Partner Perspectives
11/18/2014 02:45 PM
Bradon Rogers
Best Practices in the Face of High-Profile Breaches

Attacks are a mainstream problem, and organizations must employ more than just traditional minimalist approaches of firewalls and virus scanners.

Ongoing, high-profile security breaches are prompting many conversations with customers about the basic hygiene steps they should be taking to improve their security posture and reduce their risk of data compromise. The painful reality is that attacks are a mainstream problem, and traditional minimalist approaches of firewalls and virus scanners are no longer sufficient.

You need to think through the zones in your infrastructure and reduce the crevices through which cyber criminals can crawl. They will go for your weakest point, which today is often a specialty device. From a point-of-sale or ATM system, criminals can navigate up the spokes to your hubs: a store, branch, or office. From a compromised machine in one site, they will push into the data center, then out again to other sites.

Different Defenses for Different Devices

The first step is to differentiate desktop protection from data center and specialty device protection. The desktop is under constant modification with new applications, patches, and upgrades. However, with fixed-function devices such as point-of-sale terminals, ATMs, or app-specific tablets, you can restrict functionality to a narrow range, lock them down, and block anything that is outside of the normal scope. The small size, large number, and wide distribution of these devices mean they don't change very often, if at all. Small-footprint application and change-control defenses will allow nothing to run that you do not want to run, including malware.

In locking down these systems, you cannot just block updates, because those updates may contain critical security patches. Effective application and change-control technologies also provide virtual patching, creating a barrier to newly discovered weaknesses and exploits. Virtual patches recognize and block the attempted exploit without having to patch the software, reducing panic when new threats are announced. System upgrades or firmware updates can then be properly evaluated and installed during regular maintenance windows.
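The allow-nothing-unapproved model described above, combined with a change-control gate for updates, can be sketched in a few lines. This is an added illustration, not code from the article or from any Intel Security product; the terminal paths, image contents and ticket id are constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional

# Constructed allowlist for a hypothetical fixed-function terminal: the
# SHA-256 of each approved executable image, keyed by its install path.
APPROVED = {
    "/opt/pos/bin/register": hashlib.sha256(b"register v3.1 image").hexdigest(),
    "/opt/pos/bin/printer_svc": hashlib.sha256(b"printer_svc v1.4 image").hexdigest(),
}

@dataclass
class ChangeControl:
    """Allowlist enforcement plus a change-control gate for new binaries."""
    approved: dict = field(default_factory=lambda: dict(APPROVED))
    maintenance_window_open: bool = False
    log: list = field(default_factory=list)

    def may_execute(self, path: str, image: bytes) -> bool:
        """Only an image whose hash matches the approved entry for its path runs."""
        digest = hashlib.sha256(image).hexdigest()
        allowed = self.approved.get(path) == digest
        self.log.append(("EXEC_ALLOW" if allowed else "EXEC_BLOCK", path, digest[:12]))
        return allowed

    def install(self, path: str, image: bytes, ticket: Optional[str]) -> bool:
        """A new or changed binary is admitted only with a ticket, inside a window."""
        if not (self.maintenance_window_open and ticket):
            self.log.append(("CHANGE_BLOCK", path, ticket))
            return False
        self.approved[path] = hashlib.sha256(image).hexdigest()
        self.log.append(("CHANGE_APPROVE", path, ticket))
        return True

def demo() -> list:
    """Walk through approved, tampered, unknown and updated images."""
    cc = ChangeControl()
    results = [
        cc.may_execute("/opt/pos/bin/register", b"register v3.1 image"),        # approved image
        cc.may_execute("/opt/pos/bin/register", b"register v3.1 image\x90"),    # same path, altered bytes
        cc.may_execute("/tmp/unknown_binary", b"not on the allowlist"),          # never approved
        cc.install("/opt/pos/bin/register", b"register v3.2 image", "CHG-0042"), # window closed
    ]
    cc.maintenance_window_open = True                                            # scheduled maintenance
    results.append(cc.install("/opt/pos/bin/register", b"register v3.2 image", "CHG-0042"))
    results.append(cc.may_execute("/opt/pos/bin/register", b"register v3.2 image"))
    return results  # [True, False, False, False, True, True]
```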

Data center servers may provide a similar broad range of functions to desktops, but they are vastly different in scale, contain more sensitive data, and are just as likely to be virtual devices spanning multiple physical systems. In turn, there is a wide variety of purpose-built, high-performance, low-impedance security technologies that are adapted to the virtualized, cloud-based nature and scale of modern data centers and server infrastructures.

Secure the Data Center Perimeter

The speed and volume of traffic through your data center requires a different level of performance, inspection, and reliability in a firewall at the data center boundary. The sheer number of servers, and the spread of virtual and cloud-based systems, means point defenses are no longer sufficient. Traffic prioritization should direct critical data to the best pipes, while inherent load-balancing and failover capabilities keep everything moving. Perhaps most important is anti-evasion capability, identifying and reconstructing seemingly innocuous message parts into their intended whole package, and checking that against attack patterns or threat signatures.

Defend Your Database

Databases can be especially vulnerable, running software that is many versions behind due to restricted patching windows and elaborate testing requirements. Sometimes this code is very complex, has been customized in some way, or the person who wrote the scripts is long gone and the scripts have not been updated. Virtual patching also protects these systems, blocking exploits even if the underlying software is unpatched. For further protection, database vulnerability management can identify misconfigurations or potential risk areas within the database and suggest how to fix weaknesses such as open ports or unmodified default settings.

Check Data Before It Leaves

Data centers may process a high volume of traffic, but the traffic tends to follow established patterns. Database activity monitoring observes traffic and interactions within the databases, develops a baseline for normal behavior, and flags or blocks anomalous actions that may be part of a malicious attack. Data loss prevention capabilities observe data in motion through the network and at rest in storage, helping you quickly build and deploy accurate usage policies, and then monitor and enforce policies on data in use, ensuring compliance before the data leaves your network. Data-monitoring tools can even capture traffic leaving the network for later analysis, so you do not have to guess at the impact should an error or breach occur.
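The baseline-then-flag behaviour described for database monitoring can be shown on a handful of audit records: learn which query shapes, tables and result sizes each application account normally produces, then report how a new action deviates. This is an added example, not the article's or any vendor's code; the account names, SQL statements and row counts are constructed.

```python
import re
from collections import defaultdict

# Constructed audit records: (account, sql, rows_returned). In a real
# deployment these come from the database's own audit log or a network tap.
BASELINE = [
    ("pos_app", "SELECT price FROM items WHERE sku = 'A100'", 1),
    ("pos_app", "SELECT price FROM items WHERE sku = 'B220'", 1),
    ("pos_app", "INSERT INTO sales (sku, qty, total) VALUES ('A100', 2, 19.98)", 0),
    ("report_svc", "SELECT store_id, SUM(total) FROM sales WHERE day = '2014-11-17' GROUP BY store_id", 40),
]

LITERAL = re.compile(r"'[^']*'|\b\d+(?:\.\d+)?\b")          # quoted strings and numbers
TABLE = re.compile(r"\b(?:FROM|INTO|UPDATE|JOIN)\s+([A-Za-z_][A-Za-z0-9_]*)", re.I)

def template(sql: str) -> str:
    """Collapse literals so queries that differ only in values share one shape."""
    return " ".join(LITERAL.sub("?", sql).split()).upper()

class Baseline:
    """Per-account profile of normal database activity, learned from audit records."""
    def __init__(self, records):
        self.shapes = defaultdict(set)      # account -> query templates seen
        self.tables = defaultdict(set)      # account -> tables touched
        self.max_rows = defaultdict(int)    # account -> largest result seen
        for account, sql, rows in records:
            self.shapes[account].add(template(sql))
            self.tables[account].update(t.lower() for t in TABLE.findall(sql))
            self.max_rows[account] = max(self.max_rows[account], rows)

    def assess(self, account: str, sql: str, rows: int, bulk_factor: int = 10) -> list:
        """Return the reasons an action deviates from the baseline (empty list = normal)."""
        if account not in self.shapes:
            return ["unknown account"]
        reasons = []
        if template(sql) not in self.shapes[account]:
            reasons.append("new query shape")
        novel = {t.lower() for t in TABLE.findall(sql)} - self.tables[account]
        if novel:
            reasons.append("new tables: " + ",".join(sorted(novel)))
        # A result far larger than anything the account has returned before
        # is the bulk-read pattern a data-exfiltration attempt would produce.
        if rows > bulk_factor * max(self.max_rows[account], 1):
            reasons.append(f"bulk result ({rows} rows)")
        return reasons
```

A routine price lookup with a new SKU, or the daily report run for a new date, produces no reasons; a whole-table read by the point-of-sale account produces three.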

Consider the Cloud

By now, your systems probably extend well beyond the physical walls of the IT department. Cloud services, such as Microsoft Azure and Amazon Web Services, provide tremendous scale and elasticity but still need to be protected. The standard model of virus scanners and firewalls falls apart quickly when faced with the scale of the cloud. Instead, virtual virus scanners and centralized security controllers work with the strengths of the cloud, analyzing patterns, directing items that require further analysis to centralized resources, and policing what can and cannot be moved outside of the physical perimeter.

Know What’s Happening Now

Cyber attacks are no longer passive events. They are no longer static viruses trying to find and infiltrate as many weaknesses as they can find, or crudely written emails trying to trick you into sharing your bank account details or clicking on a malicious link. Instead, they are active events, guided by human intelligence, learning and adapting to the conditions found in your organization. Finding these attacks within the high volume and rate of traffic flowing in and around your systems requires knowledge of events as they are happening, not in a report produced hours or even days afterward. Security information and event management (SIEM) systems must operate at data center scale and provide real-time visibility into abnormal behaviors, wherever they are. With attackers continuously probing for areas of weakness, and shifting from one attack vector to another to confuse or evade your defenses, the ability to digest and correlate messages and warnings from anywhere is an essential component of SIEM functionality.

The Best Security, Physical or Virtual, Is Integrated

Taken together, the steps above create an integrated defense that is more effective, and less expensive, than deploying scanners on every server instance and point defenses at every ingress and egress. Intelligence on threats, from phishing to malware to zero-day exploits, should be shared among the systems and collected centrally for a complete view of the current situation. Suspicious data should be picked off and sent to a malware analysis engine for static and dynamic evaluation once, instead of multiple times, reducing the quantity of intensive inspection and improving response times. Reports are available sooner and provide a clearer picture of what is happening, and the likely objectives of the attacks.

This list of best practices is not all-inclusive, and there are certainly other technologies and practices that can improve your security posture. However, data center infrastructure and purpose-built devices (such as point-of-sale machines) are common themes in recent major breaches. We need to reevaluate how systems and networks are safeguarded and raise the minimum protection threshold.

Bradon Rogers is the Senior Vice President of Product and Solution Marketing at Intel Security, and is a 14-year veteran in the security space. In this role, Bradon is responsible for worldwide go-to-market of the Intel Security product portfolio. In his prior role at Intel ...