12/27/2012 11:16 AM
Rethinking IT Security Architecture: Experts Question Wisdom Of Current 'Layered' Cyberdefense Strategies

As attacks become more sophisticated and breaches abound, it's time for enterprises to change their cybersecurity thinking from the ground up, experts say

Developing a comprehensive architecture means defining not only requirements and capabilities in the backbone systems and networks, but at the endpoint as well, says John Prisco, CEO of Triumfant, a provider of next-generation antimalware services. "If you look at the tools that most companies are using today, there's a focus on network-based technologies, like antivirus and deep-packet inspection," he says. "But the attacks are coming more frequently at the endpoint, whether it's a laptop or a mobile device. If you're going to define an architecture today, we have to get past deep-packet inspection and basic firewalls and look at the endpoint as well."

Some of the underlying assumptions behind the "layered" security strategy have become obsolete, notes Steve Pao, vice president of product management at Barracuda Networks, a security and anti-malware tool provider. "In the old days, you didn't change your applications all that often, so you could build a positive defense," Pao says. "You could put email on one [router] port, Internet traffic on one router port, and have a strategy for defending them through the firewall. Today, we have mobile users, changing applications, and we can't lock down the desktop anymore. The old 'M&M candy' architecture with the hard outside and the soft, chewy center no longer works. It has to be a jawbreaker now -- hard all the way through."

Assumptions about the attacker are also being challenged, Pao says. As cybercriminals increasingly seek to target their attacks, enterprises are seeing fewer large-scale exploits -- such as viruses and attacks on Windows or Adobe -- and more targeted attacks designed to infect or steal data from just a few systems or individuals. "The cat-and-mouse game around vulnerabilities in the most popular apps is pretty much under control," he says. "Today the real problems are in custom applications or those that aren't patched very frequently. The assumption that your most common attacks will be made on the most widely deployed applications is being challenged."

As attacks become more sophisticated, they are also challenging conventional wisdom on how to detect malware, says Srinivas Kumar, CTO and co-founder at TaaSERA, a startup anti-malware company that is expected to launch next month. "The signature-based tools focus on what known malware looks like, rather than how it behaves, which means they can't detect most zero-days. Another key question to ask is how do you know when your systems are compromised, and which ones? That's an area that the industry has not focused on." Tomorrow's security architectures need to provide a layer of forensics that enables companies to determine the source of an infection and the extent of its reach, Kumar says.

A growing reliance on cloud networks and applications further complicates the security architecture question, notes Patrick Bedwell, vice president of product marketing at Fortinet, a maker of multifunction security appliances and applications. Use of the cloud means that security pros can no longer build architectures designed to keep data inside company walls, or that rely on a single enterprise's ability to own and manage them, he says. A new, more open approach will be necessary.

"When you combine [the trend toward cloud computing] with what's going on in mobility, social networking, and big data, you can see that today's approach to security architecture must be different than it was even a short time ago," Bedwell says.

Like several other experts, Bedwell says he is seeing a definite movement toward the employment of a security architect in many large organizations. "There's an increase in the number of companies that currently have a security architect or plan to employ one in 2013," he says. "It's becoming more important to not only have someone who can build the architecture, but who's charged with implementing it across the organization."

What should that architecture look like? To start with, it should be tailored and customized to fit the specific business involved -- there is no template that fits every enterprise, experts say. "Ask the fundamental questions," Liu advises. "What are your goals? What compliance requirements do you have? What do you need to do operations in your market? What do you need to do operations in other markets?"

Granado agrees. "You start with what your business is, and then you optimize your security tools accordingly," he says. "Where there is duplicity, look at where you can sunset some of your technologies. Where you have three or four network analysis tools, choose one and get really good at using it."

Once you have your technology and processes whittled down, look for places where they can be integrated, Pao recommends. "The interesting problems are often in the seams," Barracuda's Pao says. "From early on, when we saw the emergence of the 'blended threat,' we integrated the management of our email and Web security solutions together. As we have reconcepted the next-generation firewall, we have sought to more tightly integrate the experience of the firewall and content security solutions working together."

But an effective security architecture isn't just about integrating point technologies -- it's about making sense of security data, which is a skills problem, Granado observes. "The CIO could triple the size of the security spend, but most enterprises wouldn't know what to do with that money because they don't have the arms and legs in the enterprise that would be able to make use of all of the data they would collect. In the end, the architecture is only as good as the people who implement it."

The most important piece of developing a security architecture is mapping (or, often, remapping) the organization's business needs to its security requirements, experts say. Building a security architecture requires not only the buy-in of upper management, but their direct participation.

"There's a shakeup that's going to occur in enterprises because there have been so many breaches," Prisco says. "There was a day when we could say, 'Nobody ever got fired for buying IBM,' but, at this point, there are no safe choices in technology ... If management finds out that a breach occurred -- and there was technology that could have stopped it and you didn't buy it -- then it doesn't matter how safe your choices were."

Breaches always provide an eye-opener that can help drive an architecture project, Liu says, but there's a business case to be made as well. "We're seeing a strategic shift from investing in new tools toward an effort to make what you have more efficient," he says.

