Dec 08 2015

Expect the Best, Prepare for the Worst When It Comes to IT Security

Even the best security defenses can be compromised, so organizations must take steps to contain breaches and the damage they can cause.

The threats that organizations face to their information security are continually growing, and they come from numerous directions. Security-minded IT leaders not only have to worry about hackers, organized cybercrime groups and cyberespionage teams, but they also must address threats posed by internal users and trusted external parties.

It’s nearly impossible to completely protect an IT environment against the growing array of threats. Criminals are highly motivated, persistent and adaptable, able to break in using toolsets ranging from the simple to the sophisticated. Since organizations are unable to stop every strike in this barrage, it’s important to put some serious effort into breach containment.

To better hold the line in this battle, entities must stop thinking about intrusion protection and detection as two separate processes, says Ron Gula, chief executive officer (CEO) of Tenable Network Security. “If either one of these processes was perfect, you wouldn’t need the other one,” he says.

Today, any point on the network can be the source of a breach. With every asset essentially on the front line, security teams should approach intrusion protection, detection and risk management holistically.

The key: Organizations should abandon piecemeal security approaches that rely on periodic, manual log audits. Instead, security experts recommend implementing a strategy based on continuous monitoring to identify vulnerabilities and prioritize fixes based on attack vectors and risk.

Detection Deficit Disorder

One of the biggest problems with protecting network architectures is that an IT shop’s security efforts may be overly focused on the perimeter. If cyberattackers manage to inject malware or use a brute force attack to slip past a gateway undetected, they can take their time exploring a data center’s crown jewels — databases packed with confidential information and applications that process financial transactions by the millions.

If breaches are not detected quickly, attackers can accomplish their primary objectives – and more. Whether it’s spoofing executive emails to initiate hefty wire transfers to offshore banks or exfiltrating data through back doors until they’re discovered, the potential for organizational damage is significant.

Lengthy data center occupations are hardly a rarity. Worse, what Verizon’s Data Breach Investigations Report (DBIR) researchers call the “detection deficit” — the gap between the time attackers need to compromise a target and the time defenders need to notice — is widening. The 2015 DBIR shows that, in 2014, 46 percent of compromises required just minutes for attackers to succeed. Victims weren’t nearly so fast: roughly half of the organizations that suffered a breach didn’t detect it for months.

“To contain a breach, you have to know you’ve been breached,” says Kyle McGrane, a network security specialist with CDW. “With a perimeter firewall, you don’t notice anything until it comes in or goes out of the gateway. But what about internal activity?” With so many organizations making significant investments in applications, deployments of next-generation firewalls within data centers are increasing rapidly, says McGrane. These faster, more intelligent devices are application- and context-aware, incorporate intrusion prevention system (IPS) capabilities and are a key component in network segmentation strategies designed to contain breaches.

“You still have to keep the front door closed, but we’re seeing a lot more organizations moving inside to lock other doors to block access to areas where their most valuable data resides,” says McGrane.

The Credential Essential

The human element introduces significant vulnerabilities for many IT enterprises. Users generally support an organization’s security efforts, but humans remain fallible, so it’s important to enforce effective cybersecurity habits by managing user access privileges to all IT assets.

“User access should be based on the principle of least privilege,” says Anil Desai, an independent IT consultant. “Everyone — from the CEO to the database administrator — should have only the access privileges they need to do their job.” To add another layer of control, Desai says, sensitive data should be encrypted so lower-tier employees responsible for managing and backing up critical databases can’t see what’s stored inside.

“Most companies have an onboarding process to make sure new hires have the right credentials, but they also need a similar exit process,” says Desai. When a user leaves an organization, that user’s accounts should be disabled and access revoked immediately, rather than left to lapse on their own.

Further, security teams should regularly verify appropriate use of privileges by auditing all users and the IT resources they’re allowed to access — including servers, databases and applications. Rarely does an organization conduct this kind of audit and not find at least a few cases where users whose roles changed (such as by a promotion) still had access privileges to systems they no longer needed to use, Desai says.

Another effective control is to revoke a user’s access to an application or database if that user hasn’t used it within a specified period of time. This not only helps to maintain updated, accurate credential data, but it’s also an effective way to monitor what data users are accessing and when, says McGrane.
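The two controls above (auditing each user’s grants against their current role, and revoking access that has gone unused for a set period) amount to a review that can be run over an entitlement export. The following is an added example written for this article, not code from CDW, Desai or McGrane; the export format, the role-to-resource map and the user records are constructed, and the 90-day idle window is an assumed policy value.

```python
"""Stale-privilege review over an entitlement export (added example).

Assumes a hypothetical export: one record per user with current role,
account status, and the resources held, each with a last-used date.
Flags grants that fall outside the user's current role (role drift after
a promotion), grants never used, grants idle past a cutoff, and any grant
still held by a non-active account (missed exit process).
"""
from datetime import datetime, timedelta

# Hypothetical role-to-resource map: what each role is expected to need.
ROLE_ENTITLEMENTS = {
    "hr_analyst": {"hr_db", "payroll_app"},
    "hr_manager": {"hr_db", "payroll_app", "hr_reports"},
    "sales_rep": {"crm_app", "crm_reports"},
    "dba": {"hr_db", "crm_db", "backup_console"},
}

# Constructed sample export. Last-used values are ISO dates or None.
USERS = [
    {"user": "alice", "role": "hr_manager", "status": "active",
     "grants": {"hr_db": "2015-12-01", "payroll_app": "2015-11-30",
                "hr_reports": "2015-05-01",     # idle for months
                "crm_app": "2015-03-10"}},      # left over from an old sales role
    {"user": "bob", "role": "sales_rep", "status": "active",
     "grants": {"crm_app": "2015-12-05",
                "crm_reports": None}},          # granted, never used
    {"user": "carol", "role": "dba", "status": "terminated",
     "grants": {"hr_db": "2015-10-20", "backup_console": "2015-10-21"}},
]

# Review date fixed so the sample is reproducible (assumed).
AS_OF = datetime(2015, 12, 8)


def review_access(users, role_entitlements, now, max_idle_days=90):
    """Return (user, resource, reason) tuples for grants to revoke.

    Checks run in order of severity: a non-active account loses
    everything; then role drift; then never-used; then idle grants.
    """
    findings = []
    cutoff = now - timedelta(days=max_idle_days)
    for u in users:
        allowed = role_entitlements.get(u["role"], set())
        for resource, last_used in u["grants"].items():
            if u["status"] != "active":
                findings.append((u["user"], resource, "user_not_active"))
            elif resource not in allowed:
                findings.append((u["user"], resource, "outside_role"))
            elif last_used is None:
                findings.append((u["user"], resource, "never_used"))
            elif datetime.strptime(last_used, "%Y-%m-%d") < cutoff:
                findings.append((u["user"], resource, "idle"))
    return findings


def sample_findings():
    """Run the review over the constructed export as of AS_OF."""
    return review_access(USERS, ROLE_ENTITLEMENTS, AS_OF)


if __name__ == "__main__":
    for user, resource, reason in sample_findings():
        print(f"{user:8} {resource:16} {reason}")
```

The review only produces findings; feeding them into a ticketing or revocation workflow is a separate step, and a practitioner would want the role map to come from the same source the onboarding process uses, so that “outside_role” reflects the current job and not an out-of-date spreadsheet.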

Not Allowed Beyond This Point

Ultimately, modern network architectures require multiple layers of security. Each layer’s job is to be the dead end for an attack. But compromises happen. Network segmentation for compartmentalizing breaches should be part of an organization’s defense-in-depth strategy, but it’s complicated and requires continual oversight. This is why many businesses either don’t practice it or do so ineffectively.

In a 2015 Enterprise Strategy Group (ESG) survey, 57 percent of IT professionals said they’d had at least one security incident that compromised one or more data center servers within the previous two years. Nearly half (47 percent) experienced a server breach where attackers succeeded in moving laterally to other servers. More than three-quarters (77 percent) said they believed that further network segmentation would help prevent server compromises in their data center.

For effective segmentation, security teams must understand potential network pathways based on attack vectors. If attackers manage to break into a network, where could they go? Can they only get to a certain server or a certain segment of the network? If they can compromise a specific database server, does it house sensitive data? Is it likely they can move laterally to compromise other servers in that segment?

“If there’s a breach of a human resources database but it’s segmented from sales data, there’s no crossover, so it’s at least contained to one segment,” says McGrane. Technologies and techniques used for segmentation include network zoning, virtual local area networks, next-generation firewalls, IPS and strict access privileges.
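The questions above (where can an attacker go from a given foothold, and does a compromise of the HR segment stay out of the sales data?) can be answered before an incident by modelling segments and the allow rules between them and computing reachability. The following is an added example written for this article, not CDW’s or McGrane’s code; the hosts, segment names, rule format and the list of sensitive assets are all constructed, and the rule tuples are a simplified stand-in for any vendor’s firewall policy.

```python
"""Attack-path reachability over a segmentation policy (added example).

Hosts belong to segments; firewall rules allow traffic from one segment
to another on a port, and everything not listed is denied. Hosts in the
same segment are assumed to reach each other freely (the usual VLAN case
without host-level filtering). Reachability is computed as a breadth-first
search, so it models lateral movement hop by hop, not just direct access.
"""
from collections import deque

# Segment membership of hosts (constructed).
HOSTS = {
    "web-01": "dmz",
    "sales-app-01": "sales",
    "crm-db-01": "sales_db",
    "hr-app-01": "hr",
    "hr-db-01": "hr_db",
    "backup-01": "mgmt",
}

# Assets whose compromise matters most (constructed).
SENSITIVE = {"crm-db-01", "hr-db-01"}

# Allow rules as (src_segment, dst_segment, port); everything else denied.
SEGMENTED_RULES = [
    ("dmz", "sales", 443),
    ("sales", "sales_db", 5432),
    ("hr", "hr_db", 5432),
    ("mgmt", "sales_db", 22),
    ("mgmt", "hr_db", 22),
]

# The same hosts on a flat network: one segment, no internal filtering.
FLAT_HOSTS = {h: "lan" for h in HOSTS}
FLAT_RULES = [("lan", "lan", "any")]


def reachable_hosts(start, hosts, rules):
    """Hosts an attacker on `start` can connect to, directly or by pivoting
    through each host already reached. Ports are ignored here because any
    allowed port is a path an attacker can try."""
    adjacency = {}
    for src, dst, _port in rules:
        adjacency.setdefault(src, set()).add(dst)
    seen = {start}
    queue = deque([start])
    while queue:
        host = queue.popleft()
        seg = hosts[host]
        next_segments = adjacency.get(seg, set()) | {seg}  # same segment is open
        for other, other_seg in hosts.items():
            if other_seg in next_segments and other not in seen:
                seen.add(other)
                queue.append(other)
    seen.discard(start)
    return seen


def exposed_sensitive(start, hosts, rules, sensitive=SENSITIVE):
    """Sorted list of sensitive assets reachable from a compromised host."""
    return sorted(reachable_hosts(start, hosts, rules) & sensitive)


if __name__ == "__main__":
    for foothold in ("web-01", "hr-app-01", "backup-01"):
        print(f"{foothold:12} segmented -> {exposed_sensitive(foothold, HOSTS, SEGMENTED_RULES)}")
        print(f"{foothold:12} flat      -> {exposed_sensitive(foothold, FLAT_HOSTS, FLAT_RULES)}")
```

Run against the segmented policy, a foothold on the public web server reaches only the sales path and a foothold on the HR application reaches only the HR database, which is the containment McGrane describes; on the flat network every foothold reaches both databases. The model also makes visible that the management segment can reach every database, so the backup host is itself a high-value target and needs the same scrutiny as the data it protects.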

The right segmentation approach — and overall security strategy — will depend on the organization. Some requirements will be dictated by regulations that govern data protection such as the Payment Card Industry Data Security Standard (PCI DSS). Security teams should conduct self-audits to ensure they’re in compliance with these regulations.
