Monday, 9 June 2014

The importance of introspective security

Hundreds of years ago, security amounted to the biggest wall that could be built.  This was seen with castle walls, but as these were penetrated, additional security measures were added, such as moats and draw bridges.  As these were compromised, towers with lookouts were built, then then armed guards, then the defensive measures became offensive measures with heavy weaponry used as part of the defence mechanism.  These measures were in place to protect a central keep, where typically the crown jewels were kept.

(Warwick Castle - Photo by A.Tang) 

Fast forward many hundreds of years, and IT security took the same attitude.  Firewalls were deployed to protect the organisation, but as these measures failed or were penetrated, additional layers of security were added, in the form of anti-virus and anti-spam, when the threat was delivered within internet traffic, web content filtering was employed, then application white-listing/filtering.  When more intelligent and proactive approach was required, Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) were used.  Despite all of these functionalities, there are still reports about breaches where the company loses its Crown jewels, their data.

How can all this security be breached? Much like the castle, the defences look outwards not inwards. Once inside, there is rarely the same level of security in place monitoring the outbound. With Edward Snowden, he must have undergone security checks prior to beginning his contract the NSA. Although once inside it is believed that very basic and "noisy" exfiltration techniques were used to remove data. Even the NSA shows that the security is predominantly external facing, but once inside there are much lower levels of security.

The breaches from an external source typically (although there are surveys to suggest, all breaches) used privileged credentials to access the data. Not only are the threats going through the perimeter security using trusted user credentials, once in they have access to the network as the credentials will have privileged rights, the data can leave as most security solutions look at inbound, not outbound traffic.

Organisations need to look at what data is important to them, who can use it and how they are going to use it.  The security should be applied intelligently to control the elements of concern, rather than tar all data in the same fashion.  The protection needs to be centrally managed, but decentralised in its approach to protection.  Data can reside on servers, corporate computers, removable drives, in email systems, private cloud solutions, public cloud solutions, mobile devices, tablets and these environments will be both trusted and untrusted.

The safeguards need to go beyond the firewall and our mind sets need to move on from a firewall rule mentality.  We need to give much greater consideration to our data and the rights we issue to users. The protection should not only work from outside-in, but also from inside-out.

Technologies are starting to use behavioural analysis, as this will analyse computers, users, data, time, access and many other factors to then decide if your network is under threat or not. This requires an even greater mindset change as we no longer look at rules to prevent hoping all bases are covered, but to analyse a number of actions before deciding on the appropriate course of action. 

I've heard many times, it's a case of when, not if your network gets breached. If this is true and the layers are going to fail, then the requirements are to slow down the intruder and prevent the exfiltration of your data, while understanding what has occurred.

Don't think of security in terms of a castle's protection, think of it as complex maze.

No comments:

Post a comment