Hackers’ increasing sophistication means perimeter security is failing. Organisations must switch tactics and turn to tools which can stop intruders once they’re inside the network, argues Tufin’s Reuven Harrison.
In the past, most companies felt the best way to minimise the risk of a data breach was to invest in better perimeter security defences such as antivirus software. They considered this “good enough” security and didn’t worry too much about what went on inside the firewall. But as the value of information stored our networks has become more valuable to hackers, the nature of attacks has become more targeted and sophisticated. Hackers will employ a variety of wily technical and social engineering tricks to find a way in, and often won’t stop until they succeed. Many IT security professionals realise that perimeter defences alone no longer afford their organisations adequate protection.
Some notable examples include Ke3chang, which infiltrated high-profile government and private-sector networks between 2010 and 2013; Icefog, which since 2011 has hit a range of sectors from the military to the media; and the attack on US retailer Target which infected point-of-sale systems in late 2013 and stole millions of customers’ card details over the subsequent year.
While the specific methods employed in these attacks (and others) were different, they nonetheless follow a similar pattern. First, hackers target a weak point at the edge of the network, generally by spear-phishing – a social engineering technique that sends a targeted message to specific people, often after researching them online and disguising it to look like it’s from a trusted party. This then either tricks them into revealing access credentials or entices them to open a link or attachment which installs one or more exploits. These could be known vulnerabilities that take advantage of an unpatched system, or – trickier still – ‘zero-day’ exploits (those which anti-malware software can’t yet detect).
Once inside, hackers use whatever techniques they can to gather further information about the network, elevate their access rights and continue to move laterally to other parts of the network. When they manage to break into a system that handles sensitive or valuable data the attackers put in place a way to extract, conceal and save that data somewhere on the network. Finally, they surreptitiously upload it to their own systems.
So the threat model essentially has five stages: infiltration, attack, lateral movement, data gathering and data exfiltration. The increasing use of social engineering and zero-day exploits to bypass perimeter defences at the first two stages means firms must take a fresh approach to security. The new mantra needs to be: assume attackers can infiltrate your network and focus instead on minimising the damage if they do.
That means working to minimise the opportunity for hackers to make further incursions into your network once they’re inside. It’s essential to segment different zones of your network effectively and minimise the ‘attack surface’ available to attackers (for example, by ensuring any disused open doors between different parts of the network are firmly shut).
In today’s highly complex, heterogeneous networks – with multiple firewalls, devices and applications that must all be configured correctly to minimise the risk of attack – it is impossible to do this properly without using tools for security automation. To be effective, these should allow you to define and apply a consistent security policy across the entirety of your network, spanning physical, virtual and cloud infrastructure from multiple vendors. They should also offer unparalleled visibility and control over the network, giving you an up-to-date view of security across your entire estate and allowing you to monitor any changes and manage your security policy through a single ‘pane of glass’.
By implementing tools that can orchestrate your security policy in this way, you can dramatically improve your defences against today’s targeted threats by containing any intruders at the point of attack and preventing lateral movement – effectively stopping them in their tracks before they can burrow deeper into your systems. Not only that, but since orchestration and automation greatly speeds up the time it takes to implement security changes, you will no longer have to make the traditional trade-off between security and agility. With this approach you get both.
[su_box title=”Reuven Harrison, CTO of Tufin” style=”noise” box_color=”#336588″]
In his role as CTO and co-Founder of Tufin, Reuven is responsible for the company’s future vision, product innovation and market strategy. Under Reuven’s leadership, Tufin’s products have received numerous awards and wide industry recognition.Reuven brings more than 20 years of software development experience, holding two key senior developer positions at Check Point Software, as well other key positions at Capsule Technologies and ECS.[/su_box]
Reuven Harrison, CTO at Tufin
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.