Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Careers and People
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
Poll: The Perimeter Has Shattered!
Newest First  |  Oldest First  |  Threaded View
mtotton
mtotton,
 User Rank: Apprentice
12/14/2014 | 10:30:50 AM
Re: Reports of death are greatly exaggerated
Without attempting to suggest a strategy for dealing woith it, I would say the perimeter today, as always, is the point after which you can no longer verify, or directly enforce, the security of your information
ODA155
ODA155,
 User Rank: Ninja
12/9/2014 | 10:13:29 AM
Re: Reports of death are greatly exaggerated
@Marilyn Cohodas,... "Maybe more of an amplication of multiple tools versus a major overhaul....", I think so, and because I'm retired military here's more military speak... I think network architects and security professionals need to get better at the interchangability of thinking strategic and acting tactically. Normally you would think of Defense in Depth as a strategy to build your Layered Security into or within call this is Operational thinking, however with the malware driven\blended attacks that we are starting to see we cannot lose site or forget to protect the "systems" we rely on to do the stuff that the user very seldom sees (usually a restore) BC|DR. Then you ad virtualization and other cloud services into the mix, and as mbishopCP has pointed out you really do need a plan because it's ALL connected and we as network architects and security professionals had better know how and where. I have a good friend who's a Penetration Tester, he told me that he visualizes pouring a bucket of water on the "network" then he looks for the leaks.
Marilyn Cohodas
Marilyn Cohodas,
 User Rank: Strategist
12/9/2014 | 9:25:08 AM
Re: The Perimeter Isn't Shattered; It's Just Moved
This is an interesting checklist, @mbishopCP, thanks. But it seems to apply primarily to a primarily cloud environment, which may not be typical for many enterprises.
Marilyn Cohodas
Marilyn Cohodas,
 User Rank: Strategist
12/9/2014 | 9:10:09 AM
Re: Reports of death are greatly exaggerated
@ODA155  I like that military analogy -- concealment + cover = Defense in Depth + Layered Approach. And they are all both better together. IMO the death of the perimeter -- or what ever metaphor you use -- just means that security teams can't rely on a single strategy or technology any more. Maybe more of an amplication of multiple tools versus a major overhaul....
mbishopCP
mbishopCP,
 User Rank: Apprentice
12/8/2014 | 5:50:41 PM
The Perimeter Isn't Shattered; It's Just Moved
The survey results cited in this post are interesting, but before we abandon the idea of protecting the perimeter, we should consider the idea that the definition of the word perimeter has fundamentally changed. When you owned your own physical data center, guarding the perimeter (network) was a sound strategy, until the bad guys find ways in (and they always do). It's akin to moving into a gated community and leaving your expensive home unlocked and the windows open; once the bad guys get over the fence, they have free run of the place. Simply adding more guards at the gate or raising the height of the fences works only temporarily, until someone finds a bigger ladder. We have to protect closer to home -- at the virtual machine (workload) level. This is especially important as more companies are increasing investments in private and public cloud infrastructure. Yes, protect the perimeter, but the new perimeter is at the VM and workload. 

There are a growing number of products that do this on the market, so how should you evaluate them? Here are 5 essential ingredients that will keep your business safe at the workload level:

1.     On Demand: Modern cloud security solutions must be able to be switched on, instantly. It should take just minutes to set up and configure non-intrusive visibility and protection – at the virtual machine (workload) level. This contrasts with traditional software or security appliances, which often take days or weeks to configure and get running. The solution must also be able to run in "read-only" or audit mode, making it ideal for visibility and compliance use cases. 

2.     Comprehensive: Your cloud security solution should be 'always-on' and provide a full suite of security and compliance capabilities including: workload firewall management, multi-factor network authentication, configuration security monitoring, software vulnerability assessment, intrusion detection, file integrity monitoring and more. Many offerings on the market today only support some of these features.