"Anybody can make a grilled-cheese sandwich with the right equipment -- but there are only a few people who do it really well, and even fewer people who can do it well for 1,000 customers," Liu says. "What we try to do is tell enterprises not just to buy another grilled-cheese maker, or this year's model, but to look at how they're using what they have and really taking advantage of it. Are your security systems in the right places? Are they configured properly? Are you using all of their capabilities? These are good questions to ask."

Granado agrees. "I'm not sure it always takes a breach to drive companies to look at the architecture problem," he says. "We're now seeing questions about security being asked at the board of directors level. They read the papers. They want quarterly updates on what's being done about security. They want to know what the plan is, and what the threats are. They want to know if the company is prepared to protect its data. A security architecture project can answer a lot of those questions."

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories.

Comments
PrinceR
User Rank: Apprentice
3/15/2013 | 4:46:32 AM
re: Rethinking IT Security Architecture: Experts Question Wisdom Of Current 'Layered' Cyberdefense Strategies
On the whole, I liked this article and appreciated the points it raised regarding the cost/benefit evaluation it suggests is being made about the DiD security strategy. Food for thought for many of us charged by our organizations to select and execute a DiD security system.

Lately, I've been asking myself whether the lack of 'success' achieved by DiD is due entirely to the factors already mentioned by many of those who responded to this article or if in fact it's our 'thinking' about such strategies that is really the issue. Reading the quotes in this article, I was reminded of that line from Samuel Beckett's play, 'Waiting for Godot': "There's man all over for you, blaming on his boots the faults of his feet."

It's my view that while there is ample evidence that the DiD strategy, when executed incorrectly, does not yield the expected results, it can also be argued that successful, ongoing execution of the strategy relies too heavily on factors and resources not readily available to most users (knowledge, skills, etc.).

It also is apparent that our 'adversaries' have the advantage of fighting a guerrilla-style war against security professionals in which the very tools we use to blunt their attacks are being turned against us. I've noticed an inherently asymmetrical aspect to each battle security professionals fight; the advantage is that our adversaries learn more about our defenses, adapt faster, and with greater agility of deployment than we obtain from our analysis of their attacks. The evidence cited by the article about the continuing increase in security breaches despite greater security spend suggests that we defenders are missing something fundamental in our attempts to build better security systems and controls.

So in what new direction should we be looking to find a way to turn the tide of this war in our favor? I've taken a closer look at the fundamental underpinnings of my own approach to thinking about security strategy and I found a few insightful and thought-provoking ideas in the work done by James A. Dewar of the RAND Corporation on Assumption-Based Planning (ABP) and that of Prof. Richard Heeks of the University of Manchester, the "design reality gap" model. I hope to have a paper submitted to ISACA by the end of the summer which discusses how one might apply these ideas to develop a new approach in building security infrastructure.
_stephan_
User Rank: Apprentice
2/2/2013 | 2:37:49 AM
A blog post I wrote that is along the same lines - I definitely agree with most of what was said above - http://blog.ioactive.com/2013/...
SgS125
User Rank: Moderator
1/17/2013 | 7:27:19 PM
I think they are correct, the layered approach is just the same template over and over. The only real tool that seems to work is direct analysis of the traffic, and connections. I would still keep all the "hard crunchy outside" stuff, but I would much rather see what is being accepted past my defenses rather than what is stopped. Especially what is leaving the network and where it is going. They are right we have to have the talent and the desire to work on the issue. Most places I have been do not take security seriously once they think the firewalls make them safe.

You are right, once the system is built it is time to keep it up to date....daily.
MichaelSB
User Rank: Apprentice
1/17/2013 | 6:19:55 PM
Very insightful article, although I disagree with your assumption that a layered defense is not working. Your title should have said a misconfigured layered defense is not working. Defense in depth is a proven strategy if properly implemented. I do agree with some of your points, especially with new and emerging threats. Vigilance is the key here. You can't configure your security solution then sit back. As the threats evolve so must your solution.
MROBINSON000
User Rank: Apprentice
1/14/2013 | 8:39:47 AM
Really insightful article! There isn't a security threat that you can think of that some security company's marketing literature doesn't promise a solution for. But despite the zeal of marketers and the production of many great security solutions, there are still many threats to enterprise IT that simply cannot be offset, mitigated or prevented by a single technology solution. Because this topic is so important to the industry, here are a series of blogs that cover four genres of tools and technologies. The blogs discuss pros & cons; and, most importantly, what each genre can and cannot protect against: http://blog.securityinnovation... Here are the 4 genres: Development tools; Test tools; IT/Network defenses; Standards, Policies, and Maturity Models. Hope you and your readers find it useful! Keep up the good work!
psmith531
User Rank: Apprentice
1/8/2013 | 4:45:43 PM
The title of the article is pointless. Basically the article says that the problem is not the layered defense, but the implementation of it. People don't have any idea of how their networks and applications work and basically just throw products at it in the hope that something will catch a problem. If you understand how applications and networks work, then you can build layered defenses against these problems that will stop it. All applications, whether they are good or bad will behave in a certain way. When they don't, then something is wrong and you should be able to see that.

