In the abstract, network and systems security is easy. We all agree that keeping bad actors out of your electronic world is a no-brainer. We also all agree that there are different rights levels that should be assigned to different user groups. Finally, we all agree that certain systems contain more valuable data than others. So with all of this agreement, why can't any of us seem to accomplish any of these things?
As it turns out, while abstract security concepts are easy, concrete implementations are not. All we need to do to validate this is to look to the recent spate of high-profile security breaches. Companies like Sony, Home Depot, Target, Skype, and Neiman Marcus have all been compromised, as have health insurance companies Anthem and Premera.
The cost of security breaches
These hacks deal twofold damage. The targeted organizations' brands and reputations suffer, and so does the privacy and safety of consumers' identities and financial data. All of this leads to a significant amount of financial damage to the companies affected. Some won't survive the resulting fallout.
Retail and financial services organizations aren't the only ones at risk, either. Over the course of the last 20 years, cyberattacks have evolved from mere nuisances for network and systems professionals to contain and swat away into far more advanced and damaging attacks, sometimes aimed at critical infrastructure. The attack on the Iranian nuclear program shows that networks are being targeted not only by advanced hacking groups but also by nation states on all sides. Even systems that are not ostensibly reachable from the outside have proven vulnerable. In the wake of this and other disclosures, is it any wonder that cybersecurity is one of the fastest-growing specializations for IT professionals?
Security firm IronNet Cybersecurity, headed by former NSA head and retired four-star general Keith Alexander, estimated that companies worldwide will have spent approximately $364 billion in 2014 to combat and recover from security breaches. That is a truly staggering number, and it is only growing year over year. In fact, by many other accounts, that figure is soft. The Center for Strategic and International Studies puts the number at $300 billion for the U.S. alone, with worldwide spending coming in at $575 billion.
Security breaches going undetected
Robert Mueller, former director of the FBI, has said of the current state of security, "There are only two types of companies: those that have been hacked, and those that will be." I would change that last part to read, "those that have been hacked, and those that don't know they've been hacked," due to the simple fact that most companies don't have an adequate security monitoring infrastructure or mindset in place.
Further proof of this comes in the form of the latest announced healthcare hack, that of CareFirst, a Blue Cross and Blue Shield healthcare insurer serving the Maryland, Virginia, and Washington D.C. areas. Security company Mandiant discovered the hack while helping the company to secure its systems after the recent spate of healthcare security breaches. One wonders how many other insurers and healthcare entities are unaware of their own statuses in the wake of these announcements.
A scary statistic for those trying to stem the seemingly inevitable tide of compromised data comes from a 2015 Mandiant M-Trends report, which concluded that the median length of time an attacker was left undetected in a system post-compromise was 205 days. Making matters worse, in 69 percent of cases, up from 63 percent in 2012, the victims were notified of the breach by an external entity. Let's say that again, just to be clear: The companies themselves did not discover the hack on their own. Clearly, detection is a challenge.
The need for real cybersecurity leadership
Part of the problem we have seen with cybersecurity until very recently is that business decision-makers in most companies were simply not attuned to the true threats facing their organizations. Network security was mostly a series of checkboxes to be ticked off on audit reports--yes, we have a firewall; yes, we run antivirus--and then largely left alone. "Set it and forget it" was the paradigm for years, and that is only now beginning to change. The position of Chief Information Security Officer, or CISO, has gained widespread adoption, a position that typically has operational oversight and authority in parallel with the CIO for IT operations. This shift is changing the way organizations handle information security.
Firewalls and isolated DMZs are no longer good enough, and neither is antivirus or any of the other traditional means of protection. After all, despite these standard measures and the rudimentary monitoring that has largely passed scrutiny in the past, every one of the attacks discussed above was missed. Attackers sat inside these systems for months, and sensitive data was stolen. Not only is detection a challenge; so too is prevention.
Preventing security breaches on your network
Considering that an inordinately large number of attacks are predicated on social engineering--getting someone to click on a malicious link in an email, for instance--training becomes a key component of any defense strategy. Most of the attacks outlined here were carried out using valid credentials. The attackers went unnoticed because they were operating within the confines of the role-based access control (RBAC) systems they had compromised. If we cling to the old idea that threats inside the network are less severe than those coming from outside, we have already lost. Threats may largely originate from outside, but in today's world they don't break down the doors to get in. They're invited in and welcomed with open arms.
One of the best ways to get a handle on network security today is to first gain real visibility into the landscape of your network. Monitoring only select traffic flows or servers, or relying on syslog data sent to a box somewhere that someone checks occasionally, is not enough. We have to get our networks to a point where we are monitoring absolutely everything, and doing it at network speed. If you can't see it, you can't react to it.
Passive taps, larger and more affordable bandwidth, better switching fabrics, more computing power, and faster and larger storage all make this a much less daunting and financially difficult process than ever before. No longer is it unrealistic to assume that all traffic on a network will be captured, analyzed in real time, and stored for future playback and analysis. Storing everything forever is untenable, of course, unless you have unlimited government funds and an opaque operating charter, but storage for some amount of time is now within most large organizations' grasp.
Real-time Big Data security analytics is another key component of an advanced threat mitigation strategy. Capturing the data at network speed is one thing, but if you're relying on human eyes to spot the threats and respond, you've accomplished nothing more than handing a series of vendors and consultants your money. Big Data analytics succeeds in this arena precisely because of its core strength: analyzing unstructured data and pulling out information that you may not have even known to look for. For the first time in information security's history, heuristic analysis of security threats is within our reach.
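The two points above, that attackers operate with valid credentials inside the limits of the RBAC roles they compromised, and that analytics should surface activity nobody knew to look for, come together in a baseline-and-deviation check. The following is an added example, not code from the article or from any vendor it mentions: it builds a per-user profile from a constructed week of authentication events (source /24, hosts touched, hour-of-day window) and flags later events that depart from that profile in more than one way. The log format, the user names, the addresses and the threshold of two deviations are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events, not taken from the article. The baseline block
# stands in for a quiet week of normal activity; the new block contains a valid
# account (alice) being used outside its usual source network, hours and hosts.
BASELINE_LOGS = """\
2015-05-04T08:12:03 user=alice src=10.1.20.14 host=fileserver-01 result=success
2015-05-04T09:01:44 user=alice src=10.1.20.14 host=fileserver-01 result=success
2015-05-05T08:20:11 user=alice src=10.1.20.14 host=hr-app-02 result=success
2015-05-06T08:45:30 user=alice src=10.1.20.15 host=fileserver-01 result=success
2015-05-04T08:30:00 user=bob src=10.1.30.7 host=db-reporting result=success
2015-05-05T17:55:12 user=bob src=10.1.30.7 host=db-reporting result=success
2015-05-06T09:10:09 user=bob src=10.1.30.8 host=fileserver-01 result=success
"""

NEW_LOGS = """\
2015-05-11T08:15:00 user=alice src=10.1.20.14 host=fileserver-01 result=success
2015-05-11T02:47:19 user=alice src=203.0.113.9 host=fileserver-01 result=success
2015-05-11T02:49:02 user=alice src=203.0.113.9 host=db-reporting result=success
2015-05-11T10:00:00 user=bob src=10.1.30.7 host=db-reporting result=success
"""

# Assumed key=value line layout; real collectors (syslog, Windows event logs) differ.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) host=(?P<host>\S+) result=(?P<result>\S+)$"
)


def parse_events(text):
    """Turn the log text into a list of event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["time"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
        ev["prefix"] = ev["src"].rsplit(".", 1)[0]  # /24 network of the source address
        events.append(ev)
    return events


def build_profiles(events):
    """Per-user baseline from successful logins: source /24s, hosts touched, hour window."""
    profiles = defaultdict(lambda: {"prefixes": set(), "hosts": set(), "hours": []})
    for ev in events:
        if ev["result"] != "success":
            continue
        p = profiles[ev["user"]]
        p["prefixes"].add(ev["prefix"])
        p["hosts"].add(ev["host"])
        p["hours"].append(ev["time"].hour)
    for p in profiles.values():
        p["hour_window"] = (min(p["hours"]), max(p["hours"]))
    return dict(profiles)


def score_event(profiles, ev):
    """Return the list of ways this event departs from the user's own baseline."""
    p = profiles.get(ev["user"])
    if p is None:
        return ["no_baseline"]  # an account never seen before is itself worth a look
    reasons = []
    if ev["prefix"] not in p["prefixes"]:
        reasons.append("new_source_prefix")
    if ev["host"] not in p["hosts"]:
        reasons.append("new_host")
    lo, hi = p["hour_window"]
    if not lo <= ev["time"].hour <= hi:
        reasons.append("off_hours")
    return reasons


def detect(baseline_text, new_text, threshold=2):
    """Flag new events with at least `threshold` deviations; a single deviation is usually benign."""
    profiles = build_profiles(parse_events(baseline_text))
    hits = []
    for ev in parse_events(new_text):
        reasons = score_event(profiles, ev)
        if len(reasons) >= threshold:
            hits.append({"event": ev, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in detect(BASELINE_LOGS, NEW_LOGS):
        e = hit["event"]
        print(f"{e['ts']} {e['user']} {e['src']} -> {e['host']}: {', '.join(hit['reasons'])}")
```

Every flagged line here is a successful login with valid credentials, which is exactly what a firewall rule or an antivirus signature cannot see; the signal comes from comparing each event against the account's own history rather than against a list of known-bad indicators. In practice the baseline would be rebuilt continuously and the deviation checks extended (volume of data read, protocol, device fingerprint), but the shape of the check stays the same.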
Of course, a robust reporting engine and human oversight are still necessary, but putting advanced analysis tools in place as a first line of defense will finally arm information security professionals with enough tools to make cybersecurity a fair fight. Threats will continue to evolve, and as soon as we adapt to them the attackers will find new avenues to exploit. If there is one takeaway here, it's just this: threats are rapidly changing, and so must we. The process won't get any easier, but awareness and acceptance of the need for it keeps us moving forward, and keeps us in the game.