Today’s attackers are, well, persistent. They are constantly improving their tools and tactics, adopting new evasion techniques, and finding new ways to exploit weaknesses in your network infrastructure. For security teams to protect their organizations effectively, their network security ecosystems need to evolve too.
But with tight budgets and competing priorities, organizations are forced to choose: keep investing in security people, processes and technology, or accept the risk that comes with cutting corners. Underinvesting may save money in the short term, but organizations have to weigh how much risk is acceptable against the damage done when someone slips through the cracks.
To fight an advanced threat, you need an advanced security arsenal. Here are three things to keep in mind when developing your network security that will help ensure you aren’t taking on more risk than your organization can bear:
You Need an In-depth Defense
With budgets tight, it’s too easy to focus on the low-hanging fruit and close only the small gaps in a security ecosystem. But an effective defense requires awareness of the entire threat life cycle as it applies to your particular organization. Checking off a box in a compliance audit or RFP doesn’t work against adversaries who probably understand traditional defenses at least as thoroughly as you do. Rather than focusing on specific kinds of threats, make sure you’re protected against whatever is thrown at you, whether it’s malware, botnets, targeted phishing, or the next hot threat trend. APTs are called persistent for a reason: they will keep trying to find a way in, and they don’t give up easily. Make sure you don’t leave any doors open for them, and build the ability to adapt to new approaches into your strategy.
And what about prevention? Ever since security companies started putting the “P” in IPS, enterprises have remained skittish about enabling prevention on their security devices. I’ve seen some industry observers backing away from the need to actively prevent unwanted network traffic, and I think that’s a mistake given the increasing accuracy of certain kinds of detection systems, not to mention the consequences of failing to stop an attack in its early stages. How much time and money can you save on containment and remediation if you stop the infiltration in the first place? No one can promise 100% prevention in today’s climate, but I still maintain some is better than none. Take it from Wendy Nather, research director at the 451 Group: “Enterprises and government agencies can’t afford to take a reactive approach to network defense. In order to effectively combat threats, they have to be able to see more and stop more of the malicious traffic.”
An effective defense is a defense in depth: it covers the entire threat life cycle, including prevention.
You Need a Playbook for Plan B
That being said, it’s not enough to simply establish a state of readiness. You also need a plan for the worst-case scenario. If (or when) you are breached, you need to move quickly and effectively, which means having an incident response plan you can activate immediately to contain and remediate the problem. This requires advance preparation, so that the right steps and the right partners are already in place to limit the damage and to collect timely, accurate forensic evidence about your attackers and their goals. Without an adequate incident response plan, your response to an incident can do your organization more harm than good.
For example, in one of the largest US credit card breaches to date, it took three months just to contain the attack after it was identified, and six months of remediation to rebuild the network and return to normal operations. During the first six weeks of containment (while the incident response plan was still faulty and responders were flailing), the attackers were downloading tens of thousands of documents containing live credit card data, several times per week. The company lost more than half a million dollars during those first six weeks of “containment” alone.
To go beyond a “good enough” security strategy and mount a truly advanced (and persistent!) network defense, you’ll need a thorough, well-thought-out playbook.
You Need Top Performing Partners
Then you need solid partners. When making technology decisions, look beyond the price tag and evaluate vendors on how well they can actually help you manage risk.
When assessing the “must haves” for your technology solutions, look to third-party organizations for unbiased evaluations. For instance, NSS Labs, a leading information research and advisory company, recently conducted a Breach Detection System Product Analysis across leading industry vendors focused on network-based breach detection and prevention. They identified and tested important benchmark criteria such as false positive rate, overall breach detection rate for exploits and evasions, and stability and reliability. These effectiveness benchmarks should serve as a checklist for what you need from your technology solutions.
What about false positives? As Robert Lemos notes in a recent Dark Reading piece, 3 Steps To Keep Down Security's False-Positive Workload, a solution’s false-positive rate has a major effect on a network’s security posture: false positives are a distraction that takes precious time and resources away from critical tasks. However, as the NSS Labs breach detection test demonstrated, it is possible for a solution to achieve a 0% false positive rate on the test corpus. Make sure you’re striving for that level of accuracy, and validate it against your own traffic before relying on it, or you’ll end up inundated with unsubstantiated alerts.
As security threats continue to evolve and the stakes continue to rise, our ability to combat them, and our security posture with it, needs to keep pace with or even surpass those threats. This requires vigilance, perseverance, innovation, and never accepting “good enough” security.
To learn more about the criteria used by NSS Labs in their recent study, check out their report on General Dynamics Fidelis Cybersecurity Solutions, AhnLab and FireEye. And while you’re at it, ask FireEye about their results.