Would you do security differently if you knew that attackers have already compromised your network?
In the late 1990s, it made sense to emphasize perimeter security such as firewalls and network intrusion detection solutions. As the corporate network perimeter has dissolved over the past few years, however, other technologies such as data loss prevention, user behavior analytics, and encryption have become important.
I tend to reduce the security space to three main categories:
• Trying to keep attackers off your network
• Trying to detect attackers that are on your network
• Trying to keep attackers from stealing data
The challenge for any Chief Information Security Officer is to allocate the proper budget and resources across these three categories. Trying to keep attackers off the network is necessary, but it is effective mainly against unsophisticated, opportunistic attackers. Next-generation firewalls are flying off the shelves, but many security professionals I talk to are buying them for the cost savings of consolidating hardware; they are not expecting any fundamental improvement in their ability to stop sophisticated, targeted attacks.
Trying to detect attackers that are on your network is a promising and relatively new approach. There are several user behavior and security analytics solutions available and some enterprises have been able to successfully integrate their Security Event Management solutions with other technologies to build effective event correlation platforms. There is still a lot of work to be done, however, as the time to detect a compromise is measured in months, not minutes.
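As an added illustration (not code from the original post, nor from any particular SIEM product), here is a small Python sketch of the kind of cross-source correlation this paragraph describes: events from three sources that are individually unremarkable (a VPN login, domain logons, a web proxy upload) are linked by user within a time window, and each alert carries its dwell time, the gap between the first observed attacker activity and the moment the rule fired. The sources, users, hosts, timestamps and thresholds are all constructed for the example; a real deployment would tune them to its own environment.

```python
"""Toy cross-source event correlation with dwell-time accounting.

Added example: the event sources, users, hosts, timestamps and thresholds
below are constructed for illustration, not taken from any real system.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str      # "vpn" (remote access), "ad" (domain logon), "proxy" (web egress)
    user: str
    host: str
    bytes_out: int = 0


@dataclass
class Alert:
    user: str
    kind: str
    first_seen: datetime   # earliest attacker activity in the chain (the VPN login here)
    detected_at: datetime  # timestamp of the event that made the rule fire
    evidence: tuple

    @property
    def dwell(self) -> timedelta:
        """Time the attacker was on the network before this alert fired."""
        return self.detected_at - self.first_seen


# Constructed sample data: "jdoe" logs in over VPN at 02:14, fans out to four
# servers within minutes, then uploads 850 MB four days later. "asmith" is a
# normal user touching one file server and a small upload.
SAMPLE_ROWS = [
    ("2015-03-01T02:14:00", "vpn",   "jdoe",   "wks-114",   0),
    ("2015-03-01T02:20:00", "ad",    "jdoe",   "wks-114",   0),
    ("2015-03-01T02:25:00", "ad",    "jdoe",   "srv-fs01",  0),
    ("2015-03-01T02:26:00", "ad",    "jdoe",   "srv-db02",  0),
    ("2015-03-01T02:27:00", "ad",    "jdoe",   "srv-hr03",  0),
    ("2015-03-01T02:28:00", "ad",    "jdoe",   "srv-fin04", 0),
    ("2015-03-05T23:10:00", "proxy", "jdoe",   "wks-114",   850_000_000),
    ("2015-03-01T09:00:00", "vpn",   "asmith", "wks-220",   0),
    ("2015-03-01T09:05:00", "ad",    "asmith", "wks-220",   0),
    ("2015-03-01T09:06:00", "ad",    "asmith", "srv-fs01",  0),
    ("2015-03-01T17:30:00", "proxy", "asmith", "wks-220",   40_000_000),
]


def load(rows):
    """Parse raw rows into Events, sorted by time so rules can scan in order."""
    events = (Event(datetime.fromisoformat(ts), src, user, host, b)
              for ts, src, user, host, b in rows)
    return sorted(events, key=lambda e: e.ts)


def correlate(events, window=timedelta(hours=1), fanout=3, egress_bytes=500_000_000):
    """Link events by user and apply two chained rules.

    Rule 1 (lateral movement): a VPN login followed within `window` by domain
    logons to at least `fanout` distinct hosts other than the VPN endpoint.
    Rule 2 (possible exfiltration): a large proxy upload by a user who already
    has a lateral-movement alert, any time after that alert fired.
    """
    by_user = defaultdict(list)
    for e in events:              # events are time-sorted, so each list stays sorted
        by_user[e.user].append(e)

    alerts = []
    for user, evs in by_user.items():
        lateral = None
        for vpn in (e for e in evs if e.source == "vpn"):
            seen_hosts = []
            for e in evs:
                if (e.source == "ad" and e.host != vpn.host
                        and vpn.ts <= e.ts <= vpn.ts + window
                        and e.host not in seen_hosts):
                    seen_hosts.append(e.host)
                    if len(seen_hosts) == fanout:
                        lateral = Alert(user, "lateral_movement", vpn.ts, e.ts, tuple(seen_hosts))
                        alerts.append(lateral)
                        break
            if lateral:
                break

        if lateral:
            for e in evs:
                if e.source == "proxy" and e.bytes_out >= egress_bytes and e.ts >= lateral.detected_at:
                    alerts.append(Alert(user, "possible_exfiltration", lateral.first_seen,
                                        e.ts, (e.host, e.bytes_out)))
                    break
    return alerts


if __name__ == "__main__":
    for a in correlate(load(SAMPLE_ROWS)):
        print(f"{a.user:8} {a.kind:22} dwell={a.dwell} evidence={a.evidence}")
```

In the sample data the lateral-movement alert fires 13 minutes after the VPN login, but the upload is only flagged four days later, which is the gap between "attacker on the network" and "attacker leaving with data" that this approach is meant to close. Note that dwell time here is measured from the first event the sensors saw, not from the actual initial compromise, which almost always predates the first log entry; the real figure is therefore a lower bound.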
Which brings us to the third initiative – securing data. This is arguably the hardest thing to do as applications, workflows, and other processes don’t always lend themselves to the insertion of automated technical controls. Having said that, information is ultimately what most attackers are trying to steal so organizations should locate the information most likely to be a target for sophisticated attackers and put in the effort required to reduce the risk of that information “sprouting legs.”
Effective security architectures require a combination of these three initiatives. I believe that the best way to decide the proper mix of the three is to assume that attackers are already on your network, you won’t find them until it’s too late, and they are trying to steal data while you’re reading this blog. Starting with that mindset is much more effective than beginning with how to keep attackers at bay. This shift in thinking is also effective for helping executive management better understand the need for increased investments in security.