Defenders are at an asymmetric disadvantage when it comes to defending their networks. Attackers spend every minute of their day focused exclusively on penetrating your network to accomplish their mission…and opportunities abound. Today’s modern networks go beyond the walls of the enterprise to include endpoints, mobile devices, and virtual desktops and data centers. These extended networks constantly evolve and create new attack vectors including mobile devices, web-enabled and mobile applications, hypervisors, social media, web browsers and home computers. The job of the defender has never been more challenging.
Unfortunately, defenders don’t have the luxury of spending their days focused on security. The reality is that most IT security teams are understaffed, hampered by static and disconnected security technologies and consumed with addressing compliance and regulatory issues and other business imperatives. Unfocused on threats for too long, they risk being blindsided by attackers gaining maximum leverage of new vulnerabilities and new techniques to gain entry and achieve their objective, be it to gather data or simply to destroy.
Security teams need to recalibrate the way they approach security. To stay ahead of threats they need to start thinking like attackers. The only way to do this is to change their security model to be threat-centric; to address the extended network and the full attack continuum – before, during and after an attack. And to be truly effective, this threat-centric model must encompass all aspects of a security – not only technology, but processes and people as well.
Here are just few recommendations for how to move forward with a threat-centric approach to security.
Technology: It’s a natural instinct to go for low-hanging fruit first so most organizations start by protecting their core networks with solutions that are typically the fastest and easiest to deploy. But ‘silver bullets’ don’t exist and this approach alone won’t suffice. Attackers don’t discriminate and will take advantage of any gap in protection to reach their end goal. You need solutions that also protect endpoints, mobile and virtual environments. They must work together in a continuous fashion and they must span the full attack continuum.
Before an attack, defenders need comprehensive awareness and visibility of what’s on the extended network – devices, operating systems, services, applications, users, content and potential vulnerabilities. Establishing a baseline of information is a critical first step in defending your organization from attack. From there you can implement policies and controls to defend it, for example implementing access control over applications and users to minimize the attack surface.
During an attack, the ability to continuously detect threats and block them is critical. And because threats change so quickly, having the ability to learn and update detection information based on evolving threat intelligence is critical to maintaining security effectiveness.
After an attack, marginalizing the impact becomes the priority. To do this defenders need to take a proactive stance with retrospective security, the ability to identify the root cause, understand the scope of the damage, contain the event, eliminate the risk of re-infection, remediate it and bring operations back to normal.
Processes: There are two aspects to consider here; the first is identifying processes ripe for automation. There aren’t enough hours in the day and IT security teams have too many other responsibilities to be able to address today’s barrage of attacks with manual approaches. The ability to reduce labor intensive tasks and streamline processes with automation is essential. Tools that can intelligently identify and automatically alert only on relevant security events can save security teams hours investigating events that aren’t real threats. In addition, being able to automatically enforce and tune security policies and rules to keep pace with the changing threat landscape and evolving IT environment minimizes risk of exposure to the latest threats and vulnerabilities.
The second aspect to consider is an incident response process. Security events happen and many organizations don’t have an incident response plan in place. Every organization should have a designated Incident Response team, even if not full time, that is cross-functional and trained to communicate and respond to security events. The team needs to be backed by documented processes and policies. For example, an InfoSec Policy must be put in place to ensure you’re protecting the right data. An incident response runbook with clear step-by-step instructions for the team to follow in the event of an attack, including incident notification and a collaboration call tree, leads to better, swifter and more accurate containment and remediation. Finally, systematic program reviews on a quarterly basis can ensure that your policies, configurations and rules performance are protecting your organization as needed.
Education: At the end of the day, technology and processes are only as good as the people behind them. Organizations must be committed to keeping their staff highly trained on the current threat landscape. Ongoing professional development with a specific focus on being able to identify an incident, know how to classify it and how to contain and eliminate it will help keep security teams apprised of the latest techniques used by attackers to disguise threats, exfiltrate data and establish beachheads for future attacks. Certifications and trainings to remain current on security technologies and how to optimize their deployment and tuning for maximum security effectiveness ensure organizations are getting the most from their IT security investments.
In these particularly challenging times for security professionals, it’s imperative they re-balance and optimize operations for a consistent emphasis on the threat. By putting a threat focus closer to the center of what they do they’ll have the clarity, the resources and the liberty they need to sharpen decision-making and confront the greatest risks to their enterprise.
Al Huger is the vice president of development, cloud technology group, at Sourcefire.
