posture is
now imperative.
A proactive defence strategy drives chances of success against cyber criminals.
Cyber security failures costs continue increasing. High profile examples include massive breaches at Yahoo (twice), Target and Equifax. Hackers break through complex and costly defences to access and steal valuable data. They cost their victims dearly -
financially and by damaging consumer trust, market profile, and even core brand value.
The three principal strategies for combatting cybercrime today are the reactive (after it happens, if it happens), the active (as it happens) and the proactive (before it happens).
The Target breach alone, where credit card details were stolen from point-of-sale machines at nearly 2,000 stores, is estimated to have cost nearly $300 million. An active cyber security strategy would have offered many routes to limiting, and potentially
preventing, the damage.
Reactive – ‘if they come, we will respond’.
Traditionally security approaches centred on the detection and reaction to threats that actually penetrate a system or network. The focus is on establishing strong perimeters to prevent breaches. Information security is typically a discrete operation,
independent of the core business. Significantly, it is organisation-specific. It does not consider issues arising from security practice variations between different, but connected, companies.
The reactive approach invests in upgrading to latest versions of security software and ‘keeping the lights on’. The downside is its limited view of the threat landscape. This is inappropriate for dealing with a ‘360 degree’ threat horizon and is proving
insufficient for effective network safeguarding. However, this type of strategy still has a place in today’s cyber security environment and for some good reasons:
- Longevity – reactive has been around for a while and contains proven elements
- Security software choices – there are many reactive strategy-driven resources and options available to businesses, allowing them to choose what best suits them
- Simplicity - the reactive approach is relatively simpler, with limited upkeep costs.
These advantages make a viable option for businesses that do not store sensitive data. But, for organisations responsible for valuable data, events show that reactive strategy-led defences are inadequate.
Active - ‘when they come, we will respond’.
An active approach to security builds upon the reactive with enhanced security monitoring of information and assets. In addition, vulnerability management, advanced firewalls, multi-factor authentication, NAC (network access controls), DLP(data loss prevention)
and other technologies are deployed and managed. Security Information Event Management (SIEM) systems are also deployed to provide real-time monitoring, though often not for all enterprise-critical assets.
However, regardless of the investment in people, processes and technology, the active model still waits for the bad guy to act first, before responding. By that point, it is potentially too late, the attacker is already in, although it will be discovered
sooner which means moving to to active measures faster.
Another drawback with the active stance is that many companies try to protect all the data all the time, thus increasing cost and unnessary complexity, as not all data is worth the same.
Proactive – ‘before they come, we will be ready’.
A proactive defence posture is intelligence-led, depending on comprehensive cyber security assessments. It uses cyber threat intelligence feeds working with real-time network monitoring to develop a detailed picture of the whole security landscape and how
threats can be manifested and exploited. Taking into account the nature and needs of the core business at threat, the resulting in-depth analysis can help identify and remediate weak spots, before exploits are available, as well as identify areas for targeted
investment to improve the total security of the system. Active intrusion prevention, data protection, data loss prevention and encryption or dynamic distribution technologies can protect data at rest, in-motion and in-use.
In this model, information and assets are assessed for confidentiality, integrity and availability needs. Defences are tuned to provide the level of protection appropriate to the value of the information and the risk appetite of the company.
The basis is strategic military principles of taking the fight to the enemy. Honeypots and (digital) tar traps can be set up to attract, slow down, or funnel attackers to certain parts of a defended but valueless network. This can help identify and act
against zero-day exploits, by hindering the attacker, and then assist in identifying the attack vector so it can be addressed.
Proactive intelligence will strengthen defences and increase resilience against the effects of Advanced Persistent Threats (APT) and ensure the smallest possible attack surface for zero-day attacks. The latter allows faster detection of attacks and identification
of remediation activities. Enhanced and detailed information can then be extracted and passed to the relevant authorities.
Clearly, staying one step ahead in potential attack vectors can make the defining difference. Thus, research and development is at the heart of this dynamic approach. But proactive cyber security posture does not render current firewall and safeguard infrastructure
pointless.
The proactive posture is most productively implemented in conjunction with the ‘traditional’ defences. It builds on the active to turn the enterprise from a perimeter and defence in-depth approach to one that combines data centricity with intelligence.
This in turn allows firms to predict adverse security events before they occur and take proactive defence measures.
To work effectively, this strategy demands long-term commitment. This is a challenge, given limited resources and shortage of appropriately skilled workers. (Although, over time, these obstacles will likely reduce.) But for big institutions safeguarding
substantial, valuable and continuously growing data sets, the prospect of proactive - and much more effective – cyber security is increasingly attractive.
What can a proactive cyber security posture achieve in practice?
If it had been implemented at Target, for example, many routes would have existed to prevent the damage and to provide faster means to contain and limit the damage.
Constant real-time network monitoring combined with intelligence would have identified abnormal activity from infected point-of-sale machines. This would have allowed for isolation and infection removal, before nearly 2000 were compromised and data was
egressed.
Honeypots and tar traps would have slowed down incursions, funnelling the hackers away from the real data, and preventing large losses of confidential information.
‘Caught’ infected machines could even have been used to track down the attackers, limit their potential to carry out future attacks, and provide prosecution evidence in a legally acceptable form.
Finally, non-attributable information on systemic vulnerabilities exposed, and exploitation mechanisms used, should be shared with the cyber security community and intelligence vendors. This could help improve identification of similar attacks and strengthen
resistance.
Conclusion
This ‘alternative Target scenario’ remains hypothetical. Yet it shows compellingly how a proactive approach is vital in effectively combatting cyber security threats.
As the cyber security industry continues to fight the war against criminals, the big hope is that there will be fewer of those massive breaches that shock the world. Making hope a reality demands a big shift – to nothing less than a fully proactive security
posture.
References
https://www.thesslstore.com/blog/2013-target-data-breach-settled/