Best Practices in the Face of High-Profile BreachesAttacks are a mainstream problem, and organizations must employ more than just traditional minimalist approaches of firewalls and virus scanners.
Ongoing, high-profile security breaches are prompting many conversations with customers about the basic hygiene steps they should be taking to improve their security posture and reduce their risk of data compromise. The painful reality is that attacks are a mainstream problem, and traditional minimalist approaches of firewalls and virus scanners are no longer sufficient.
You need to think through the zones in your infrastructure and reduce the crevices through which cyber criminals can crawl. They will go for your weakest point, which today is often a specialty device. From a point-of-sale or ATM system, criminals can navigate up spokes to your hubs, a store, branch, or office. From a compromised machine in one site, they will push into the data center, then out again to other sites.
Different Defenses for Different Devices
The first step is to differentiate desktop protection from data center and specialty device protection. The desktop is under constant modification with new applications, patches, and upgrades. However, with fixed-function devices such as point-of-sale terminals, ATMs, or app-specific tablets, you can restrict functionality to a narrow range, lock them down, and block anything that is outside of the normal scope. The small size, large number, and wide distribution of these devices means they don’t change very often, if at all. Small-footprint application and change-control defenses will allow nothing to run that you do not want to run, including malware.
In locking down these systems, you cannot just block updates, because those updates may contain critical security patches. Effective application and change-control technologies also provide virtual patching, creating a barrier to newly discovered weaknesses and exploits. Virtual patches recognize and block the attempted exploit without having to patch the software, reducing panic when new threats are announced. System upgrades or firmware updates can then be properly evaluated and installed during regular maintenance windows.
Data center servers may provide a similar broad range of functions to desktops, but they are vastly different in scale, contain more sensitive data, and are just as likely to be virtual devices spanning multiple physical systems. In turn, there is a wide variety of purpose-built, high-performance, low-impedance security technologies that are adapted to the virtual and cloudy nature and scale of modern data centers and server infrastructures.
Secure the Data Center Perimeter
The speed and volume of traffic through your data center requires a different level of performance, inspection, and reliability in a firewall at the data center boundary. The sheer number of servers, and the spread of virtual and cloud-based systems, means point defenses are no longer sufficient. Traffic prioritization should direct critical data to the best pipes, while inherent load-balancing and failover capabilities keep everything moving. Perhaps most important is anti-evasion capability, identifying and reconstructing seemingly innocuous message parts into their intended whole package, and checking that against attack patterns or threat signatures.
Defend Your Database
Databases can be especially vulnerable, running software that is many versions behind due to restricted patching windows and elaborate testing requirements. Sometimes this code is very complex, has been customized in some way, or the person who wrote the scripts is long gone and the scripts have not been updated. Virtual patching also protects these systems, blocking exploits even if the underlying software is unpatched. For further protection, database vulnerability management can identify misconfigurations or potential risk areas within the database and make suggestions on how to fix those weaknesses, such as using open ports or unmodified default settings.
Check Data Before It Leaves
Data centers may process a high volume of traffic, but the traffic tends to follow established patterns. Database application monitoring observes traffic and interactions within the databases, develops a baseline for normal behavior, and flags or blocks anomalous actions that may be part of a malicious attack. Data loss prevention capabilities observe data in-motion through the network and at-rest in storage, helping you quickly build and deploy accurate usage policies, and then monitor and enforce policies on data-in-use, ensuring compliance before the data leaves your network. Data-monitoring tools can even capture traffic leaving the network for later analysis, so you do not have to guess at the impact should an error or breach occur.
Consider the Cloud
By now, your systems probably extend well beyond the physical walls of the IT department. Cloud services, such as Microsoft Azure and Amazon Web Services, provide tremendous scale and elasticity but still need to be protected. The standard model of virus scanners and firewalls falls apart quickly when faced with the scale of the cloud. Instead, virtual virus scanners and centralized security controllers work with the strengths of the cloud, analyzing patterns, directing items that require further analysis to centralized resources, and policing what can and cannot be moved outside of the physical perimeter.
Know What’s Happening Now
Cyber attacks are no longer passive events. They are no longer static viruses trying to find and infiltrate as many weaknesses as they can find, or crudely written emails trying to trick you into sharing your bank account details or clicking on a malicious link. Instead, they are active events, guided by human intelligence, learning and adapting to the conditions found in your organization. Finding these attacks within the high volume and rate of traffic flowing in and around your systems requires knowledge of events as they are happening, not in a report produced hours or even days afterward. Security information and event management (SIEM) systems must operate at data center scale and provide real-time visibility into abnormal behaviors, wherever they are. With attackers continuously probing for areas of weakness, and shifting from one attack vector to another to confuse or evade your defenses, the ability to digest and correlate messages and warnings from anywhere is an essential component of SIEM functionality.
The Best Security, Physical or Virtual, Is Integrated
Taken together, the steps above create an integrated defense that is more effective, and less expensive, than deploying scanners on every server instance and point defenses at every ingress and egress. Intelligence on threats, from phishing to malware to zero-day exploits, should be shared among the systems and collected centrally for a complete view of the current situation. Suspicious data should be picked off and sent to a malware analysis engine for static and dynamic evaluation once, instead of multiple times, reducing the quantity of intensive inspection and improving response times. Reports are available sooner and provide a clearer picture of what is happening, and the likely objectives of the attacks.
This list of best practices is not all-inclusive, and there are certainly other technologies and practices that can improve your security posture. However, data center infrastructure and purpose-built devices (such as point-of-sale machines) are common themes in recent major breaches. We need to reevaluate how systems and networks are safeguarded and raise the minimum protection threshold.
Bradon Rogers is the Senior Vice President of Product and Solution Marketing at Intel Security, and is a 14 year veteran in the security space. In this role, Bradon is responsible for worldwide go-to-market of the Intel Security product portfolio. In his prior role at Intel ... View Full Bio