The security industry has a mindset problem. For years, businesses have operated with the "might" mentality -- that they might get attacked someday, unless they do something to prevent it. The reality, though, is that all organizations, whether they are public, private or non-profit, are being analyzed, tested and exploited by malicious entities constantly. These entities' motivations may differ between industries, but the fact is that someone, somewhere is trying to break in, and the odds are in their favor.
If you acknowledge that you are under attack -- today, right now -- then it becomes possible to shift your mindset towards protecting your organization. Focusing on detection and remediation gives you a better chance of limiting the damage to your business once an incident happens.
However, in order to respond to an incident, you first have to recognize that one has actually occurred. The statistics are still quite troubling in this area, with the majority of breaches being identified by external third parties and not by an organization's internal teams. Verizon's 2017 Data Breach Investigations Report found that 89% of all breaches caused by miscellaneous errors were discovered by external parties -- 76% of which were a customer. This leaves little opportunity to remediate the threat in a meaningful way, i.e. prior to data exfiltration.
Once you understand that (unfortunately) you as an organization are unlikely to identify a certain portion of threats, ensuring that you maximize your detection capabilities is critical. Here are a few ways to do so.
Of course, this is not to say that prevention should be ignored. There are still necessary tactics that should be put in place to help your organization's overall security, such as limiting access to critical infrastructure -- if someone doesn't need access to "X," they should not have access to "X." This applies to both users and machines -- web server "Y" should not be able to reach database "Z" unless absolutely necessary.
And while investing in quality security products remains important in any enterprise security strategy, they need to be coupled with a security team that knows how to implement these products and get results. These security products are simply tools in a human analyst's security tool belt. Firewalls, intrusion prevention systems, anti-virus solutions, SIEMs and sandboxes all exist to reduce risk and exposure, but at the end of the day, a well-trained analyst is an enterprise's best defense.
Many will argue that subsets of artificial intelligence (AI), such as machine and deep learning, are a bigger key to success than actual employees. However, those of us who are realists understand that while these technologies may be effective in certain, specific use cases today, we are decades away from AI replacing most solutions (and humans) that are employed today.
With your security team -- and ideally, the full organization -- on board with an "imminent breach" mentality, the chances of limiting damage when an attack hits are much higher. By coupling a strong security team with the right tools and processes for when -- not if -- the worst happens, your organization will be in a stronger position to protect itself.
— Craig Dods is the Chief Architect for Security within Juniper Networks' Enterprise Business.