Attacks/Breaches

9/16/2013
02:03 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

Is The Perimeter Really Dead?

Despite naysayers, many security experts believe perimeter defenses have relevance when deployed as a part of defense-in-depth

Even while mobile, cloud, and software services are blurring the lines of corporate IT boundaries through deperimeterization, enterprises still continue to spend increasing amounts of security budget on perimeter protection. The question is, are they wasting their money? It's one of the most contentious questions in security -- perhaps only behind the one about the usefulness of antivirus. So it is no surprise that the answers are varied.

Hardliners, of course, have been hammering on the death of the perimeter for a long time now.

"Perimeter security is no longer relevant to enterprises. With the mobilization of the workforce, it's very hard to define the perimeter of any organization because mobile-enabled employees are connecting to the network from all over the world on devices of their choosing," says Thevi Sundaralingam, vice president of product management at Accellion. "Next-gen security needs to focus keeping content safe, not on defining a network perimeter."

Then there are the cynical abandoners.

[Is IPS in it for the long haul? See The Future of IPS.]

"In my opinion, perimeter security is not dead -- it just has been handled incorrectly for so long people are giving up," says Alex Chaveriat, a consultant at SystemExpert, of this crowd.

But others believe perimeter protection still has plenty of relevance for enterprise IT, even if it means rethinking the role of the perimeter and how these defenses are deployed.

"The perimeter will never die, it will just get more focused," says Corey Nachreiner, director of security strategy for WatchGuard. "Sure, our workforce is getter more mobile, which means we need to incorporate new security solutions. But let's not fool ourselves. The perimeter will never go away."

Instead, he says, it will focus on server infrastructure and data centers, rather than endpoint users. As he puts it, the industry will eventually realize that it will always have to operate in a hybrid environment. That means recognizing the need for additional security innovations bolstering perimeter security rather than replacing it.

"Just because people are using mobile devices and cloud services doesn't mean they won't still have local servers and assets behind a relatively static perimeter," Nachreiner says.

Additionally, organizations need to maintain perimeter defenses not just for the traditional ingress monitoring, but also for egress visibility -- crucial to pinpoint large-scale breaches.

"Ultimately, the bad guys need to pass through the perimeter in order to complete the exfiltration of the data they are trying to steal," says says Michael Patterson, CEO of Plixer International. "Monitoring behaviors is playing a significant role in this area as is the reputation of the site being connected to. "

Patterson also explains that perimeter defense doesn't necessarily have to be placed as a border wall defense at the edge -- in fact, it may have more relevance inside the network as organizations monitor and block threats as they try to move laterally within the organization. It's for this reason that Mike Lloyd, CTO of RedSeal Networks, says that rather than dying, the perimeter has actually grown in recent years.

"Think of the brooms versus Mickey Mouse as the Sorcerer's Apprentice. Companies have more and more perimeters that are getting smaller and smaller," he says. "Regulation drives it: PCI demands internal "zones" of segregation. BYOD drives it: Once you let zany uncontrolled endpoint devices onto your network, you have to build zones to keep them away from internal assets. Security drives it: We've talked about defense in-depth for years, but people are finally doing it."

As a result, Lloyd says, security practitioners have more opportunities for controls. This, though, can be a blessing and a curse.

"The downside is complexity, more controls in more places," he says. "The aspirin for that headache is automation. Make sure that all the enclaves you designed are actually set up and maintained properly as change happens."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
AccessServices
50%
50%
AccessServices,
User Rank: Apprentice
9/17/2013 | 3:37:51 PM
re: Is The Perimeter Really Dead?
The perimeter is not dead. It evolved and and companies have not assessed the risks accordingly. Allowing VPNs from non-company controlled devices and high bandwidth cell phones changed the perimeter from a few choke points to the Internet to many devices that the company does not have direct control over. Most companies have not acknowledged this and thus accepted the risks involved in this to their detriment. There are technologies and corporate policies that will help mitigate these risks; but, companies believe that they are too expensive or time consuming to implement. The current primary attack vector I'm seeing is phishing or web page based attacks. The BYOD attacks are a little harder to implement, but gaining popularity quickly. BYOD is harder to detect and remove so there is no doubt that criminals will migrate in this direction. I think that the key here is to no longer think about a firewall cluster as the perimeter. It has become a wide path and needs to be treated accordingly.

Jeff Jones
Abacus Solutions
douglasmow
50%
50%
douglasmow,
User Rank: Apprentice
9/17/2013 | 10:21:02 AM
re: Is The Perimeter Really Dead?
Organizations must accept the fact that the perimeter is relatively porous. Systems have been put in place to create efficiencies and walling them off is not the answer. The best answer would seem to be a combination of perimeter defense (like the home security sign on your house) and an ability to monitor activity inside the perimeter. In today's world of mandatory open access that would be the only way to cope.
MarciaNWC
50%
50%
MarciaNWC,
User Rank: Apprentice
9/16/2013 | 6:53:04 PM
re: Is The Perimeter Really Dead?
It's sort of amazing how long this debate has been going on. Lloyd's argument makes a lot of sense.
WebAuthn, FIDO2 Infuse Browsers, Platforms with Strong Authentication
John Fontana, Standards & Identity Analyst, Yubico,  9/19/2018
Turn the NIST Cybersecurity Framework into Reality: 5 Steps
Mukul Kumar & Anupam Sahai, CISO & VP of Cyber Practice and VP Product Management, Cavirin Systems,  9/20/2018
NSS Labs Files Antitrust Suit Against Symantec, CrowdStrike, ESET, AMTSO
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "I'm not sure I like this top down management approach!"
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17332
PUBLISHED: 2018-09-22
An issue was discovered in libsvg2 through 2012-10-19. The svgGetNextPathField function in svg_string.c returns its input pointer in certain circumstances, which might result in a memory leak caused by wasteful malloc calls.
CVE-2018-17333
PUBLISHED: 2018-09-22
An issue was discovered in libsvg2 through 2012-10-19. A stack-based buffer overflow in svgStringToLength in svg_types.c allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact because sscanf is misused.
CVE-2018-17334
PUBLISHED: 2018-09-22
An issue was discovered in libsvg2 through 2012-10-19. A stack-based buffer overflow in the svgGetNextPathField function in svg_string.c allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact because a strncpy copy limit is miscalculated.
CVE-2018-17336
PUBLISHED: 2018-09-22
UDisks 2.8.0 has a format string vulnerability in udisks_log in udiskslogging.c, allowing attackers to obtain sensitive information (stack contents), cause a denial of service (memory corruption), or possibly have unspecified other impact via a malformed filesystem label, as demonstrated by %d or %n...
CVE-2018-17321
PUBLISHED: 2018-09-22
An issue was discovered in SeaCMS 6.64. XSS exists in admin_datarelate.php via the time or maxHit parameter in a dorandomset action.