The Network is everywhere…and so are the threats. To stay protected and competitive your IT security strategy must continue to evolve.
For decades, the standard approach to IT security has been to protect the perimeter: put firewalls and anti-virus software at the edge of the network to keep the bad guys outside, and to assume that anyone inside the network is innocent. This defensive approach gained a few more layers as IT networks became more complex – developing into a multi-layered defense strategy – but the basic concept stayed the same.
However, a perimeter defense only works when you have an identifiable perimeter, and that is becoming a real challenge in this era of intelligent networked devices, mobile computing, and multi-cloud networks. If the network is everywhere, how do you defend it?
Protect Borderless Networks
In our November 8 webcast, The Frontline is Everywhere: New Perspectives in Defense in Depth, I explained why IT organizations need a new model for security, one that can adequately protect our borderless networks.
Four Key Concepts to use as the Foundation of Your IT Security Strategy
It’s these types of incidents, as well as the recent rash of ransomware and hacking attacks around the globe, that illustrate how easy it is to lose control of confidential information. While there are many good security technologies on the market to help protect different parts of the network, inside and out, IT managers should first evaluate their organization’s security plans and procedures. Without an inventory of IT systems, security technologies and processes, it is impossible to know which of the many security products on the market – e.g. encryption, endpoint security, firewalls, IP monitoring, malware detection, mobile security, threat analysis, transaction security, etc. – will be the best fit for your IT environment.
Organizations should adopt an IT security strategy based on four concepts:
- Zero trust
- Rapid response
(1) Zero Trust
The concept of zero trust is rooted in the principle of “never trust, always verify” and assumes that any packet on the network, at any given time, could be a malicious payload or from a malicious actor. Unfortunately, we’ve seen attacks where, once the external security was compromised, the attackers could roam freely on the network.
A better approach is to have security inside, as well as outside, constantly verifying that users are legitimate and have the right to the data they are attempting to access. This approach is particularly important in virtualized environments where a single compromised system, without appropriate protections in place, can be used to move laterally within the network and leverage weaker internal protections as potential attack vectors to gain additional elevated access.
Because cyber-criminals all want the same thing – your data –a data-focused security strategy that employs different levels of security for different categories of data is ideal. That means cataloging and classifying all your company’s data by its importance and sensitivity, and then adopting security policies and technologies appropriate to each. A data-centric security plan would, for instance, place minimal security on non-critical information, such as web content, but assign the highest level to the company’s mission-critical data, such as its R&D plans for new products.
For commonly accessed, but highly sensitive, information such as personnel records, a company might set access controls on each file, or even each record of each file, so people can view only the information they’re authorized to and no more. Or a company launching its IPO might employ a heavily secured, online “data vault” to provide auditors and institutional investors a place to view the records without the risk of them saving to disk or emailing the records elsewhere. Other factors also determine the level and type of security measures – such as the response time required by users of the data, and where it’s located.
Ask what data is mission critical, or how quickly would it put me out of business if it were to show up on a Dark Web site somewhere. Then focus strongly on validating and developing policies to ensure that all traffic coming anywhere near that data is monitored as closely as traffic coming in from the outside.
Another critical element of defense is visibility into network activity and evidence of possible data breaches. To monitor traffic patterns and user behaviors, a security information and event management (SIEM) tool lets you start to see patterns as to what’s normal, what’s abnormal, and where a policy may have been violated, or where it needs attention. SIEM software tools provide dashboards with alerts and forensic analysis to dig deeper into problems. For the more budget-conscious organization, however, even an old-fashioned log monitoring tool is useful and provides critical information on events in your IT environment. Event logs, however boring they may seem, are the DNA of your environment. They can provide essential early indicators of potential compromise, and allow for more rapid remediation of threats to the integrity of your organization’s data.
(4) Rapid Response
Coupled with visibility is the ability to respond rapidly if a breach is detected. The longer it takes to detect and respond to an attack, the longer a cybercriminal has to evaluate and exploit your IT assets. In a number of high profile attacks over the past few years, hackers had literally months of “dwell time” in which to steal large volumes of data. A well-known example of this is the Sony Pictures breach. As much as 100 terabytes of employee data and confidential company emails was compromised and it took Sony over a year to notice and then shut down the breach.
Additionally, everyone should have an effective response plan for what to do in the event of a breach. Once you know something has happened, how do you contain it? How do you take systems offline, and move that virtual machine off the public router, or save evidence for future prosecution, and clean the environment of malware? Even having a plan in place for who is going to talk to the press or call suppliers is important in executing an effective response.
But above all—be paranoid. You must be maniacally risk-aware in order to be able to defend against a breach. You can’t protect what you don’t know you’re protecting.
Establish a Comprehensive IT Security Strategy
To learn more about establishing a comprehensive IT security strategy, watch this on-demand webinar, The Frontline is Everywhere: New Perspectives in Defense in Depth. As always, feel free to reach out directly with any questions or considerations.
Brian Anderson is Director of Security Product Management at TierPoint where he is responsible for the care and upkeep of the Managed Security services portfolio. Brian brings 20+ years of experience leading product management and engineering teams focused on building and delivering advanced Cybersecurity, Risk, and Threat Intelligence services on a global scale. While he is currently based in suburban Philadelphia, he’s never far from the InfoSec frontlines.