Perimeter | Commentary
12/8/2014 10:30 AM
Marilyn Cohodas
Poll: The Perimeter Has Shattered!

The traditional corporate network perimeter is not dead, but its amorphous shape is something new and indescribable.

Where is the new perimeter? The industry consensus is that the traditional definition, endpoint devices connected to a corporate network, has given way to something new. But what exactly does that mean? According to our latest Dark Reading flash poll, nobody can quite describe it.

[Poll results chart] (Source: Dark Reading)

More than 950 Dark Reading community members took part in the Death of the Perimeter poll. Many in the industry have argued for some time that the once-common fortress mentality for securing corporate assets has outlived its usefulness, yet a full 80% of respondents see a cause of death beyond simply the confluence of mobility and cloud.

The major takeaway from our online survey over the past few weeks is that, for the vast majority of poll-takers, the classic view of what constitutes a network boundary has given way to a new metaphor. For 55% of respondents, the network perimeter has become a seemingly boundless space "anywhere and everywhere data is located": on the device, in a cloud, or on a server (51%), plus the path the data takes there and back (4%).

For the rest of the sample (18%), the sentiment "Haven't a clue. Damned if I can find it, let alone defend it" is the new reality. It's an understandable reaction, reflecting frustration with today's diverse corporate computing environments and the tremendous challenges and responsibilities security professionals face daily. It also raises a new question: where do we go from here?

One of the best places to turn for a cutting-edge cyber security strategy is the burgeoning world of startups. Find out How Startups Can Jumpstart Security Innovation. 

As the perimeter continues to break apart, let's begin a conversation about what keeps you up at night in the battle to protect corporate data on devices, in the cloud, in transit, and wherever else attackers lurk. What new tools and strategies do you need in your arsenal? Where are you looking for solutions: startups, stalwarts, or a combination of the two? Share your thoughts about what's working and what's not in the comments.

 

Marilyn has been covering technology for business, government, and consumer audiences for over 20 years. Prior to joining UBM, Marilyn worked for nine years as editorial director at TechTarget Inc., where she launched six Websites for IT managers and administrators supporting ...
Comments
mtotton, User Rank: Apprentice
12/14/2014 | 10:30:50 AM
Re: Reports of death are greatly exaggerated
Without attempting to suggest a strategy for dealing with it, I would say the perimeter today, as always, is the point after which you can no longer verify, or directly enforce, the security of your information.
ODA155, User Rank: Ninja
12/9/2014 | 10:13:29 AM
Re: Reports of death are greatly exaggerated
@Marilyn Cohodas,... "Maybe more of an amplification of multiple tools versus a major overhaul....", I think so, and because I'm retired military here's more military speak... I think network architects and security professionals need to get better at the interchangeability of thinking strategically and acting tactically. Normally you would think of Defense in Depth as a strategy to build your Layered Security into or within (call this Operational thinking); however, with the malware-driven\blended attacks that we are starting to see, we cannot lose sight of or forget to protect the "systems" we rely on to do the stuff that the user very seldom sees (usually a restore), BC|DR. Then you add virtualization and other cloud services into the mix, and as mbishopCP has pointed out you really do need a plan, because it's ALL connected and we as network architects and security professionals had better know how and where. I have a good friend who's a Penetration Tester; he told me that he visualizes pouring a bucket of water on the "network" and then looks for the leaks.
Marilyn Cohodas, User Rank: Strategist
12/9/2014 | 9:25:08 AM
Re: The Perimeter Isn't Shattered; It's Just Moved
This is an interesting checklist, @mbishopCP, thanks. But it seems to apply primarily to a cloud environment, which may not be typical for many enterprises.
Marilyn Cohodas, User Rank: Strategist
12/9/2014 | 9:10:09 AM
Re: Reports of death are greatly exaggerated
@ODA155 I like that military analogy -- concealment + cover = Defense in Depth + Layered Approach. And they are both better together. IMO the death of the perimeter -- or whatever metaphor you use -- just means that security teams can't rely on a single strategy or technology any more. Maybe more of an amplification of multiple tools versus a major overhaul....
mbishopCP, User Rank: Apprentice
12/8/2014 | 5:50:41 PM
The Perimeter Isn't Shattered; It's Just Moved
The survey results cited in this post are interesting, but before we abandon the idea of protecting the perimeter, we should consider the idea that the definition of the word perimeter has fundamentally changed. When you owned your own physical data center, guarding the perimeter (network) was a sound strategy, until the bad guys found ways in (and they always do). It's akin to moving into a gated community and leaving your expensive home unlocked and the windows open; once the bad guys get over the fence, they have free run of the place. Simply adding more guards at the gate or raising the height of the fences works only temporarily, until someone finds a bigger ladder. We have to protect closer to home -- at the virtual machine (workload) level. This is especially important as more companies are increasing investments in private and public cloud infrastructure. Yes, protect the perimeter, but the new perimeter is at the VM and workload.

There are a growing number of products that do this on the market, so how should you evaluate them? Here are 5 essential ingredients that will keep your business safe at the workload level:

1. On Demand: Modern cloud security solutions must be able to be switched on instantly. It should take just minutes to set up and configure non-intrusive visibility and protection at the virtual machine (workload) level. This contrasts with traditional software or security appliances, which often take days or weeks to configure and get running. The solution must also be able to run in "read-only" or audit mode, making it ideal for visibility and compliance use cases.

2. Comprehensive: Your cloud security solution should be "always-on" and provide a full suite of security and compliance capabilities, including workload firewall management, multi-factor network authentication, configuration security monitoring, software vulnerability assessment, intrusion detection, file integrity monitoring and more. Many offerings on the market today only support some of these features.

3. Works Anywhere: Moving from physical data centers to cloud technologies won't happen overnight. And most companies are investing in cloud technologies from multiple vendors. This makes good business sense as the market matures and you spread risk around. You certainly don't want to be locked into a single cloud provider that may, one day, be surpassed in features, performance or reliability. So choose a security platform that is agnostic to the infrastructure it runs on. It should give you visibility and enforcement in any environment: virtual data center, private cloud, public cloud, or mixed (hybrid).

4. Operates at Any Scale: Pick a cloud security solution that provides hands-free security automation and orchestration that's built in, making it fast and simple to provision elastic compute needs for the business, at any scale. If the platform uses an agent model, check the size of the agent. If it's larger than 6MB, beware; the solution will not scale. Ensure that the platform supports full automation and orchestration capabilities, making it faster and easier to support fully elastic infrastructure needs.

5. Invest in a Platform, Not a Feature: Choose a security platform, not a security feature. Vendors come out with new features all the time, oftentimes leap-frogging each other. Future-proof your decision by examining how fast new features come to market, and how disruptive they are to existing implementations. Make sure the platform itself is architected to scale and that it is fully integrated through open APIs with the virtual infrastructure tools you already use today.
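One of the workload-level controls named in item 2 above, file integrity monitoring, run in the report-only "audit mode" item 1 calls for, is small enough to show end to end. The following is an added example written for this page, not the commenter's code and not any vendor's agent. It snapshots hash, size and permission bits of every regular file under a directory, then diffs two snapshots into added, removed, modified and mode-changed findings. The directory layout, file names and "tampering" in `demo()` are constructed for the illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record hash, size and permission bits for every regular file under root.

    Symlinks are skipped so a link planted inside the tree cannot make the
    monitor follow it to (and hash) something outside the monitored workload.
    """
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue
            st = path.stat()
            baseline[path.relative_to(root).as_posix()] = {
                "sha256": hash_file(path),
                "size": st.st_size,
                "mode": st.st_mode & 0o7777,
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Audit-mode diff between two snapshots: report findings, never remediate."""
    known = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in known
                           if baseline[p]["sha256"] != current[p]["sha256"]),
        # Same content but different permission bits (e.g. a new setuid bit)
        # is a finding in its own right, so it is reported separately.
        "mode_changed": sorted(p for p in known
                               if baseline[p]["sha256"] == current[p]["sha256"]
                               and baseline[p]["mode"] != current[p]["mode"]),
    }


def demo() -> dict:
    """Constructed scenario: snapshot a small tree, tamper with it, re-snapshot."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "app.conf").write_text("listen=127.0.0.1\n")
        (root / "bin" / "server").write_bytes(b"\x7fELF stub (constructed)")
        (root / "bin" / "helper").write_bytes(b"#!/bin/sh\nexit 0\n")
        os.chmod(root / "bin" / "server", 0o755)
        baseline = build_baseline(root)

        # Simulated tampering: config rewritten to listen on all interfaces,
        # a hidden file dropped, a helper deleted, and the server binary's
        # permission bits changed without touching its contents.
        (root / "etc" / "app.conf").write_text("listen=0.0.0.0\n")
        (root / "bin" / ".cache").write_bytes(b"dropped payload (constructed)")
        (root / "bin" / "helper").unlink()
        os.chmod(root / "bin" / "server", 0o700)

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:13s} {paths}")
```

Run stand-alone it prints the four finding categories for the constructed tree. The practitioner caveat that the checklist leaves implicit: the baseline has to live somewhere the workload cannot write (a central store, ideally signed), because a snapshot an attacker on the box can rewrite proves nothing, and the comparison should run on a schedule or on file-change events rather than once.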
jwaters974, User Rank: Apprentice
12/8/2014 | 5:18:47 PM
Re: Reports of death are greatly exaggerated
ODA155 - That was great - no need to apologize - the idea is foreign to too many people.
ODA155, User Rank: Ninja
12/8/2014 | 4:31:37 PM
Re: Reports of death are greatly exaggerated
In my opinion, and as someone has already pointed out, the biggest threat or risk to the network is the user, but I'd like to add to that comment that the second biggest threat to the network is the people making bad decisions about what's more important to the business: the speed that business needs to run at to make money, or the speed that business should run at to protect resources. Do we really need a BYOD program? Why can't we just say no to mobile devices?
  • Does every sysadmin really need remote access?
  • Does the supervisor or ITO\CIO need all of the network privileges they have?
  • Does everyone who has a laptop really need to have remote access to the network?
  • Since we "can't" treat the C-Suite users the same as other (non-admin) users, why not create a set of user policies especially for them?

While all of those things help to expand the perimeter, they also expose it, and apparently to some (most) companies it's worth the risk.

"Defense in Depth" is nothing new, except to those companies who have just discovered it. Defense in Depth comes from the military philosophy that there is no real possibility of achieving total, complete security against threats by implementing any collection of security solutions... in other words, if it's going to happen, it's going to happen regardless of what you do. Fight if you must, but prepare for the aftermath.
 
Another strategy is something called "The Layered Approach", which assumes that any single defense can be flawed, and the best way to find those flaws is when you are compromised by an attack -- so a succession of barriers should be used to cover the gaps in the others' protective capabilities. Firewalls > intrusion detection\prevention systems > SIEM > malware scanners > DLP > integrity auditing procedures > full-disk encryption are tools that can each protect information in ways the others can't. And this is also why you see vendors selling these "things" (applications\appliances) they call "solutions" that try to do everything on the same platform.

So Defense in Depth and Layered Security should be implemented together. I saw an article this morning titled "A combination of MS14-066 and MS14-068 has a massive attack potential" (recommend doing a search and reading it); it took me 2 weeks and about 7 meetings to convince IT management that we needed to apply this update (MS14-068) to our domain controllers... so which strategy does patching fit into?
 
Finally, I'd say that, as stand-alone strategies, Defense in Depth and Layered Security are like a choice between concealment or cover to a soldier. Concealment is exactly what it sounds like: it "conceals" or hides you from the view of the bad guys, but it ain't going to stop a bullet. Cover is anything that can be reasonably expected to stop the travel of a bullet fired from small arms such as handguns and rifles... me, I'd take the big rock over the bushes any day of the week, but both if I can get them.

Sorry for ranting... I hope I didn't get too far off topic.  ;-)
andregironda, User Rank: Strategist
12/8/2014 | 12:55:08 PM
Re: Reports of death are greatly exaggerated
I've always been of the opinion that perimeter defenses, from the original firewalls to PNAT to UTM and DLP, all do not work: they are poor primary preventative controls and even worse as secondary detective or responsive controls. Worst of all, they are terrible as deceptive controls.

We have been looking at controls as ISO 27001 or its predecessors wrongly for two decades or longer. It's also not about "security beyond the firewall". Cyber security is really all about our economic and geopolitical investments in ICT coming back to bite us. Until we get out of the chaotic mode of fire fighting, the 1 in 40 chance per year your organization will have tons of earnings lost and shown in something like a 10-K SEC filing will rise to 1 in 4. How can a business sustain itself when it has 40 partners and at least one of them will be breached? Is that partner core to its business, core to its information security? Can you protect that with your UTM, your Palo Alto Networks, your FireEye, and your Vontu? No, you can't.

We must rebalance the ICT equation through diplomacy, through treaties, through counter denial and counter deception practices including game theory that deter and prevent cyber warfare. We must rebalance ICT through programs such as CYBERPOL and internationalizing it through the rule of law. We don't even have a working CFAA in the US! It is difficult to ascertain how long these cyber risk problems will go on for, but we're not working the root-cause issues. Good luck with your perimeter defenses, losers!!!
aws0513, User Rank: Ninja
12/8/2014 | 11:40:03 AM
Reports of death are greatly exaggerated
Boundary defenses are here to stay.
DDoS attacks and overt port scanning are still tools used by malicious actors today. This stuff isn't gone, folks... it just doesn't catch the headlines that it used to. Heck, these activities happen so often that such events have become analogous to people who exceed the speed limit when driving.
Newer methods like MITM and watering hole attacks are making boundary defenses seem out of date, but these methods are just different in nature and do not preclude the need for boundary defenses. In some situations, boundary defenses can still assist in mitigation of newer external risks.

What has changed is the defense-in-depth mindset that the industry is beginning to embrace. Back in the day, internal (within the boundary defenses) protections were usually relegated to AV and spam protection mechanisms.
Current security programs will have DLP strategies, DAR protections, whitelisting practices, and SIEM implementations. New "next-gen" malicious activity solutions are also coming to the fore as security product vendors find new ways to monitor the secure operations of "all the things".

The idea of a "fence around the things" is not dead; it is just part of a much deeper and more complex security puzzle that will (hopefully) make malicious actors work harder for more limited success.

Of course, the greatest weakness of any security program is people.
How people use systems and data will likely be the endless frontier of risk management.