With the disappearing network perimeter, data being either at rest or in flight, inside the datacenter or on a user’s mobile device, companies are finding it increasingly difficult to secure their critical assets.
Cyber attacks, apart from being more sophisticated - harder to detect and mitigate, have risen up from standalone incidents to being more organised and thorough.
Attack-as-a-service together with post sales support and guaranteed success or money back option poses a daunting task ahead of organisations preparing to put up a defence against them.
The life of a CISO has never been so challenging as it is now.
Is having a best in breed next-generation security solution the answer to this challenge?
Gartner research suggests that, through 2020, 99% of firewall breaches will be caused by simple firewall misconfigurations, not flaws.
There's an overriding need for not only a framework to implement best in class security solutions to detect & mitigate attacks and breaches more quickly, but also the right expertise to design, implement, test and gauge the efficacy of such a solution on a periodic basis.
What choice would you make - Remediation after a security breach has taken place or continual inspection to ascertain the resilience of your company’s cyber defence ?
Let's take a closer look at these aspects to help you find the answers.
Establishing the Zero Digital Trust Framework
The principle 'Zero Digital Trust' is one of the most integral security frameworks in recent times. Its crux lies in simplicity - a default deny for all flows and concept of minimal access.
To effectively realize 'Zero Digital Trust' in your ecosystem here's what it entails
Complete Visibility - in the PERIMETER, NETWORK, END POINT, DATA CENTER, CLOUD, SAAS environment
More than 60% of the traffic in companies of all sizes is web-based and encrypted. They also serve as the carriers for anomalies of varied kinds - malwares, ransomwares, trojans, spywares etc.
Implementing SSL inspection for outbound internet traffic (i.e. from the users to the Internet) and the inbound direction for servers hosting critical application services is the key to gain full control over the application flows, made possible with the direct view of the application traffic under the encrypted layer.
Reduce the Attack Surface - It has the most wide scope and warrants a strict security discipline
Reduce the attack surface with an affirmative security model "Who needs access, to what resource, how and using what?" Block all known malicious activity. Disabling IPS signatures to gain firewall performance might prove costly further down the line. Avoid implicit trust between all hosts in a TRUST or DMZ zone.
Just because the name of the logical zone is TRUST it does not mean all the hosts in it are trustworthy.
One affected host in a network can infect the rest in no time.
Internal segmentation - without network segmentation, lateral movement for the anomalies is a straightforward - unhindered and undetected, both for attackers with remote access in your network as well as for automated attacks (i.e. NotPetya, BadRabbit).
Combine firewall policy enforcement with Identity based firewalling, Multi-Factor Authentication, File Blocking and URL Categorization using a Cloud based engine - all contribute to effectively reducing the attack surface. Automation is the only possible way to keep up with the volume and complexity of the attacks and overcome the skills shortage.
Extensive Logging, not only blocking. All logs need to be saved. This is crucial for incident response, threat hunting, threat intelligence, machine learning, and other activities.
Data is widely considered to be a most valuable asset. Big amounts of data are required in order to create Machine Learning and Artificial Intelligence models to detect malicious activity. Storing and analyzing data in house is not enough. With big amounts of high quality data and machine learning applied to behavioral analysis, we can keep up with our adversaries.
Prevent Known Attacks
Almost all next-generation security vendors maintain a huge shared pool of threat intel with each other. It includes hashes and samples from attacks seen in the wild and reported by other customers. This equips the security vendors to consolidate their defence and create timely signatures for detecting and blocking such anomalies, soon after the ‘patient zero’ is reported
Having seamless connectivity of all the sensors in your ecosystem - network firewall, endpoint protection clients, SaaS and Cloud security sensors - to the signature distribution points is the key to detect and respond to these known anomalies.
Attackers often target the known vulnerabilities existing in end point systems. Having a detailed posture from the users machine is absolutely imperative It's an essential practice to allow access to critical assets for users, whose endpoints match upto the security guidelines in the organization.
Of course there needs to be a strict IT security framework and cyber security awareness in the first place!
Prevent Unknown Attacks
Detection, mitigation and distribution of Zero Day Protection for completely new anomalies - malwares and other form of threats.
Sand-box environments in different form factors - on premise, cloud based or hosted as a SaaS service to tackle the Zero Day exploits provides a solution to this challenging problem.
Advanced persistent threats warrant a behavioral detection methodology - instead of identifying the malware based on what it is (signature-based) - behavioral malware detection relies on what the malware is prone to do. Sandboxes execute these anomalous programs, observe its behavior and then analyze it in an automated fashion.
Sandboxes and machine learning powered models
The sandbox blocks malicious samples based on their behavior before it runs on the endpoints. These days most sandboxes include a virtual execution environment for in-depth inspection of running samples that use multiple detection methods including behavior-based detection, in-memory introspection and extrapolation models powered by machine learning.
This approach is more concrete and efficient than comparing the signatures of files. Sandboxing closely inspects what the file does, hence it is much more conclusive in ascertaining if the file is malicious than signature-based detection technique. Often well crafted malwares are resistant to detonation in virtual sandbox environment.
Hence a sandboxing environment which also uses dynamic behavioral analysis and dynamic unpacking to detonate suspect files in a variety of software and bare metal environments is required.
Once the malware is detected the signature is then created and distributed to all registered points in the customer’s eco system - firewalls and end point systems.
Choosing Next-Generation Cyber Security Products
Getting best of breed off-the-shelf, standalone security products might prove counterproductive, contrary to the expectation.
The focus should rather be directed towards a solution based approach in which multiple security sensors on the Network, End Point, Cloud, SaaS environments along with SIEM and Machine Learning can be stitched together to build a complete secure posture for your organisation.
Kunal Biswas - 7 March 2019
Do you want to learn more about this subject, or do you have specific questions? Don't hesitate and reach out! Speak with a solutions expert or architect. Give us a call or leave a message. Our team is ready for your inquiries.
Solutions Architect Cyber Security, Infradata