Partner Perspectives
11/18/2014 02:45 PM
Bradon Rogers
Best Practices in the Face of High-Profile Breaches

Attacks are a mainstream problem, and organizations must employ more than just traditional minimalist approaches of firewalls and virus scanners.

Ongoing, high-profile security breaches are prompting many conversations with customers about the basic hygiene steps they should be taking to improve their security posture and reduce their risk of data compromise. The painful reality is that attacks are a mainstream problem, and traditional minimalist approaches of firewalls and virus scanners are no longer sufficient.

You need to think through the zones in your infrastructure and close the gaps through which criminals can crawl. They will go for your weakest point, which today is often a specialty device. From a point-of-sale terminal or ATM, criminals move up the spokes to a hub: a store, branch, or office. From one compromised machine at that site they push into the data center, and from there out again to other sites.

Different Defenses for Different Devices

The first step is to differentiate desktop protection from data center and specialty device protection. The desktop is under constant modification, with new applications, patches, and upgrades. Fixed-function devices such as point-of-sale terminals, ATMs, or app-specific tablets are different: their function can be restricted to a narrow range, locked down, and anything outside the normal scope blocked. Because their function is fixed, these devices change rarely, if at all, and their small size, large number, and wide distribution make every change costly to roll out, which is exactly what makes a static allowlist practical for them. Small-footprint application and change-control defenses allow nothing to execute that is not on the approved list, which shuts out malware and attacker tooling along with everything else.
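The allowlist idea above, as an added example written for this page (it is not Intel Security's product code): a manifest of approved executables and their SHA-256 hashes is captured when the device image is signed off, execution is refused unless path and hash both match, and the only way a new binary becomes runnable is through an approved change. The paths, "binaries" and the `change_approved` flag are constructed illustrations.

```python
"""Allowlist-based application control for a fixed-function device.

Added example, not Intel Security's product code. The device may execute only
binaries whose path and SHA-256 hash appear in a manifest captured when the
image was approved; anything else is refused by default. File contents below
are constructed sample data, not real binaries.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(approved: dict) -> dict:
    """Capture the hash of every approved executable at provisioning time."""
    return {path: sha256_hex(content) for path, content in approved.items()}


def check_execution(manifest: dict, path: str, content: bytes):
    """Deny by default: a path missing from the manifest and a known path whose
    bytes no longer match are both refused. Returns (allowed, reason)."""
    expected = manifest.get(path)
    if expected is None:
        return False, "not in manifest"
    if sha256_hex(content) != expected:
        return False, "hash mismatch: binary modified since approval"
    return True, "ok"


def apply_update(manifest: dict, path: str, new_content: bytes,
                 change_approved: bool) -> dict:
    """Updates must still land (they may carry security fixes), but only through
    change control: without an approved change the manifest is left untouched,
    so the new binary will be refused at execution time."""
    if not change_approved:
        return manifest
    updated = dict(manifest)
    updated[path] = sha256_hex(new_content)
    return updated


# Constructed sample image: two approved executables on a point-of-sale terminal.
APPROVED = {
    "/opt/pos/pos_app": b"\x7fELF pos application build 1",
    "/opt/pos/printer_svc": b"\x7fELF receipt printer service build 1",
}
MANIFEST = build_manifest(APPROVED)

# Constructed attacker artefacts: a dropped tool and a trojanised copy of pos_app.
DROPPED_TOOL = b"\x7fELF memory scraper"
TROJANISED_POS_APP = APPROVED["/opt/pos/pos_app"] + b"\x90 injected"


if __name__ == "__main__":
    for path, content in [
        ("/opt/pos/pos_app", APPROVED["/opt/pos/pos_app"]),
        ("/tmp/svchost", DROPPED_TOOL),
        ("/opt/pos/pos_app", TROJANISED_POS_APP),
    ]:
        allowed, reason = check_execution(MANIFEST, path, content)
        print(f"{'ALLOW' if allowed else 'DENY ':5} {path}: {reason}")
```

The point of hashing rather than trusting the path is the third case: a binary with the right name but altered contents is refused, which is what stops an attacker who overwrites a legitimate executable in place. A production agent enforces this in the kernel at exec time rather than in user space, but the decision logic is the same.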

In locking down these systems you cannot simply block updates, because updates may contain critical security patches. Effective application and change-control technologies therefore also provide virtual patching, placing a barrier in front of newly discovered weaknesses and exploits. A virtual patch is a rule, in a host agent or an in-line device, that recognizes and blocks the attempted exploit without modifying the vulnerable software, which reduces the panic when new threats are announced. The real system upgrade or firmware update can then be properly evaluated and installed during a regular maintenance window; the virtual patch is a stopgap until then, not a replacement for it.

Data center servers may provide a range of functions as broad as desktops, but they differ vastly in scale, hold more sensitive data, and are just as likely to be virtual machines spanning multiple physical hosts. In turn, there is a wide variety of purpose-built, high-performance, low-latency security technologies adapted to the virtualized, cloud-based nature and scale of modern data centers and server infrastructures.

Secure the Data Center Perimeter

The speed and volume of traffic through your data center demands a different level of performance, inspection, and reliability from a firewall at the data center boundary. The sheer number of servers, and the spread of virtual and cloud-based systems, means point defenses are no longer sufficient. Traffic prioritization should direct critical data to the best pipes, while built-in load balancing and failover keep everything moving. Perhaps most important is anti-evasion capability: reassembling fragmented packets and out-of-order TCP segments into the stream the receiving host will actually see, and checking that stream, rather than each packet in isolation, against attack patterns or threat signatures, so that an exploit split across packets cannot slip past inspection.
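What "reconstructing seemingly innocuous message parts into their intended whole" means in practice, as an added example (written for this page, not taken from any product): an HTTP request carrying a path-traversal attempt is split into TCP segments so that no single segment contains a complete signature, then delivered out of order. Per-segment matching sees nothing; matching over the reassembled stream catches it. The two signatures also show the shape of a virtual-patch rule as described under Different Defenses for Different Devices: a pattern for the exploit, enforced before the unpatched application receives it. The request, the split points and the signatures are all constructed for the example.

```python
"""Anti-evasion inspection: reassemble before matching.

Added example, not product code. Two signatures stand in for the attack-pattern
or virtual-patch rules an in-line device would carry. The HTTP request and its
segmentation are constructed; the attacker splits the request so that no single
TCP segment contains a complete signature.
"""
import re

# Constructed signatures (a path-traversal shape and a sensitive-file read).
SIGNATURES = {
    "path-traversal": re.compile(rb"(\.\./){2,}"),
    "unix-passwd-read": re.compile(rb"/etc/passwd"),
}

# Constructed request; the attacker then splits it at CUTS (byte offsets chosen so
# that "../../" and "/etc/passwd" never sit inside one segment).
REQUEST = (b"GET /download?file=../../../../etc/passwd HTTP/1.1\r\n"
           b"Host: shop.example\r\n\r\n")
CUTS = [0, 22, 27, 31, 36, 52, len(REQUEST)]
BASE_SEQ = 1000


def make_segments(data: bytes, cuts, base_seq: int):
    """Split data into (seq, payload) pairs and deliver them out of order,
    as an evading sender might."""
    segs = [(base_seq + a, data[a:b]) for a, b in zip(cuts, cuts[1:])]
    order = [2, 0, 4, 1, 3, 5]          # arbitrary out-of-order arrival
    return [segs[i] for i in order]


def naive_scan(segments):
    """Per-segment matching: what a stateless point defense does."""
    hits = set()
    for _seq, payload in segments:
        for name, pattern in SIGNATURES.items():
            if pattern.search(payload):
                hits.add(name)
    return hits


def reassemble(segments, base_seq: int) -> bytes:
    """Rebuild the byte stream the receiving host will see. Out-of-order segments
    are placed by sequence number; overlapping bytes keep the first copy received
    (a real inspector must mirror the target OS's overlap policy, or that policy
    difference itself becomes an evasion). The stream stops at the first gap
    rather than guessing across missing data."""
    received = {}
    for seq, payload in segments:
        for i, byte in enumerate(payload):
            received.setdefault(seq - base_seq + i, byte)
    stream = bytearray()
    offset = 0
    while offset in received:
        stream.append(received[offset])
        offset += 1
    return bytes(stream)


def stream_scan(segments, base_seq: int):
    """Stateful matching over the reassembled stream."""
    data = reassemble(segments, base_seq)
    return {name for name, p in SIGNATURES.items() if p.search(data)}


if __name__ == "__main__":
    segs = make_segments(REQUEST, CUTS, BASE_SEQ)
    print("per-segment hits:", naive_scan(segs) or "none")
    print("reassembled hits:", stream_scan(segs, BASE_SEQ))
```

Two caveats a practitioner will recognise: reassembly costs memory per flow, which is why the page stresses data-center-class performance for this firewall, and overlap handling is not a detail. Different operating systems resolve overlapping segments differently, and an inspector that resolves them one way while the server resolves them the other can be made to see a harmless stream while the server sees the exploit.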

Defend Your Database

Databases can be especially vulnerable, often running software many versions behind because of restricted patching windows and elaborate testing requirements. Sometimes the surrounding code is very complex or has been customized, or the person who wrote the scripts is long gone and the scripts have not been updated since. Virtual patching protects these systems too, blocking exploits even while the underlying software remains unpatched. For further protection, database vulnerability management identifies misconfigurations and potential risk areas within the database, such as open ports that are not needed or unmodified default settings, and suggests how to fix them.

Check Data Before It Leaves

Data centers may process a high volume of traffic, but that traffic tends to follow established patterns. Database activity monitoring observes the queries and interactions hitting the databases, develops a baseline of normal behavior, and flags or blocks anomalous actions that may be part of an attack. Data loss prevention observes data in motion through the network and at rest in storage, helping you quickly build and deploy accurate usage policies, and then monitors and enforces those policies on data in use so that policy is satisfied before data leaves your network. Data-monitoring tools can even capture traffic leaving the network for later analysis, so you do not have to guess at the impact should an error or breach occur.
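A worked illustration of the baseline-then-flag approach, added here as an example and not drawn from any monitoring product: a short, constructed database activity log is used to learn which (verb, table) pairs, client addresses, hours and result sizes are normal for each account, and later events are scored against that. The log format, account names, addresses and the `bulk_factor` threshold are all assumptions for the example; a real product parses SQL properly, learns over weeks rather than five lines, and attributes activity to the application user behind a pooled database account.

```python
"""Database activity baseline and anomaly flags.

Added example, not product code. Log lines are constructed in a simple
pipe-separated format:  timestamp|db_user|client_ip|statement|rows_returned
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\|(?P<user>\w+)\|(?P<ip>[\d.]+)\|(?P<sql>[^|]+)\|(?P<rows>\d+)$")
# Toy table extraction: the word after FROM / INTO / UPDATE / JOIN.
TABLE_RE = re.compile(r"\b(?:FROM|INTO|UPDATE|JOIN)\s+(\w+)", re.IGNORECASE)


def parse(line: str) -> dict:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    sql = m["sql"].strip()
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "user": m["user"],
        "ip": m["ip"],
        "verb": sql.split()[0].upper(),
        "tables": frozenset(t.lower() for t in TABLE_RE.findall(sql)),
        "rows": int(m["rows"]),
    }


def learn_baseline(lines) -> dict:
    """Per account: which operations, from where, at what hours, how many rows."""
    base = defaultdict(lambda: {"ops": set(), "ips": set(), "hours": set(), "max_rows": 0})
    for ev in map(parse, lines):
        b = base[ev["user"]]
        for t in ev["tables"]:
            b["ops"].add((ev["verb"], t))
        b["ips"].add(ev["ip"])
        b["hours"].add(ev["ts"].hour)
        b["max_rows"] = max(b["max_rows"], ev["rows"])
    return dict(base)


def score_event(base: dict, line: str, bulk_factor: int = 10) -> list:
    """Return the list of deviations from the account's baseline (empty = normal)."""
    ev = parse(line)
    b = base.get(ev["user"])
    if b is None:
        return ["unknown-user"]
    flags = []
    for t in sorted(ev["tables"]):
        if (ev["verb"], t) not in b["ops"]:
            flags.append(f"new-operation:{ev['verb']}:{t}")
    if ev["ip"] not in b["ips"]:
        flags.append(f"new-client:{ev['ip']}")
    if ev["ts"].hour not in b["hours"]:
        flags.append(f"off-hours:{ev['ts'].hour:02d}")
    if ev["rows"] > bulk_factor * max(b["max_rows"], 1):
        flags.append(f"bulk-rows:{ev['rows']}")
    return flags


# Constructed learning period: a POS application and a reporting job behaving normally.
BASELINE_LOG = [
    "2014-11-03T09:12:05|posapp|10.1.4.20|SELECT price FROM products WHERE sku=?|1",
    "2014-11-03T09:12:06|posapp|10.1.4.20|INSERT INTO transactions VALUES (?,?,?)|1",
    "2014-11-03T14:40:31|posapp|10.1.4.21|SELECT price FROM products WHERE sku=?|1",
    "2014-11-03T21:05:00|posapp|10.1.4.20|UPDATE inventory SET qty=qty-? WHERE sku=?|1",
    "2014-11-03T10:00:00|reports|10.1.9.5|SELECT store_id, SUM(total) FROM transactions GROUP BY store_id|40",
]

# Constructed later events: one routine lookup, one bulk card-data pull at 3 a.m. via
# the POS account, and the reporting query from an address never seen before.
NORMAL_EVENT = "2014-11-18T14:02:10|posapp|10.1.4.21|SELECT price FROM products WHERE sku=?|1"
DUMP_EVENT = "2014-11-18T03:10:44|posapp|10.1.4.20|SELECT card_number, expiry FROM cardholders|48000"
NEW_CLIENT_EVENT = "2014-11-18T10:30:00|reports|203.0.113.9|SELECT store_id, SUM(total) FROM transactions GROUP BY store_id|40"

if __name__ == "__main__":
    baseline = learn_baseline(BASELINE_LOG)
    for line in (NORMAL_EVENT, DUMP_EVENT, NEW_CLIENT_EVENT):
        print(score_event(baseline, line) or "normal", "<-", line)
```

The card-data pull is flagged three times over (a table the account never touched, an hour it is never active, and a result set orders of magnitude larger than anything in the baseline), and each of those flags is visible in the query stream even though the database software itself is unpatched and the SQL is syntactically valid. That is the argument for monitoring activity rather than relying on patch level alone.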

Consider the Cloud

By now, your systems probably extend well beyond the physical walls of the IT department. Cloud services, such as Microsoft Azure and Amazon Web Services, provide tremendous scale and elasticity but still need to be protected. The standard model of virus scanners and firewalls falls apart quickly when faced with the scale of the cloud. Instead, virtual virus scanners and centralized security controllers work with the strengths of the cloud, analyzing patterns, directing items that require further analysis to centralized resources, and policing what can and cannot be moved outside of the physical perimeter.

Know What’s Happening Now

Cyber attacks are no longer passive events. They are no longer static viruses spreading through whatever weaknesses they stumble upon, or crudely written emails trying to trick you into sharing your bank account details or clicking on a malicious link. Instead, they are active campaigns, guided by human intelligence, learning and adapting to the conditions found in your organization. Finding these attacks within the high volume and rate of traffic flowing in and around your systems requires knowledge of events as they are happening, not in a report produced hours or even days afterward. Security information and event management (SIEM) systems must operate at data center scale and provide real-time visibility into abnormal behavior, wherever it occurs. With attackers continuously probing for areas of weakness, and shifting from one attack vector to another to confuse or evade your defenses, the ability to digest and correlate messages and warnings from every source is an essential component of SIEM functionality.
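The correlation point above, as an added example (written for this page, not the logic of any particular SIEM): the domain controller sees three failed logons and a success for a service account, which on its own is unremarkable, and the core firewall sees one SMB connection from a point-of-sale terminal into the data center, which on its own is also unremarkable. Only when the two sources are joined on host and time does the sequence stand out. The events, host names, addresses, the 15-minute window and the three-failure threshold are all constructed assumptions.

```python
"""Cross-source SIEM correlation over a time window.

Added example, not product code. Events are constructed and already normalised
into one schema from two sources: "dc01-auth" (domain controller logon audit)
and "fw-core" (data center firewall connection log).
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)

EVENTS = [
    # Domain controller: three failures then a success for a service account, from a POS terminal.
    {"ts": "2014-11-18T02:01:10", "src": "dc01-auth", "host": "POS-0417", "type": "auth_fail", "user": "svc_backup"},
    {"ts": "2014-11-18T02:01:15", "src": "dc01-auth", "host": "POS-0417", "type": "auth_fail", "user": "svc_backup"},
    {"ts": "2014-11-18T02:01:21", "src": "dc01-auth", "host": "POS-0417", "type": "auth_fail", "user": "svc_backup"},
    {"ts": "2014-11-18T02:01:30", "src": "dc01-auth", "host": "POS-0417", "type": "auth_success", "user": "svc_backup"},
    # Core firewall: the same terminal then opens SMB to a file server in the data center.
    {"ts": "2014-11-18T02:03:02", "src": "fw-core", "host": "POS-0417", "type": "conn", "dst": "10.2.0.15", "dport": 445},
    # Background noise: a user mistypes a password twice, then prints over SMB.
    {"ts": "2014-11-18T08:30:00", "src": "dc01-auth", "host": "WS-112", "type": "auth_fail", "user": "jsmith"},
    {"ts": "2014-11-18T08:30:06", "src": "dc01-auth", "host": "WS-112", "type": "auth_fail", "user": "jsmith"},
    {"ts": "2014-11-18T08:30:15", "src": "dc01-auth", "host": "WS-112", "type": "auth_success", "user": "jsmith"},
    {"ts": "2014-11-18T08:31:00", "src": "fw-core", "host": "WS-112", "type": "conn", "dst": "10.2.0.40", "dport": 445},
    # Another terminal talks SMB to the print server with no authentication trouble at all.
    {"ts": "2014-11-18T09:15:00", "src": "fw-core", "host": "POS-0101", "type": "conn", "dst": "10.2.0.40", "dport": 445},
]


def correlate(events, window=WINDOW, fail_threshold=3):
    """Alert when, on one host and within `window`, a logon succeeds after at least
    `fail_threshold` failures for the same account and the host then opens SMB.
    Events are processed in time order so the same logic can run on a live feed."""
    evs = sorted((dict(e, ts=datetime.fromisoformat(e["ts"])) for e in events),
                 key=lambda e: e["ts"])
    recent = defaultdict(list)      # per host, events still inside the window
    alerts = []
    for e in evs:
        host_events = recent[e["host"]]
        host_events.append(e)
        host_events[:] = [x for x in host_events if e["ts"] - x["ts"] <= window]
        if e["type"] != "conn" or e.get("dport") != 445:
            continue
        fails = Counter()
        guessed = None
        for x in host_events:       # walk the window in time order
            if x["type"] == "auth_fail":
                fails[x["user"]] += 1
            elif x["type"] == "auth_success" and fails[x["user"]] >= fail_threshold:
                guessed = x
        if guessed is not None:
            alerts.append({
                "rule": "guessed-credential-then-smb",
                "host": e["host"],
                "user": guessed["user"],
                "dst": e["dst"],
                "at": e["ts"].isoformat(),
                "sources": sorted({x["src"] for x in host_events}),
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

The window is what makes this "now" rather than "in a report days later": the rule fires on the SMB connection event itself, while the matching authentication events are still in memory, and it does not fire for the workstation with two typos or for the terminal that simply prints. Move the SMB connection outside the window and the same events produce no alert, which is also the limitation: an attacker who waits longer than the window between stages defeats this rule, so real deployments layer several windows and rules rather than relying on one.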

The Best Security, Physical or Virtual, Is Integrated

Taken together, the steps above create an integrated defense that is more effective, and less expensive, than deploying scanners on every server instance and point defenses at every ingress and egress. Intelligence on threats, from phishing to malware to zero-day exploits, should be shared among the systems and collected centrally for a complete view of the current situation. Suspicious data should be picked off and sent to a malware analysis engine for static and dynamic evaluation once, instead of multiple times, reducing the quantity of intensive inspection and improving response times. Reports are available sooner and provide a clearer picture of what is happening, and the likely objectives of the attacks.

This list of best practices is not all-inclusive, and there are certainly other technologies and practices that can improve your security posture. However, data center infrastructure and purpose-built devices (such as point-of-sale machines) are common themes in recent major breaches. We need to reevaluate how systems and networks are safeguarded and raise the minimum protection threshold.

Bradon Rogers is the Senior Vice President of Product and Solution Marketing at Intel Security, and is a 14 year veteran in the security space. In this role, Bradon is responsible for worldwide go-to-market of the Intel Security product portfolio. In his prior role at Intel ...