


total protection

TIME TO FACE UP

REACTING AFTER AN ATTACK IS WAY TOO LATE. THE DAMAGE IS DONE. SO WHAT STRATEGY WILL KEEP YOUR ORGANISATION SAFE AND NOT PROVE AN ILLUSION?

The choice between Protection + Prevention versus Detection + Response is an illusion - that is the contention of David Broad, Information Security and Audit Lead, Echoworx.

"As security practitioners, we all learnt that defence in depth was key. Yet we focused too much on defence as just a wall or line that would protect us. This type of thinking has been proven to be insufficient, time and time again. First, we put up firewalls and thought we were safe. Then we realised we needed IDSes, and eventually IPSes. SIEMs and other tools were next. These fulfil parts of the equation, but not all of them. Once your defences are static and do not evolve based on feedback of what is actually happening, then they can be worked around."

Aligning to only one of Protection + Prevention or Detection + Response will leave gaps, he says. "If modern threats have taught us anything, it is that no one solution is going to solve all the problems. We need blended approaches that implement tools to protect our perimeters, but also other tools and systems that can detect anomalous traffic and tune networks on the fly to respond. No significant Information Security standard - be it ISO 27001, the NIST Cyber Security Framework, Webtrust, or others - stops at simply doing one aspect of security.

"The key is to keep them balanced and all fed with tools, resources and funding to enhance capabilities across the board," he comments.

Many companies think that once they have a few tools deployed to control their perimeter they are done. "But how effective are these tools that they have deployed? Just because the tools don't detect anything doesn't mean that there is nothing there. For each tool that is deployed, businesses should think of how they will measure its effectiveness.
What did traffic look like before it was deployed? What does it look like after? What would it look like if it wasn't working? What could it be missing?

"Understanding the limitations of tools that are deployed is key to understanding what else you should be monitoring for and being able to feed this into your risk management processes to forecast the next tools that you should be deploying. Reacting after an attack is too late. The damage is done."

For Broad, it's not a question of 'Protection + Prevention or Detection + Response' - it's more a matter of 'Protection + Prevention + Detection + Response'. "The hope would be that, if you are monitoring your current tools, then you will detect gaps before they are an issue and the response will then be a planned upgrade or deployment, as opposed to an incident investigation."

A MATTER OF PERCEPTION

Daniel Driver is head of Perception Cyber Security at Chemring Technology Solutions, which has developed Perception, a bioinspired network security system used worldwide by defence and security agencies. He argues that, while IT professionals now work on the assumption that their networks are constantly at risk, traditional cyber security systems still use a 'protect & prevent' approach, rather than a more modern 'detect & respond' approach.

"In reality, the biggest security threat that most organisations are exposed to exists within their own network. Social engineering is a growing method for hackers who want to break into networks and endpoint security cannot identify if an authorised user's device is sending out sensitive data. Bring Your Own Device (BYOD) and tools that encourage online collaboration also blur the lines between trusted and untrusted data sources, making identification of threats far more difficult."

14 computing security May/June 2018 @CSMagAndAwards

Increasingly sophisticated attack activity can only be detected by real-time internal network monitoring, which until now has proved to be an almost impossible task, due to the volume of data which flows through even the most basic of networks, he adds.

"The traditionally applied security systems such as firewalls, Intrusion Detection Systems (IDS) and anti-virus should therefore form only part of modern cyber defences. An additional network layer is needed to quickly identify activity caused by malicious behaviours, regardless of whether it's a new threat, a novel technique or a malicious insider," adds Driver.

Such a behavioural-based system, he states, "delivers incredibly high detection rates with equally low false alarms and would be equally powerful in identifying potentially exploitable weaknesses in a network before any attack actually occurs - enabling organisations to proactively increase the security of a network over time".

Driver believes that this step change in the battle to combat the increasingly sophisticated cyber security threat would identify malware that actively outwits rules-based or sandboxing appliances, as well as data being leaked by a trusted device. "Organisations could also proactively close vulnerabilities in a network, rather than reactively patching holes once they've already been exploited by an attacker," he points out.

THANKLESS TASK

We expend a lot of energy in cyber security, attacking and pillorying organisations that are successfully targeted, states Neil Anderson, director of cyber security at Assure APM. "A brief glance at Twitter after a major breach will often show an impressive level of disdain on the part of researchers and 'red team' groups - people whose livelihoods rely on finding vulnerabilities and exploiting them - about an organisation's inability to stay secure." The critics have a point, he concedes.

All too often, it is basic security failings that let attackers into organisations. "We often hear a recently breached company throw up its hands as it tells us that 'it was an advanced threat actor that attacked us, what could we do?' Well, patching your known vulnerabilities and not clicking on links in unsolicited emails wouldn't hurt."

For all this worthy criticism, however, protecting an organisation can be a difficult and thankless task. "Security teams are often viewed as a cost centre and an obstacle to achieving business objectives, leaving them struggling to keep abreast of the firehose of new vulnerabilities, exploits and regulatory pressure," Anderson adds.

"In the past, security vendors have been apt to try to sell us miracle solutions: tools that will solve all our security problems in one fell swoop, leaving security engineers free to concentrate on pondering strategy, petting unicorns, and fiddling with the occasional firewall. In those days, we tended towards a protect and prevent strategy, forming a perimeter around our networks and trying hard to stop any attacker, no matter how skilled, from getting in."

These days, we are generally sadder, but also a little wiser, he comments. "As the network perimeter has disintegrated, the concept of complete protection has been shown to be an impossibility and we tend to focus our efforts on an infinitely more achievable risk-based approach. This basically involves working out what the risk of a given vulnerability being exploited is and then making a (mostly) objective decision on whether to stop that risk from ever being realised, to mitigate its effects should it happen or to accept the risk - in other words, gamble that it will never happen."

The important thing to remember, Anderson says, is that none of these options is a perfect

Daniel Driver, Chemring Technology Solutions: the biggest security threat that most organisations are exposed to exists within their own network.

David Broad, Echoworx: many companies think that once they have a few tools deployed to control their perimeter they are done.
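Two points made above can be shown in a few dozen lines: Driver's case of an authorised device quietly sending data out, which an endpoint tool that trusts the device will not flag, and Broad's question of what a deployed tool could be missing. The following is an added example written for this page, not code from Chemring's Perception or from any product or person mentioned in the article. It keeps a per-device baseline of hourly outbound bytes (median and median absolute deviation, so one burst in the training window does not inflate the baseline) and flags hours that sit far above a device's own history. The device names, byte counts, window sizes and threshold are all constructed for illustration.

```python
"""
Per-device egress baseline with robust deviation scoring.

Constructed example (not real traffic): hourly outbound byte counts for
three authorised devices. Hours 0-23 train the baseline; hours 24-29 are
scored against it. One laptop pushes out 2 GB in a single hour, another
leaks an extra 1.5 MB/hour, and a device with no history appears.
"""
from collections import defaultdict
from statistics import median

TRAIN_HOURS = range(0, 24)   # baseline window (assumed)
SCORE_FROM = 24              # first hour to score (assumed)
THRESHOLD = 5.0              # robust z-score above which an hour is flagged (assumed)


def make_records():
    """Constructed flow summaries: (device, hour, bytes_out)."""
    records = []
    for hour in range(30):
        bytes_07 = 50_000_000 + (hour % 5) * 1_000_000
        if hour == 26:
            bytes_07 = 2_000_000_000          # bulk copy-out from an authorised laptop
        bytes_12 = 20_000_000 + (hour % 3) * 500_000
        if hour >= SCORE_FROM:
            bytes_12 += 1_500_000             # low-and-slow leak, inside normal variation
        records.append(("laptop-07", hour, bytes_07))
        records.append(("laptop-12", hour, bytes_12))
        records.append(("fileserver-01", hour, 400_000_000 + (hour % 4) * 10_000_000))
    records.append(("unknown-4f3a", 27, 5_000_000))   # device with no history (BYOD-style)
    return records


def build_baseline(records, train_hours=TRAIN_HOURS):
    """Median and MAD of bytes_out per device over the training window.

    Returns {device: (median, scale)} where scale is the MAD with a floor.
    """
    per_device = defaultdict(list)
    for device, hour, bytes_out in records:
        if hour in train_hours:
            per_device[device].append(bytes_out)
    baseline = {}
    for device, values in per_device.items():
        med = median(values)
        mad = median(abs(v - med) for v in values)
        # Floor the scale: a perfectly flat history would otherwise make
        # any 1-byte change an "anomaly" (or divide by zero).
        scale = max(mad, 0.01 * med, 1.0)
        baseline[device] = (med, scale)
    return baseline


def score(records, baseline, score_from=SCORE_FROM, threshold=THRESHOLD):
    """Flag hours whose egress deviates from the device's own history.

    Only excess egress is scored (signed deviation); a device that is
    absent from the baseline is reported separately rather than ignored.
    """
    anomalies = []
    for device, hour, bytes_out in records:
        if hour < score_from:
            continue
        if device not in baseline:
            anomalies.append({"device": device, "hour": hour, "bytes_out": bytes_out,
                              "z": None, "reason": "no baseline for device"})
            continue
        med, scale = baseline[device]
        z = (bytes_out - med) / scale
        if z > threshold:
            anomalies.append({"device": device, "hour": hour, "bytes_out": bytes_out,
                              "z": round(z, 1), "reason": "egress far above device baseline"})
    return sorted(anomalies, key=lambda a: (a["hour"], a["device"]))


def run():
    records = make_records()
    return score(records, build_baseline(records))


if __name__ == "__main__":
    for anomaly in run():
        print(anomaly)
```

Run as a script it reports the 2 GB hour on laptop-07 and the unknown device, and nothing for laptop-12: the extra 1.5 MB/hour stays inside that laptop's normal variation, so a volume baseline alone does not see it. That silence is the kind of gap Broad describes; knowing it is there is what should drive the next control (for example, cumulative volume over a day, or a per-destination baseline), rather than the absence of alerts being read as the absence of a problem.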