The problem is not the layered approach. The problem is the lack of understanding how to build the layered approach and the proper processes and procedures around it.
Don Gray
User Rank: Apprentice
1/4/2013 | 3:43:13 PM
I was following the premise of the article for the most part.

And agree that having the right personnel with the right skills is, if not the hardest part of the problem to solve, one of the hardest. Often times we see organizations fail to make use of security capabilities inherent in the infrastructure they already have because, as mentioned, they don't have a risk based approach to securing the enterprise and they don't have the depth of expertise required.

But then you mentioned this:

"There's a shakeup that's going to occur in enterprises because there have been so many breaches," Prisco says. "There was a day when we could say, 'Nobody ever got fired for buying IBM,' but, at this point, there are no safe choices in technology ... If management finds out that a breach occurred -- and there was technology that could have stopped it and you didn't buy it -- then it doesn't matter how safe your choices were."

Which to me seems to invalidate the entire point of the article!

You can't have it both ways. Either you do a risk assessment and make risk based decisions or you "buy stuff" and hope it works.

True risk based decision making forces the issue of justifying and weighing the costs of a solution versus the costs of a breach and incorporating the organization's risk tolerance. That means sometimes you don't spend money on a piece of technology.

But traditional risk based approaches don't account for things like black swans and I would argue are often based on flawed models of the risks they are trying to address. In many risk based approaches I have seen there is a lack of discernment between what is valuable and what is not. And there is a misunderstanding of what is likely and what is not. This inevitably leads to the highest value assets being under protected and the lowest value assets being over protected.

In my opinion that needs to be improved before we can avoid the scenario you outlined where the decision making comes down to "better safe than sorry" buying decisions.
moarsauce123
User Rank: Apprentice
1/2/2013 | 7:08:56 PM
@ubm_techweb_disqus_sso_-81bca6e80f13f2acea45f6242555c4e2:disqus Layered security is the practice of buying a [usually best-of-class] set of security solutions (which encompass products/services from multiple vendors that are intended to work well together to provide that classic "Defense-in-Depth -- aka DiD").
The NSA IATF, who created DiD, included operational practices/procedures and personnel (individual capital, aka "talented people"). Unfortunately, security product/service vendors did not include this. They assumed this would be left up to their customers, the companies and organizations who hire their own people for Information Security Management and Risk Management (such as CISOs or CSOs). Modern CISO/CSOs aren't even aware of the frameworks (e.g. ISO 27k), let alone the easy-do-it-in-a-day frameworks (e.g. Visible Ops Security) -- and they don't use them. They use COBIT, if anything. Most are just compliance-nerds, placating to PCI DSS or GLBA/HIPAA.

What basically resulted was companies hiring [often multiple] highly-paid CISO/CSOs with huge bonuses and incentives to stockpile security product technology without any staff to operate or optimize the products. This is why many security appliances, firewall, and web-application firewall technology is often referred to as "door-stops".

The demand for security-producing solutions has overpopulated the information security industry with less-than-talented individuals because the industry has over-focused on vendor-specific-solutions instead of holistic (e.g. "Reverse Deception") problem-solving activities.

We are in the "triage" state of information security management and risk management. If you went to the hospital, and the triage nurses and doctors told you to go home bleeding and dying because they don't know how to diagnose (let alone treat) your disorder -- wouldn't that be a lawsuit waiting to happen? Instead, staff that perform triage at the hospital need to be aware of all of the potential outcomes and pass that information to the specialized ER team. In the information security world -- these are our needed "security architects" and their patient is the business, not some IT manager focused on vendor solutions.

When it comes time to add specialists, security architects can add them as Incident Response (IR) personnel tied to the type of breaches that are occurring. Add IR staff at a rate that is quantitatively tied to the rate of breaches. If you do this correctly, you'll have a baseline level of staff necessary to tackle information security management and risk management programs for your organization.
moarsauce123
User Rank: Apprentice
1/2/2013 | 6:44:42 PM
@stu8king: You are thinking of classic "posture" or "point-in-time" based risk assessments. I think what's being suggested instead here is just that holistic approach you see as flawed, but more "on-going" in nature: a security improvement program with a security improvement process.

What I took as the point of this article is that technology-focused security products/services, even when they fit into a solution or reference architecture, are oversold, underutilized, and ineffective.

Instead, leaders need to lead and their security professionals need to hack their way secure -- but they MUST coordinate these efforts TOGETHER focused on their SPECIFIC needs in order to even HOPE for any small successes.
stu8king
User Rank: Apprentice
1/2/2013 | 3:01:50 PM
The article is good in that it points out the truism that security strategies are, to a large degree, flawed and need a new approach, but then falls back on the old cliches of "do a risk assessment", "think holistically." The point is that new ways of thinking are needed - risk assessments are and have always been a flawed approach because of the natural bias inherent whenever people try to figure out what's important. You have to start from the perspective of protecting revenue. It's all about money. The greatest risk is where the most money or losses can occur. Face it - you don't need a risk assessment to figure out the assets that are most important to your business - you need some degree of common sense and the ability to communicate a decent plan. Finally - if you think technology is the solution then you do not understand the problem.