Daisie Register, December 3, 2013, 5 min read

Effective Security Strategy Requires a Lifecycle Approach

A traditional IT security model typically relies on a defense-in-depth strategy. Organizations believe that if they put in enough layers of security boxes, they can deter or catch the bad guys and keep them out. Yet, in today's security landscape, no one can be 100 percent protected. The bad guys are smarter and far more sophisticated than attackers of the past, and with the help of automation tools they scale their efforts, so we have to assume bad things will happen to our network environment. So where does that leave an organization's security strategy today? Jon Kim, Director of Iron Bow's Cyber Security Practice, sat down with us to give insight into a new Security Lifecycle Model developed for customers. Here is what he had to say:

Q: What has been the traditional strategy for security in most agencies and corporations?

Jon Kim: Traditional best practices have been focused on multi-layered security. In the Department of Defense, this is often thought of as a “defense-in-depth” approach. The best way to think of it is as an onion. It has many layers that you must peel back before you get to the center. In a defense-in-depth approach, the argument is that if one layer of security fails (i.e. perimeter firewall) there is another defensive layer or barrier, such as an IDS/IPS that will detect and protect. While this method has been effective in the past, what we’ve seen is that intruders have stepped up their game. Due to the enormous scale of our business systems today, there is more data to collect and much more at stake. From stealing corporate IPs and espionage, to national defense secrets that aid in cyber-war, to data breaches that scar brand image, attackers are not playing games. Yes, we’ve gotten better over time but attackers have become more tenacious than ever and are targeting everything that’s connected, from cloud to mobile. The methodologies they are now employing have evolved and gotten more advanced in nature. In return, our security strategy also has to evolve.

Q: What should organizations consider when evolving their security strategy?

Jon Kim: Survivability. What does this mean? Look at the attacks that have happened to defense and civilian agencies this past year. Similarly, financial institutions and some of the largest brands have been in the headlines reporting breaches and attacks. Cyber-war and cyber espionage are not speculations, they exist. Today, we need to build our security strategy around survivability, the continuity of our business operation and function.

We must give up the notion that we'll outpace the attacker and succeed in managing our organization with zero security vulnerability and risk. That puts us at a disadvantage, and we are then surprised when a breach occurs. If we concede that attackers will find a weakness and penetrate our systems, and malware will find its way inside and a breach will occur, then we can put in place strategies to quickly detect, respond, isolate and mitigate the threat. This is a more realistic view of security.

Q: Discuss the Security Lifecycle Model.

Jon Kim: When I joined Iron Bow Technologies, I wanted to develop an approach to help our customers better understand the security lifecycle and use it to bridge the gap between technology and security policy in their environment. There are multiple ways of addressing risk, but thinking longer term about the approach and developing a strategy that is cyclical ensures that security isn’t just a check mark in a box. Assessing and managing risk and then creating security controls and policies around those findings is an ongoing process. As attackers elevate and modify their strategies, we must do the same. We can’t sit back on our laurels.

The first step in a security lifecycle strategy is to focus on where we can get the biggest “bang for our buck.” We can’t begin by focusing on tackling everything. So prioritizing the top critical areas that are going to positively impact the vast majority of the user base is a great place to start.

Once you've looked at the risk and made assessments about the threats, the next step is to plan your network defenses to protect your perimeter. One simple but important rule for protecting your perimeter is to clearly understand and define your organizational boundaries, which are based on what you own and can control.

Discovery is a critical aspect of a lifecycle approach. It requires continuous monitoring of your network environment, which is an essential part of many regulatory compliance requirements and also a key element of the NIST Preliminary Cyber Security Framework. Why is this so important? You simply can't fix something if you don't know what you have or where it is. You must always maintain visibility of your assets (i.e. security health) and what is on your network environment so that when a change occurs, you can detect it and, if needed, respond effectively with appropriate steps for quarantine and/or remediation.

The next step to the lifecycle strategy is policy enforcement. Setting up a security policy is not the hardest part for most organizations. The real struggle is transitioning to enforcement. A recent MeriTalk survey of 200 federal security professionals and end users in agencies revealed that 31 percent of end users admitted to regularly circumventing what they see as unreasonable security restrictions. Not surprisingly, the security professionals estimated 49 percent of agency breaches are caused primarily by a lack of user compliance. Why were the users able to circumvent the policies? Most likely, there wasn’t enough manpower to monitor and enforce. This is where policy automation comes in. We need to automate the process with the real-time intelligence needed to alert, log or report, and enforce, in the case of any sort of policy violations, or even user mistakes.

Attackers today are not simply utilizing manual techniques to target our systems. They are consistently developing and utilizing automation tools to increase the probability of successful attacks. In turn, we must work smarter, not harder, and leverage innovation and automation technologies to close the distance and help level the playing field in our favor.

The next step is protection. Once we have gained visibility into our network environment, to effectively enact policy controls and mitigate our vulnerabilities, we must deploy security enhancement technologies and solutions to ensure the same security incidents won’t occur again. For example, an organization would employ a malware detection tool to continuously protect and combat against new advanced malware, zero-day and targeted APT threats. With this, all the malware detection events could be quickly centralized. The intelligence would then be reported and would provide administrators with a risk-based view of the organization.

And when each of these steps is complete, the job still isn't over. Stay vigilant, make the necessary calibration and repeat. The whole point of our simplified Security Lifecycle Model is to enable an organization to take action. Attackers are not going to stop. So, in turn, we must consider our strategy an ongoing one that will continually adapt and evolve over time.
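The discovery and policy-enforcement steps described in the interview (keep an inventory, detect when something on the network changes, and automatically log or alert on policy violations rather than relying on manual review) can be made concrete with a small drift-and-policy check. The following is an added example written for this page; it is not Iron Bow's code or part of the Security Lifecycle Model itself. The two inventory snapshots are constructed, and the asset schema, the per-owner port allow-list and the minimum agent version are assumptions chosen for illustration.

```python
"""Asset-inventory drift detection plus automated policy checks.

Added example, not Iron Bow's code. The snapshots below are constructed
stand-ins for what a discovery or continuous-monitoring tool would export;
the policy rules (ALLOWED_PORTS, MIN_AGENT) are assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Asset:
    host: str
    owner: str                     # team accountable for the asset
    open_ports: frozenset          # listening TCP ports seen by the scan
    agent_version: Optional[str]   # None means the endpoint agent is missing


# Constructed baseline (the last approved inventory) and a later scan result.
BASELINE = {
    "web-01": Asset("web-01", "platform", frozenset({443}), "4.2.0"),
    "db-01": Asset("db-01", "data", frozenset({5432}), "4.2.0"),
    "ops-laptop-7": Asset("ops-laptop-7", "ops", frozenset(), "4.1.9"),
}
CURRENT = {
    "web-01": Asset("web-01", "platform", frozenset({443, 22}), "4.2.0"),
    "db-01": Asset("db-01", "data", frozenset({5432}), None),
    "dev-box-3": Asset("dev-box-3", "unknown", frozenset({8080}), None),
}

# Assumed policy: which ports each owning team may expose, the minimum
# endpoint-agent version, and the rule that every asset needs a known owner.
ALLOWED_PORTS = {"platform": {443}, "data": {5432}, "ops": set()}
MIN_AGENT = (4, 2, 0)


def parse_version(version):
    """Turn '4.1.9' into (4, 1, 9) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def diff_inventory(baseline, current):
    """Discovery step: report what appeared, disappeared or changed."""
    added = sorted(set(current) - set(baseline))
    missing = sorted(set(baseline) - set(current))
    changed = sorted(
        host for host in set(baseline) & set(current)
        if baseline[host] != current[host]
    )
    return {"added": added, "missing": missing, "changed": changed}


def check_policy(asset):
    """Policy-enforcement step: one finding tuple per violated rule."""
    findings = []
    if asset.owner not in ALLOWED_PORTS:
        findings.append((asset.host, "unknown-owner", asset.owner))
    extra = asset.open_ports - ALLOWED_PORTS.get(asset.owner, set())
    if extra:
        findings.append((asset.host, "unapproved-port", sorted(extra)))
    if asset.agent_version is None:
        findings.append((asset.host, "agent-missing", None))
    elif parse_version(asset.agent_version) < MIN_AGENT:
        findings.append((asset.host, "agent-outdated", asset.agent_version))
    return findings


def evaluate(baseline, current):
    """Run both steps: inventory drift, then policy findings for every live asset."""
    drift = diff_inventory(baseline, current)
    findings = [f for host in sorted(current) for f in check_policy(current[host])]
    return drift, findings


if __name__ == "__main__":
    drift, findings = evaluate(BASELINE, CURRENT)
    for key, hosts in drift.items():
        print(f"{key:8s} {hosts}")
    for host, rule, detail in findings:
        # In a real deployment this line would feed a SIEM or ticketing queue.
        print(f"ALERT {host}: {rule} {detail if detail is not None else ''}")
```

Each finding is a structured tuple rather than free text so it can be routed automatically (alerted, logged or fed to a quarantine workflow) without a person reading every scan, which is the manpower gap the interview attributes to unenforced policies. Hosts that vanish from the inventory are reported as drift but are not policy-checked, since there is nothing live to enforce against.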
