Rethinking IT Security Architecture: Experts Question Wisdom Of Current 'Layered' Cyberdefense Strategies
As attacks become more sophisticated and breaches abound, it's time for enterprises to change their cybersecurity thinking from the ground up, experts say
December 27, 2012
Layered security. Security integration. Defense in depth. For years now, cybersecurity professionals and vendors have been preaching sermons on the merits of an enterprise security strategy that mixes a variety of tools and technologies to create a complex barrier that hackers can't penetrate. "Layered security" has become as much a part of industry parlance as authentication or encryption.
There's just one problem: It isn't working.
While enterprises and government agencies have invested unprecedented resources in cybersecurity over the past few years, the incidence of new data threats and breaches remains at record highs. The most recent Verizon Data Breach Investigations Report indicates that breaches involving hacking and malware were both up considerably last year, with hacking involved in 81 percent of incidents and malware involved in 69 percent. According to the Cost of a Data Breach Report, malicious attacks on enterprise data rose last year, and the cost of a breach is at an all-time high ($222 per lost record). According to figures posted this month by Panda Labs, more than 6 million new malware samples were detected in the third quarter alone, and more than a third of machines across the globe are already infected.
Is it time to hit the "reset" button on cybersecurity strategy? Should organizations challenge current thinking around security architecture -- and, particularly, the effectiveness of layered defense? Many experts think so.
"Organizations are implementing incremental improvements to their information security capabilities to provide short-term solutions -- without tackling the issues associated with the overall information security threat," says research and consulting firm Ernst & Young in its Global Information Security Survey 2012, published in October. "The need to develop a robust security architecture framework has never been greater."
However, 63 percent of organizations have no such framework in place, the study says. "For years, companies have been approaching security as a technical problem, usually by buying products to solve specific problems," says Jose Granado, principal and practice leader for IT security services at Ernst & Young and one of the authors of the new report. "There hasn't been much thought put to how those technologies will work together, or to the people and process sides of the equation."
While many large organizations have systems architects or network architects who help create the framework for the evolution of hardware and communications technology across the enterprise, most of E&Y's large clients do not have security architects, Granado says.
"There is a huge [difference] between organizations that have a security architect and those that don't," he comments. "When there is an architecture that's tied to the company's business goals, then there's a realization that security problems can't be solved in a silo." A well-defined architecture helps dictate how the various single-function security technologies will work together -- and makes it easier to find the weak spots in enterprise defenses, he says.
Vinnie Liu, partner and co-founder of Stach & Liu, a consulting firm that works with large enterprises on security architecture and tests companies' defense strategies, agrees that enterprises' historical focus on point solutions has prevented many organizations from developing a broader security strategy.
"The industry has been approaching the cybersecurity problem like the TSA has been approaching the air-security problem," Liu says. "First the bad guys brought guns on board, so they put in metal detectors. Then somebody put a bomb in his shoe, and now we all have to take our shoes off. Then they found liquid explosives, so now we can't bring on any liquids. It's one problem, one solution, with no real thought to the big picture."
If enterprises do have a broader defense strategy, then it's usually focused on "layering," in which the organization buys a variety of different point products, essentially creating an obstacle course that the attacker must navigate to get to the sensitive data, Liu observes. By implementing a patchwork of firewalls, antivirus software, intrusion prevention systems, and the like, the enterprise hopes to detect a wide variety of attacks and mitigate them before they can do much damage.
"The problem is that most of these tools are still signature-based, which means you're taking a known threat and blacklisting it. So what you're doing is essentially layering one technology with another layer of the same type of technology," Liu says. "It's sort of like putting on a coat, and then putting on another coat that covers the exact same parts of your body, and then wondering why you're still cold."
Stach & Liu recommends that rather than buying more point technology, organizations should perform a risk assessment that identifies the most sensitive areas of the business, the most likely threats, and a holistic defense strategy -- an architecture of technology and processes -- designed specifically to protect the business. The risk assessment, along with the definition of the business' specific security requirements, helps identify top priorities and most likely threats, as well as key goals -- such as compliance -- in order to develop a comprehensive, practical defense strategy.
"You need to define your [security] requirements, just as you would with any architecture," Liu says. "Most companies don't take this step, so when it comes to building out the architecture, they have a hard time. They're trying to defend against everything without really knowing what problems they're trying to solve."
Developing a comprehensive architecture means defining not only requirements and capabilities in the backbone systems and networks, but at the endpoint as well, says John Prisco, CEO of Triumfant, a provider of next-generation antimalware services. "If you look at the tools that most companies are using today, there's a focus on network-based technologies, like antivirus and deep-packet inspection," he says. "But the attacks are coming more frequently at the endpoint, whether it's a laptop or a mobile device. If you're going to define an architecture today, we have to get past deep-packet inspection and basic firewalls and look at the endpoint as well."
Some of the underlying assumptions behind the "layered" security strategy have become obsolete, notes Steve Pao, vice president of product management at Barracuda Networks, a security and anti-malware tool provider. "In the old days, you didn't change your applications all that often, so you could build a positive defense," Pao says. "You could put email on one [router] port, Internet traffic on one router port, and have a strategy for defending them through the firewall. Today, we have mobile users, changing applications, and we can't lock down the desktop anymore. The old 'M&M candy' architecture with the hard outside and the soft, chewy center no longer works. It has to be a jawbreaker now -- hard all the way through."
Assumptions about the attacker are also being challenged, Pao says. As cybercriminals increasingly seek to target their attacks, enterprises are seeing fewer large-scale exploits -- such as viruses and attacks on Windows or Adobe -- and more targeted attacks designed to infect or steal data from just a few systems or individuals. "The cat-and-mouse game around vulnerabilities in the most popular apps is pretty much under control," he says. "Today the real problems are in custom applications or those that aren't patched very frequently. The assumption that your most common attacks will be made on the most widely deployed applications is being challenged."
As attacks become more sophisticated, they are also challenging conventional wisdom on how to detect malware, says Srinivas Kumar, CTO and co-founder at TaaSERA, a startup anti-malware company that is expected to launch next month. "The signature-based tools focus on what known malware looks like, rather than how it behaves, which means they can't detect most zero-days. Another key question to ask is how do you know when your systems are compromised, and which ones? That's an area that the industry has not focused on." Tomorrow's security architectures need to provide a layer of forensics that enables companies to determine the source of an infection and the extent of its reach, Kumar says.
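Liu's point about stacking one signature blocklist on another, and Kumar's point that signature tools miss what they have never seen, can be made concrete with a small coverage comparison. The following is an added illustration written for this page, not code from the article or from any vendor named in it; the samples, hashes and behaviour scores are constructed placeholders, and the behaviour rule is a deliberately simple scoring model assumed for the demo. It measures the marginal gain of adding a second signature layer versus adding a behaviour-based layer, and shows the false-positive trade-off when the behaviour threshold is set too low.

```python
"""Coverage comparison: layered signature blocklists versus a behaviour rule.
Added example for illustration; all data below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    name: str
    sha256: str            # constructed placeholder, not a real indicator
    behaviours: frozenset  # runtime actions observed when the sample runs
    malicious: bool        # ground truth used only for scoring the detectors


# Constructed corpus: three known malicious families, one repacked variant whose
# hash no vendor has seen yet, and two benign programs.
SAMPLES = [
    Sample("dropper_v1", "aa11", frozenset({"persistence", "c2_beacon"}), True),
    Sample("dropper_v2", "aa12", frozenset({"persistence", "c2_beacon"}), True),
    Sample("banker", "bb21", frozenset({"credential_access", "c2_beacon"}), True),
    Sample("repacked_dropper", "zz99",
           frozenset({"persistence", "c2_beacon", "credential_access"}), True),
    Sample("backup_agent", "cc01", frozenset({"persistence"}), False),
    Sample("browser", "cc02", frozenset({"network_out"}), False),
]

# Two vendors' blocklists; vendor B largely duplicates vendor A's coverage.
VENDOR_A = frozenset({"aa11", "aa12", "bb21"})
VENDOR_B = frozenset({"aa11", "aa12"})

# Assumed weights for suspicious behaviours (constructed for the demo).
SUSPICIOUS = {"persistence": 1, "credential_access": 2, "c2_beacon": 2}


def signature_detector(blocklist):
    """A layer that flags a sample only if its hash is already on the blocklist."""
    return lambda s: s.sha256 in blocklist


def behaviour_detector(threshold):
    """A layer that flags a sample when its summed behaviour weight reaches threshold."""
    def detect(s):
        return sum(SUSPICIOUS.get(b, 0) for b in s.behaviours) >= threshold
    return detect


def evaluate(detectors, samples):
    """Run a stack of layers; a sample is flagged if any layer fires."""
    flagged = {s.name for s in samples if any(d(s) for d in detectors)}
    missed = sorted(s.name for s in samples if s.malicious and s.name not in flagged)
    false_pos = sorted(s.name for s in samples if not s.malicious and s.name in flagged)
    return {"flagged": sorted(flagged), "missed": missed, "false_positives": false_pos}


def marginal_gain(base, extra, samples):
    """Count malicious samples the extra layer catches that the base stack missed."""
    before = set(evaluate(base, samples)["missed"])
    after = set(evaluate(base + [extra], samples)["missed"])
    return len(before - after)


if __name__ == "__main__":
    sig_a = signature_detector(VENDOR_A)
    sig_b = signature_detector(VENDOR_B)
    print("vendor A alone:", evaluate([sig_a], SAMPLES))
    print("gain from adding vendor B:", marginal_gain([sig_a], sig_b, SAMPLES))
    print("gain from adding behaviour rule:",
          marginal_gain([sig_a], behaviour_detector(3), SAMPLES))
    print("behaviour rule at threshold 1:", evaluate([behaviour_detector(1)], SAMPLES))
```

Against this corpus the second signature layer adds nothing, because its blocklist is a subset of the first vendor's; the behaviour layer is the only one that catches the repacked variant, but lowering its threshold to 1 starts flagging the legitimate backup agent, which is exactly the tuning question Liu raises about whether existing controls are configured properly.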
A growing reliance on cloud networks and applications further complicates the security architecture question, notes Patrick Bedwell, vice president of product marketing at Fortinet, a maker of multifunction security appliances and applications. Use of the cloud means that security pros can no longer build architectures designed to keep data inside company walls, or that rely on a single enterprise's ability to own and manage them, he says. A new, more open approach will be necessary.
"When you combine [the trend toward cloud computing] with what's going on in mobility, social networking, and big data, you can see that today's approach to security architecture must be different than it was even a short time ago," Bedwell says.
Like several other experts, Bedwell says he is seeing a definite movement toward the employment of a security architect in many large organizations. "There's an increase in the number of companies that currently have a security architect or plan to employ one in 2013," he says. "It's becoming more important to not only have someone who can build the architecture, but who's charged with implementing it across the organization."
What should that architecture look like? To start with, it should be tailored and customized to fit the specific business involved -- there is no template that fits every enterprise, experts say. "Ask the fundamental questions," Liu advises. "What are your goals? What compliance requirements do you have? What do you need to do operations in your market? What do you need to do operations in other markets?"
Granado agrees. "You start with what your business is, and then you optimize your security tools accordingly," he says. "Where there is duplicity, look at where you can sunset some of your technologies. Where you have three or four network analysis tools, choose one and get really good at using it."
Once you have your technology and processes whittled down, look for places where they can be integrated, Pao recommends. "The interesting problems are often in the seams," Barracuda's Pao says. "From early on, when we saw the emergence of the 'blended threat,' we integrated the management of our email and Web security solutions together. As we have reconcepted the next-generation firewall, we have sought to more tightly integrate the experience of the firewall and content security solutions working together."
But an effective security architecture isn't just about integrating point technologies -- it's about making sense of security data, which is a skills problem, Granado observes. "The CIO could triple the size of the security spend, but most enterprises wouldn't know what to do with that money because they don't have the arms and legs in the enterprise that would be able to make use of all of the data they would collect. In the end, the architecture is only as good as the people who implement it."
The most important piece of developing a security architecture is mapping (or, often, remapping) the organization's business needs to its security requirements, experts say. Building a security architecture requires not only the buy-in of upper management, but their direct participation.
"There's a shakeup that's going to occur in enterprises because there have been so many breaches," Prisco says. "There was a day when we could say, 'Nobody ever got fired for buying IBM,' but, at this point, there are no safe choices in technology ... If management finds out that a breach occurred -- and there was technology that could have stopped it and you didn't buy it -- then it doesn't matter how safe your choices were."
Breaches always provide an eye-opener that can help drive an architecture project, Liu says, but there's a business case to be made as well. "We're seeing a strategic shift from investing in new tools toward an effort to make what you have more efficient," he says.
"Anybody can make a grilled-cheese sandwich with the right equipment -- but there are only a few people who do it really well, and even fewer people who can do it well for 1,000 customers," Liu says. "What we try to do is tell enterprises not just to buy another grilled-cheese maker, or this year's model, but to look at how they're using what they have and really taking advantage of it. Are your security systems in the right places? Are they configured properly? Are you using all of their capabilities? These are good questions to ask."
Granado agrees. "I'm not sure it always takes a breach to drive companies to look at the architecture problem," he says. "We're now seeing questions about security being asked at the board of directors level. They read the papers. They want quarterly updates on what's being done about security. They want to know what the plan is, and what the threats are. They want to know if the company is prepared to protect its data. A security architecture project can answer a lot of those questions."