Analytics
12/27/2012
11:16 AM
50%
50%

Rethinking IT Security Architecture: Experts Question Wisdom Of Current 'Layered' Cyberdefense Strategies

As attacks become more sophisticated and breaches abound, it's time for enterprises to change their cybersecurity thinking from the ground up, experts say

Layered security. Security integration. Defense in depth. For years now, cybersecurity professionals and vendors have been preaching sermons on the merits of an enterprise security strategy that mixes a variety of tools and technologies to create a complex barrier that hackers can't penetrate. "Layered security" has become as much a part of industry parlance as authentication or encryption.

There's just one problem: It isn't working.

While enterprises and government agencies have invested unprecedented resources in cybersecurity over the past few years, the incidence of new data threats and breaches remains at record highs. The most recent Verizon Data Breach Investigations Report (PDF) indicates that breaches involving hacking and malware were both up considerably last year, with hacking involved in 81 percent of incidents and malware involved in 69 percent. According to the Cost of a Data Breach Report, malicious attacks on enterprise data rose last year, and the cost of a breach is at an all-time high ($222 per lost record). According to figures posted this month by Panda Labs, more than 6 million new malware samples were detected in the third quarter alone, and more than a third of machines across the globe are already infected.

Is it time to hit the "reset" button on cybersecurity strategy? Should organizations challenge current thinking around security architecture -- and, particularly, the effectiveness of layered defense? Many experts think so.

"Organizations are implementing incremental improvements to their information security capabilities to provide short-term solutions -- without tackling the issues associated with the overall information security threat," says research and consulting firm Ernst & Young in its Global Information Security Survey 2012, published in October. "The need to develop a robust security architecture framework has never been greater."

However, 63 percent of organizations have no such framework in place, the study says. "For years, companies have been approaching security as a technical problem, usually by buying products to solve specific problems," says Jose Granado, principal and practice leader for IT security services at Ernst & Young and one of the authors of the new report. "There hasn't been much thought put to how those technologies will work together, or to the people and process sides of the equation."

While many large organizations have systems architects or network architects who help create the framework for the evolution of hardware and communications technology across the enterprise, most of E&Y's large clients do not have security architects, Granado says.

"There is a huge [difference] between organizations that have a security architect and those that don't," he comments. "When there is an architecture that's tied to the company's business goals, then there's a realization that security problems can't be solved in a silo." A well-defined architecture helps dictate how the various single-function security technologies will work together -- and makes it easier to find the weak spots in enterprise defenses, he says.

Vinnie Liu, partner and co-founder of Stach & Liu, a consulting firm that works with large enterprises on security architecture and tests companies' defense strategies, agrees that enterprises' historical focus on point solutions has prevented many organizations from developing a broader security strategy.

"The industry has been approaching the cybersecurity problem like the TSA has been approaching the air-security problem," Liu says. "First the bad guys brought guns on board, so they put in metal detectors. Then somebody put a bomb in his shoe, and now we all have to take our shoes off. Then they found liquid explosives, so now we can't bring on any liquids. It's one problem, one solution, with no real thought to the big picture."

If enterprises do have a broader defense strategy, then it's usually focused on "layering," in which the organization buys a variety of different point products, essentially creating an obstacle course that the attacker must navigate to get to the sensitive data, Liu observes. By implementing a patchwork of firewalls, antivirus software, intrusion prevention systems, and the like, the enterprise hopes to detect a wide variety of attacks and mitigate them before they can do much damage.

"The problem is that most of these tools are still signature-based, which means you're taking a known threat and blacklisting it. So what you're doing is essentially layering one technology with another layer of the same type of technology," Liu says. "It's sort of like putting on a coat, and then putting on another coat that covers the exact same parts of your body, and then wondering why you're still cold."

Stach & Liu recommends that rather than buying more point technology, organizations should perform a risk assessment that identifies the most sensitive areas of the business, the most likely threats, and a holistic defense strategy -- an architecture of technology and processes -- designed specifically to protect the business. The risk assessment, along with the definition of the business' specific security requirements, helps identify top priorities and most likely threats, as well as key goals -- such as compliance -- in order to develop a comprehensive, practical defense strategy.

"You need to define your [security] requirements, just as you would with any architecture," Liu says. "Most companies don't take this step, so when it comes to building out the architecture, they have a hard time. They're trying to defend against everything without really knowing what problems they're trying to solve."

Next Page: The most important piece of developing a security architecture. Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
CaryBarker
50%
50%
CaryBarker,
User Rank: Apprentice
12/27/2012 | 8:33:07 PM
re: Rethinking IT Security Architecture: Experts Question Wisdom Of Current 'Layered' Cyberdefense Strategies


The article title and the article itself don't seem to
match.- The quote from Steve Pao about
M&M security no longer being valid has been well known by the Information
Assurance community for over a decade.-
The M&M quote also conflicts with the article title; is layered
security old hat or isn't it?
While the article touches on everything from Risk
Assessments to cloud security, it misses one critical component most of these
articles miss - the human element.- All
of the security in the world isn't going to matter if people can be tricked
into giving out their password or executing the code at the other end of the
HTTP link.

<<   <   Page 2 / 2
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: just wondering...Thanx
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.