Damage Mitigation As The New Defense

Containing the attacker in today's persistent threat environment
Containing or corralling the attacker to thwart their efforts takes the incident response (IR) and recovery concept to the next level. "This concept of containment will bring to a more holistic security strategy a way to help buy more time for detection and response and the ability to mitigate attacks," Rains says.

Among the technologies that fall under this category today are sandboxing, Microsoft's Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and AppLocker, for example. "DEP and ASLR have been useful in mitigating the big worm attacks we saw in the past" and some of the recent advanced persistent threat (APT)-style attacks, Rains says.

"Attackers would love to send you an attachment and compromise your system. Those [technologies] like DEP and ASLR make that a lot harder," Rains says. Application whitelisting tools such as AppLocker can help organizations specify which applications are allowed to run, he says.
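DEP and ASLR only protect a process when the executable has opted in, so one of the first checks an analyst runs on a suspicious attachment or a newly deployed application is whether those flags are actually set in the PE header. The script below is an added example (not code from the article or from Microsoft) that parses the COFF and optional headers of a Windows executable and reports the NX_COMPAT (DEP) and DYNAMIC_BASE (ASLR) opt-ins, along with the caveat practitioners trip over: an image whose relocations were stripped cannot be rebased by the loader, so DYNAMIC_BASE alone does not buy ASLR. The `build_test_pe` helper fabricates a minimal header blob so the check can be exercised offline; it is a constructed sample, not a real binary.

```python
"""Report DEP/ASLR opt-in flags from a PE executable's headers (added example)."""
import struct
import sys

# IMAGE_FILE_HEADER.Characteristics flag
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
# IMAGE_OPTIONAL_HEADER.DllCharacteristics flags
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100

PE32_MAGIC = 0x10B      # 32-bit image
PE32PLUS_MAGIC = 0x20B  # 64-bit image


def pe_mitigations(data: bytes) -> dict:
    """Parse a PE image in memory and return which mitigations it opted in to.

    Raises ValueError for anything that does not carry a DOS stub and PE signature.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, _nsect, _ts, _symtab, _nsym, opt_size, characteristics = \
        struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 72 or len(data) < opt + 72:
        raise ValueError("optional header too short")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics lives at offset 70 of the optional header in both PE32 and PE32+.
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)

    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    is_64 = magic == PE32PLUS_MAGIC
    return {
        "pe32plus": is_64,
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "dynamic_base": dynamic_base,
        # The loader cannot move an image without a .reloc section, so ASLR is
        # only effective when DYNAMIC_BASE is set AND relocations were kept.
        "aslr": dynamic_base and not relocs_stripped,
        "high_entropy_va": is_64 and bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
    }


def build_test_pe(magic: int, characteristics: int, dll_characteristics: int) -> bytes:
    """Constructed sample: a minimal, non-runnable PE header blob for exercising the parser."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> PE signature right after the stub
    opt_size = 240 if magic == PE32PLUS_MAGIC else 224
    machine = 0x8664 if magic == PE32PLUS_MAGIC else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Usage: python pe_mitigations.py <file.exe>; with no argument, run the constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(pe_mitigations(fh.read()))
    else:
        hardened = build_test_pe(PE32PLUS_MAGIC, 0x0022, 0x0160)   # NX_COMPAT|DYNAMIC_BASE|HIGH_ENTROPY_VA
        legacy = build_test_pe(PE32_MAGIC, 0x0103, 0x0140)         # flags set, but RELOCS_STRIPPED
        print("hardened:", pe_mitigations(hardened))
        print("legacy  :", pe_mitigations(legacy))
```

On a real host, feed the script every executable a mail gateway or whitelisting policy is about to allow; a result with `"aslr": False` on a modern build is worth a conversation with the vendor before the binary is permitted to run.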

Organizations need to understand which data specifically requires advanced protection, and to deploy access controls so that users get access only to the applications they need for their jobs, with the least privilege possible, so that attackers cannot abuse excess rights, according to Rains.

But the full-blown tools for building a containment strategy are really not there yet, experts say. "One of the biggest challenges is that customers really don't have the ability to protect themselves or contain a threat," says Oliver Friedrichs, senior vice president of Sourcefire's cloud technology group. "That's very serious today. Most threats have a half-life of a day or less, and so much of the data has already been exfiltrated" by then, he says.

Containment is basically an old military concept that has permeated the business world. It has two basic elements, says Eddie Schwartz, CSO at RSA, the security division of EMC. "Get visibility into [at-risk data] faster, and shut down the attackers before they get access to the most valuable [assets]," he says. "And containment puts the more valuable things in spaces that are more protected."

Schwartz says virtualization is a key tool for containment. RSA has deployed this technology in-house, including in its mobile systems, he notes. "[You build] a virtual container where you don't allow the cool stuff on BYOD [bring your own device] to pollute the environment ... carefully crafted" for security, he says.

Bottom line: The layered approach to security is still very much in fashion. "Security is about the layered approach. That means several technical layers and user education," says Roel Schouwenberg, senior antivirus researcher for Kaspersky Lab. "[And] a mitigation strategy is really something you should always have."

And 2011, which has been dubbed "the year of the hack" due to the high-profile breaches of HBGary Federal, RSA Security, Sony, and others, was a wake-up call for many large organizations.

"Last year was a watershed event for us and for our industry," RSA's Schwartz says. "It was a game changer ... The industry is realizing we [all] need to change what we're doing, not just in security products, but in what organizations and governments are doing" to protect themselves, Schwartz says.