3.     Works Anywhere: Moving from physical data centers to cloud technologies won't happen overnight. And most companies are investing in cloud technologies from multiple vendors. This makes good business sense as the market matures and you spread risk around. You certainly don't want to be locked into a single cloud provider that may, one day, be surpassed in features, performance or reliability. So choose a security platform that is agnostic to the infrastructure it runs on. It should give you visibility and enforcement in any environment: virtual data center, private cloud, public cloud, or mixed (hybrid).

4.     Operates at Any Scale: Pick a cloud security solution that provides hands-free security automation and orchestration that's built-in, making it fast and simple to provision elastic compute needs for the business, at any scale. If the platform uses an agent model, check the size of the agent. If it's larger than 6MB, beware; the solution will not scale. Ensure that the platform supports full automation and orchestration capabilities, making it faster and easier to support fully elastic infrastructure needs.

5.     Invest in a Platform, Not a Feature: Choose a security platform, not a security feature. Vendors come out with new features all the time, oftentimes leap-frogging each other. Future-proof your decision by examining how fast new features come to market, and how disruptive they are to existing implementations. Make sure the platform itself is architected to scale and that it is fully integrated through open APIs with the virtual infrastructure tools you already use today.
jwaters974
jwaters974,
 User Rank: Apprentice
12/8/2014 | 5:18:47 PM
Re: Reports of death are greatly exaggerated
ODA155 - That was great - no need to apologize - the idea is foreign to too many people

 
ODA155
ODA155,
 User Rank: Ninja
12/8/2014 | 4:31:37 PM
Re: Reports of death are greatly exaggerated
In my opinion and as someone has already pointed out, the biggest threat or risk to the network is the user, but I'd like to add on to that comment that the second biggest threat to the network are the people making bad decisions about what's more important to the business, the speed that business needs to run at to make money or the speed that business should run at to protect resources. Do we really need a BYOD program? Why can't we just say no to mobile devices?
  • Does every sysadmin really need remote access?
  • Does the supervisor or ITO\CIO need all of the network privileges they have?
  • Does everyone who has a laptop really need to have remote access to the network?
  • Since we "can't" treat the C-Suite users the same as other (non-admin) users, why not create a set of user policies especially for them?

 While all of those things help to expand the perimeter they also expose it and apparently to some (most) companies it's worth the risk to them.

"Defense in Depth" is nothing new, except to those companies who have just discovered it. Defense in Depth, which comes from the military philosophy that there is no real possibility of achieving total, complete security against threats by implementing any collection of security solutions... in other words, if it's going to happen, if it's going to happen regardless what you do. Fight if you must, but prepare for the aftermath.
 
Another strategy is something called "The Layered Approach", which assumes that any single defense can be flawed, and the best way to find those flaws is when you are compromised by an attack -- so a succession of barriers should be used to cover the gaps in the others' protective capabilities. Firewalls> intrusion detection\prevention systems> SIEM> malware scanners> DLP> integrity auditing procedures> full-disk encryption are tools that can each protect information in ways the others can't. And this is also why you see vendors selling these "things" (applications\appliances) they call "solutions that try to do everything on the same platform.

So Defense in Depth and Layered Security should be implemented together. I saw an article this morning titled "A combination of MS14-066 and MS14-068 has a massive attack potential"(recommend doing a search and reading it), it took me 2 weeks and about 7 meeting to convince IT management that we needed to apply this update (MS14-068) to our domain controllers... so which strategy does patching fit into?
 
Finally, I'd say either as a stand-alone Defense in Depth and Layered Security are like a choice between concealment or cover to a soldier. Concealment is exactly what it sounds like, it "conceals" or hides you from the view of the bad guys but it ain't going to stop a bullet. Cover is anything that can be reasonably expected to stop the travel of a bullet fired from small arms such as handguns and rifles... me, I'd take the big rock over the bushes any day of the week, but both if I can get them.

