The networked enterprise is often compared to a fortress: Guard your perimeter, build a secure wall, keep out intruders, beware spies and traitors. Like many of our approaches to cyber security, this metaphor is outdated and doesn’t help clarify the complex set of challenges we are facing.
The new reality is that blocking and prevention mechanisms are not enough to stop the more targeted types of threats we’ve seen. If massive, multinational corporations can put millions of dollars and hundreds of people on cyber security patrol and still be spectacularly breached, we obviously need to make some adjustments. Security professionals are realizing that they need to defend in three dimensions:
- What we do before an attack
- What we do during an attack to understand that one is happening (before the dwell time leads to significant loss in IP)
- What we do after an attack to ensure it doesn’t happen again
This multidimensional view operates on the assumption that the attackers will eventually get in (or are already inside, as Gartner reminds us). It's a paradigm shift that is quickly becoming the new norm and must be at the heart of your plan to adapt to emerging attack vectors by proactively and rapidly detecting, and then remediating, threats on all components of the networked enterprise: servers, appliances, endpoints, and applications.
To draw a parallel to something that we all experience every day, the secured networked enterprise is comparable, in its complexity and mutability, to the human body. Unless we’re members of a SWAT team, most of us don’t put on Kevlar each morning, pop a magic pill, and venture out into the world thinking we’ll be safe. Likewise, a firewall and anti-virus/anti-malware software aren’t nearly enough to keep our networks safe, especially against targeted attacks.
Healthy bodies are well cared for on a continuous basis with preventive measures. Day in and day out, they are nourished properly, exercised to avoid weakness and stress, cleansed, and replenished by rest. Healthy people respond to pain or illness with much greater vitality than sick people. But when they get sick, they will usually respond with professional diagnosis and targeted medication.
What’s more, people continuously monitor all their faculties (skin, digestion, cognitive function, respiration, and mobility) for changes and warning signs and adjust their behavior and nutrients to get back to an optimal state. But even healthy people, like healthy networks, are not impenetrable. They never know when they will eat bad food, pick up viruses, or get hurt in an accident, but when they do, they don’t sit idly by; they do something about the malady that is impacting them.
Similarly, although up-to-date anti-virus and anti-malware defenses are important to keep out the normal day-to-day threat, companies also need to focus on technologies and practices that will quickly find intruders and mitigate the damage they can do. Just as there’s no magic pill to protect our bodies, there’s no silver bullet in cyber security. Even the latest and greatest technologies are deployed only to detect threats, not to block them.
This was the case at Target, where one contributing factor was the significant dwell time of the threat once it got inside. Detection took a long time, response was delayed, and the damage was done. Imagine you are diagnosed with a tumor and, instead of taking an MRI that day, your oncologist uses one from 12 months ago to determine the current size and nature of your tumor. Unfortunately, by the time many of the advanced threat detection technologies on the market today deduce that action is needed, the intruder more than likely will have moved deeper into the network, spreading like a cancer.
We don’t go about our day assuming we are in perfect health; instead we continuously check, remediate, and replenish. We usually know something is wrong because we notice that a cut is not healing or that a rash is getting bigger: not because a medical test indicates a problem, but because we detect it ourselves and investigate it. This is how the new standard of cyber security should look.
Towards a consensus on due care
This standard of care isn’t just a good idea, it is steadily evolving into a necessity. Even the federal government’s NIST Cybersecurity Framework urges a shift in the way we think about risk management and adapt to ever-emerging threats. (See Section 2.2 "Framework Implementation Tiers, Tier 4: Adaptive" for a vision of what we should be working toward.) While each company and industry has its own set of standards, a consensus on due care has begun to coalesce. At its essence, due care is the amount of caution a reasonable person would have exercised to prevent a foreseeable bad thing from occurring. If we assume attacks are always happening and intruders are already in, then a data breach becomes a "foreseeable bad thing."
Today, the job of security teams, boards, and executives is to determine and deploy reasonable precautions: Protect your brand, prioritize your most mission-critical assets, nurture a culture of security from the bottom up, educate key stakeholders, and plan your incident response in detail. But traditional perimeter defenses only get you part of the way there. Constant, integrated, and holistic monitoring of the organization from network core all the way to endpoints is what will bring you much closer to becoming a truly healthy and protected enterprise.