Why A Secured Network Is Like The Human Body

Commentary
Dan Ross
6/26/2014 12:00 PM

It's time to throw away the analogies about building fortresses and perimeter defenses and start to approach InfoSec with the same standard of care we use for public health.

The networked enterprise is often compared to a fortress: Guard your perimeter, build a secure wall, keep out intruders, beware spies and traitors. Like many of our approaches to cyber security, this metaphor is outdated and doesn't help clarify the complex set of challenges we are facing.

The new reality is that blocking and prevention mechanisms are not enough to stop the more targeted types of threats we’ve seen. If massive, multinational corporations can put millions of dollars and hundreds of people on cyber security patrol and still be spectacularly breached, we obviously need to make some adjustments. Security professionals are realizing that they need to defend in three dimensions:

  • What we do before an attack
  • What we do during an attack to understand that one is happening (before the dwell time leads to significant loss in IP)
  • What we do after an attack to ensure it doesn’t happen again

This multidimensional view operates on the assumption that the attackers will eventually get in (or are already inside as Gartner reminds us). It's a paradigm shift that is quickly becoming the new norm and must be at the heart of your plan to adapt to emerging attack vectors by proactively and rapidly detecting and then remediating threats on all components of the networked enterprise: servers, appliances, endpoints, and applications.

To draw a parallel to something that we all experience every day, the secured networked enterprise is comparable, in its complexity and mutability, to the human body. Unless you're a member of a SWAT team, you don't put on Kevlar each morning, pop a magic pill, and venture out into the world thinking you'll be safe. Likewise, a firewall and anti-virus/anti-malware software aren't nearly enough to keep our networks safe, especially against targeted attacks.

Healthy bodies are well cared for on a continuous basis with preventive measures. Day in and day out, they are nourished properly, exercised to avoid weakness and stress, cleansed, and replenished by rest. Healthy people respond to pain or illness with much greater vitality than sick people. But when they get sick, they will usually respond with professional diagnosis and targeted medication.

What’s more, people continuously monitor all their faculties -- skin, digestion, cognitive function, respiration, and mobility -- for changes and warning signs and adjust their behavior and nutrients to get back to an optimal state. But even healthy people, like healthy networks, are not impenetrable. They never know when they will eat bad food, pick up viruses, or get hurt in an accident, but when they do, they don’t sit idly by; they do something about the malady that is impacting them.

Similarly, although up-to-date anti-virus and anti-malware defenses are important to keep out the normal day-to-day threat, companies also need to focus on technologies and practices that will quickly find intruders and mitigate the damage they can do. Just as there's no magic pill to protect our bodies, there's no silver bullet in cyber security. Even the latest and greatest technologies are deployed to detect threats only, not to block them.

This was the case at Target, where one contributing factor was the significant dwell time of the threat once it got inside. Detection took a long time, response was delayed, and the damage was done. Imagine you are diagnosed with a tumor and, instead of taking an MRI that day, your oncologist uses one from 12 months ago to determine the current size and nature of your tumor. Unfortunately, by the time many of the advanced threat detection technologies on the market today deduce that action is needed, the intruder more than likely will have moved on deeper into the network, spreading like a cancer.

We don't go about our day assuming we are in perfect health; instead we continuously check, remediate, and replenish. We usually know something is wrong because we notice a cut is not healing or a rash is getting bigger: not because a medical test indicates a problem, but because we detect it ourselves and then investigate it. This is how the new standard of cyber security should look.

Towards a consensus on due care
This standard of care isn’t just a good idea, it is steadily evolving into a necessity. Even the federal government’s NIST Cybersecurity Framework urges a shift in the way we think about risk management and adapt to ever-emerging threats. (See Section 2.2 "Framework Implementation Tiers, Tier 4: Adaptive" for a vision of what we should be working toward.) While each company and industry has its own set of standards, a consensus on due care has begun to coalesce. At its essence, due care is the amount of caution a reasonable person would have exercised to prevent a foreseeable bad thing from occurring. If we assume attacks are always happening and intruders are already in, then a data breach becomes a "foreseeable bad thing."

Today, the job of security teams, boards, and executives is to determine and deploy reasonable precautions: Protect your brand, prioritize your most mission-critical assets, nurture a culture of security from the bottom up, educate key stakeholders, and plan your incident response in detail. But traditional perimeter defenses only get you part of the way there. Constant, integrated, and holistic monitoring of the organization from network core all the way to endpoints is what will bring you much closer to becoming a truly healthy and protected enterprise.
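The "stale MRI" point above comes down to review cadence: the same endpoint telemetry yields a very different dwell time depending on how often someone compares it with a known-good baseline. The following is an added example written for this article, not code from the author or from Promisec's product. It uses constructed snapshots of running processes on two hypothetical hosts (ws-01, ws-02) and an invented unexpected binary name (upd8r.exe), flags anything not in the baseline, and simulates a team that reviews the latest snapshot per host every N hours, reporting how long the deviation sat undetected and how far it had spread by the time it was noticed.

```python
from datetime import datetime, timedelta

# Constructed sample data (not real telemetry): a known-good process
# baseline per host and a time-ordered stream of endpoint snapshots.
BASELINE = {
    "ws-01": frozenset({"explorer.exe", "outlook.exe", "svchost.exe"}),
    "ws-02": frozenset({"explorer.exe", "chrome.exe", "svchost.exe"}),
}

T0 = datetime(2014, 6, 1, 8, 0)
SNAPSHOTS = [
    # (observed_at, host, running processes) -- hypothetical hosts and binaries
    (T0 + timedelta(hours=0), "ws-01", {"explorer.exe", "outlook.exe", "svchost.exe"}),
    (T0 + timedelta(hours=0), "ws-02", {"explorer.exe", "chrome.exe", "svchost.exe"}),
    (T0 + timedelta(hours=3), "ws-01", {"explorer.exe", "outlook.exe", "svchost.exe"}),
    # an unexpected binary (invented name) appears on ws-02 at T0+3h
    (T0 + timedelta(hours=3), "ws-02", {"explorer.exe", "chrome.exe", "svchost.exe", "upd8r.exe"}),
    (T0 + timedelta(hours=6), "ws-01", {"explorer.exe", "outlook.exe", "svchost.exe"}),
    (T0 + timedelta(hours=6), "ws-02", {"explorer.exe", "chrome.exe", "svchost.exe", "upd8r.exe"}),
    # by T0+9h it has spread to ws-01 as well
    (T0 + timedelta(hours=9), "ws-01", {"explorer.exe", "outlook.exe", "svchost.exe", "upd8r.exe"}),
    (T0 + timedelta(hours=9), "ws-02", {"explorer.exe", "chrome.exe", "svchost.exe", "upd8r.exe"}),
]


def deviations(snapshot):
    """Return the sorted list of processes in a snapshot that are not in the host's baseline."""
    _observed_at, host, procs = snapshot
    return sorted(set(procs) - BASELINE[host])


def first_deviation_time(snapshots):
    """Timestamp of the earliest snapshot that departs from the baseline, or None."""
    for snap in snapshots:
        if deviations(snap):
            return snap[0]
    return None


def simulate_review(snapshots, review_every_hours):
    """Model a team that looks at the latest snapshot per host only every review_every_hours.

    Returns (review_time_at_detection, set_of_flagged_hosts); (None, set()) if never flagged.
    """
    start = min(s[0] for s in snapshots)
    end = max(s[0] for s in snapshots)
    review_at = start
    while True:
        latest = {}
        for snap in snapshots:  # time-ordered, so the last snapshot <= review_at wins
            if snap[0] <= review_at:
                latest[snap[1]] = snap
        flagged = {host for host, snap in latest.items() if deviations(snap)}
        if flagged:
            return review_at, flagged
        if review_at >= end:
            return None, set()
        review_at += timedelta(hours=review_every_hours)


def dwell_time_hours(snapshots, review_every_hours):
    """Hours between the first deviation and its detection under the given review cadence.

    Returns (hours, flagged_hosts); hours is None when nothing was detected.
    """
    compromised_at = first_deviation_time(snapshots)
    detected_at, hosts = simulate_review(snapshots, review_every_hours)
    if compromised_at is None or detected_at is None:
        return None, hosts
    return (detected_at - compromised_at).total_seconds() / 3600, hosts


if __name__ == "__main__":
    for cadence in (1, 12):
        hours, hosts = dwell_time_hours(SNAPSHOTS, cadence)
        print(f"review every {cadence:>2}h -> dwell {hours}h, hosts affected at detection: {sorted(hosts)}")
```

With hourly review the deviation is caught in the same snapshot it first appears in, confined to one host; with a 12-hour cadence the same data yields a 9-hour dwell time and both hosts are affected by the time anyone looks. The baseline here is a flat process list for brevity; the same diff-against-known-good logic applies to services, autoruns, listening ports, or installed software.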

With more than 30 years of successful entrepreneurial leadership and management experience, Dan Ross is responsible for strategic direction and day-to-day global management at Promisec. Promisec is a pioneer in endpoint visibility and remediation, empowering ...
Comments
Dan Ross, User Rank: Author
7/1/2014 | 8:17:32 AM
Re: Preventive vs Proactive
Well, your mileage may vary, but we've seen reasons like not having the resources/means to do this effectively, talent on staff, costs to outsource ongoing testing vs. audit compliance must-do activities, to name a few. In general, we believe customers that can carry this out as part of a larger plan to detect potential threats proactively stand a far better chance of stopping or at least limiting their next targeted attack.
RyanSepe, User Rank: Ninja
6/30/2014 | 5:53:08 PM
Re: Preventive vs Proactive
What would you say is the reason/s why ethical hacking isn't more prevalent? Especially within organizations on their own test environments?
Dan Ross, User Rank: Author
6/30/2014 | 10:49:25 AM
Re: Apt analogy
Thank you! At the risk of changing the scope of the article, I thought it was a good place to leave it at, due care, but I agree with you that such a term does interject a legal element to the conversation. I am sure we will see more around this topic.
Marilyn Cohodas, User Rank: Strategist
6/30/2014 | 10:01:09 AM
Re: Apt analogy
Agree that an important shift is taking place within the security industry -- though I would argue that the use of the term "due care" does interject a legal element to the discussion, particularly in light of pending litigation related to the Target breach.

But, in terms of how security pros need to respond to the changing threat landscape, due care is as good a term as any to describe what needs to be done!
Dan Ross, User Rank: Author
6/30/2014 | 10:00:22 AM
Re: Preventive vs Proactive
I couldn't agree more with you Ryan. More pen testing, not just as part of a compliance audit but as a general practice carried out by ethical hackers, is and should be considered part of this holistic approach. At the risk of stretching the analogy a little, one could draw parallels to inoculations to disease as an example of trying to break in and bring down your defenses, but instead as a means to build up one's defense to an attack. The process of building up immunity hinges upon some level of exposure and allowing your body to build defense. We as an industry should be proactively applying similar principles in trying to find areas of weakness before someone that wishes to cause us harm ultimately does.
Dan Ross, User Rank: Author
6/30/2014 | 9:46:47 AM
Re: Apt analogy
While one could form a legal argument from "due care" in this context, the consensus in this article was coming from the security industry as a whole. It's becoming generally accepted that companies/customers are always under attack and the "boogieman" is already inside. It's our job as security professionals to see this and the ramifications this has in our approaches and the paradigm shifting in tactics, putting more emphasis on proactive vs. reactive, detection vs. prevention, etc.
Bprince, User Rank: Ninja
6/29/2014 | 1:31:34 AM
Re: Apt analogy
Good question. When I hear phrases like "due care" I immediately think lawsuit. But the standard for that, unless it is defined by compliance regulations, is going to have to be very broad, to the point it would take something egregious on the part of the business to create liability.

BP
RyanSepe, User Rank: Ninja
6/28/2014 | 10:11:30 PM
Preventive vs Proactive
Great article. I am a big advocate of the holistic approach as well. But as threats evolve, security professionals are on the reactive side of the equation most of the time. What I believe needs to happen is that CyberSec professionals need to be more proactive. Preventive is a good approach, but it acknowledges, mostly, that there are threats that are already known that we are trying to stop. But as we have seen, and as the article alludes to, zero-day attacks will not fall into this category for preventive control.

What I am alluding to is a higher emphasis on penetration testing. I think if this was to be a larger priority, not as many zero-day attacks would be banging on the door. It's hard to justify because the idea of the health system is let's prepare to keep the body healthy and, if it does fall ill, let's remediate. But if we think of zero days as such with a contagion scenario, we can follow similar analogies to the point that we are trying to remediate new disease before it becomes a devastating issue.
Dan Ross, User Rank: Author
6/27/2014 | 4:26:40 PM
Re: rest
If you are referring to the REST API, we agree: having an open standard to share security information between systems is a preferred approach. If you are referring to personal snooze time, the body certainly does need rest, which is a choice...
Okal sugu, User Rank: Apprentice
6/27/2014 | 11:37:43 AM
rest
I totally agree with you. I am a believer in the holistic approach in life. How can I integrate Rest in my systems?