Sorry for ranting... I hope I didn't get too far off topic.  ;-)
andregironda
andregironda,
 User Rank: Strategist
12/8/2014 | 12:55:08 PM
Re: Reports of death are greatly exaggerated
I've always been of the opinion that perimeter defenses starting with the original firewalls to PNAT to UTM and DLP -- all do not work: they are poor primary preventative controls and even worse as secondary detective or responsive controls. Worst of all, they are terrible at deceptive controls.

We have been looking at controls as ISO 27001 or its predecessors wrongly for two decades or longer. It's also not about "security beyond the firewall". Cyber security is really all about our economic and geopolitical investments in ICT coming back to bite us. Until we get out of the chaotic mode of fire fighting, the 1 in 40 chance per year your organization will have tons of earnings lost and shown in something like a 10-K SEC filing will rise to 1 in 4. How can a business sustain itself when it has 40 partners and at least one of them will be breached? Is that partner core to its business, core to its information security? Can you protect that with your UTM, your Palo Alto Networks, your FireEye, and your Vontu? No, you can't.

We must rebalance the ICT equation through diplomacy, through treaties, through counter denial and counter deception practices including game theory that deter and prevent cyber warfare. We must rebalance ICT through programs such as CYBERPOL and internationalizing it through the rule of law. We don't even have a working CFAA in the US! It is difficult to ascertain how long these cyber risk problems will go on for, but we're not working the root-cause issues. Good luck with your perimeter defenses, losers!!!
aws0513
aws0513,
 User Rank: Ninja
12/8/2014 | 11:40:03 AM
Reports of death are greatly exaggerated
Boundary defenses are here to stay. 
DDoS attacks and overt port scanning are still tools used by malicious actors today.  This stuff isn't gone folks...  it just doesn't catch the headlines that it used to.  Heck, these activites happen so often that such events have become analogous to people who exceed the speed limit when driving.
Newer methods like MITM and watering hole attacks are making boundary defenses seem out of date, but these are methods are just different in nature and do not preclude the need for boundary defenses.  In some situations, boundary defenses can still assist in mitigation of newer external risks.

What has changed is the defense-in-depth mindset that the industry is beginning to embrace.  Back in the day, internal (within the boundaries defenses) protections were usually relegated to AV and Spam protection mechanisms.  
Current security programs will have DLP strategies, DAR protections, whitelisting practices, and SIEM implementations.  New "nex-gen" malicious activity solutions are also coming to the fore as security product vendors find new ways to monitor the secure operations of "all the things".

The idea that a "fence around the things" is not dead, it is just part of a much deeper and more complex security puzzle that will (hopefully) make malicious actors work harder for more limited success.

Of course, the greatest weakness of any security program is people. 
How people use systems and data will likely be the endless frontier of risk management.


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Improving Enterprise Cybersecurity With XDR
Enterprises are looking at eXtended Detection and Response technologies to improve their abilities to detect, and respond to, threats. While endpoint detection and response is not new to enterprise security, organizations have to improve network visibility, expand data collection and expand threat hunting capabilites if they want their XDR deployments to succeed. This issue of Tech Insights also includes: a market overview for XDR from Omdia, questions to ask before deploying XDR, and an XDR primer.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-40597
PUBLISHED: 2022-06-29
The firmware of EDIMAX IC-3140W Version 3.11 is hardcoded with Administrator username and password.
CVE-2022-30467
PUBLISHED: 2022-06-29
Joy ebike Wolf Manufacturing year 2022 is vulnerable to Denial of service, which allows remote attackers to jam the key fob request via RF.
CVE-2022-33061
PUBLISHED: 2022-06-29
Online Railway Reservation System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /classes/Master.php?f=delete_service.
CVE-2022-2073
PUBLISHED: 2022-06-29
Code Injection in GitHub repository getgrav/grav prior to 1.7.34.
CVE-2022-33057
PUBLISHED: 2022-06-29
Online Railway Reservation System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /classes/Master.php?f=delete_reservation.