BreachExchange mailing list archives

Why A Secured Network Is Like The Human Body


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 26 Jun 2014 20:20:04 -0600

http://www.darkreading.com/perimeter/why-a-secured-network-is-like-the-human-body/a/d-id/1278827


The networked enterprise is often compared to a fortress: Guard your
perimeter, build a secure wall, keep out intruders, beware spies and
traitors. Like many of our approaches to cyber security, this metaphor is
outdated and doesn’t help clarify the complex of challenges we are facing.

The new reality is that blocking and prevention mechanisms are not enough
to stop the more targeted types of threats we’ve seen. If massive,
multinational corporations can put millions of dollars and hundreds of
people on cyber security patrol and still be spectacularly breached, we
obviously need to make some adjustments. Security professionals are
realizing that they need to defend in three dimensions:

- What we do before an attack
- What we do during an attack to understand that one is happening (before
the dwell time leads to significant loss in IP)
- What we do after an attack to ensure it doesn’t happen again

This multidimensional view operates on the assumption that the attackers
will eventually get in (or are already inside as Gartner reminds us). It's
a paradigm shift that is quickly becoming the new norm and must be at the
heart of your plan to adapt to emerging attack vectors by proactively and
rapidly detecting and then remediating threats on all components of the
networked enterprise: servers, appliances, endpoints, and applications.

To draw a parallel to something that we all experience every day, the
secured networked enterprise is comparable, in its complexity and
mutability, to the human body. Unless we’re members of a SWAT team, most
of us don’t put on Kevlar each morning, pop a magic pill, and venture out
into the world thinking we’ll be safe. Likewise, a firewall and
anti-virus/anti-malware software aren’t nearly enough to keep our networks
safe, especially against targeted attacks.

Healthy bodies are well cared for on a continuous basis with preventive
measures. Day in and day out, they are nourished properly, exercised to
avoid weakness and stress, cleansed, and replenished by rest. Healthy
people respond to pain or illness with much greater vitality than sick
people. But when they get sick, they will usually respond with professional
diagnosis and targeted medication.

What’s more, people continuously monitor all their faculties -- skin,
digestion, cognitive function, respiration, and mobility -- for changes and
warning signs and adjust their behavior and nutrients to get back to an
optimal state. But even healthy people, like healthy networks, are not
impenetrable. They never know when they will eat bad food, pick up viruses,
or get hurt in an accident, but when they do, they don’t sit idly by; they
do something about the malady that is impacting them.

Similarly, although up-to-date anti-virus and anti-malware defenses are
important to keep out the normal day-to-day threat, companies also need to
focus on technologies and practices that will quickly find intruders and
mitigate the damage they can do. Just as there’s no magic pill to protect
our bodies, there’s no silver bullet in cyber security. Even the latest and
greatest technologies are deployed to detect threats only, not to block
them.

This was the case at Target where one mitigating factor was a significant
dwell time of the threat once it got inside. The detection took a long
time, response was delayed, and the damage was done. Imagine you are
diagnosed with a tumor and instead of taking an MRI that day, your
oncologist uses one from 12 months ago to determine the current size and
nature of your tumor. Unfortunately, by the time many of the advanced
threat detection technologies on the market today deduce that action is
needed, the intruder more than likely will have moved on deeper into the
network, spreading like a cancer.

We don’t go about our day assuming we are in perfect health; instead we
continuously check, remediate, and replenish. We usually know something is
wrong because we notice a cut is not healing, or that a rash is getting
bigger: not because a medical test indicates a problem, but because we
detect it and investigate it. This is how the new standard of cyber
security should look.

Towards a consensus on due care
This standard of care isn’t just a good idea, it is steadily evolving into
a necessity. Even the federal government’s NIST Cybersecurity Framework
urges a shift in the way we think about risk management and adapt to
ever-emerging threats. (See Section 2.2 "Framework Implementation Tiers,
Tier 4: Adaptive" for a vision of what we should be working toward.) While
each company and industry has its own set of standards, a consensus on due
care has begun to coalesce. At its essence, due care is the amount of
caution a reasonable person would have exercised to prevent a foreseeable
bad thing from occurring. If we assume attacks are always happening and
intruders are already in, then a data breach becomes a "foreseeable bad
thing."

Today, the job of security teams, boards, and executives is to determine
and deploy reasonable precautions: Protect your brand, prioritize your most
mission-critical assets, nurture a culture of security from the bottom up,
educate key stakeholders, and plan your incident response in detail. But
traditional perimeter defenses only get you part of the way there.
Constant, integrated, and holistic monitoring of the organization from
network core all the way to endpoints is what will bring you much closer to
becoming a truly healthy and protected enterprise.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
