For the good guys to get a leg up on increasingly brazen cyber criminals, we must share breach intelligence. The bad guys do it and we are at a significant disadvantage because we don’t. Or at least we don’t at the level we should. I’ve said this many times before but the road to cyber security legislation has been long and difficult. But we can’t afford to remain focused on rhetoric. While sharing breach data may feel counter-intuitive, we need to change our perspective.
In the State of the Union address last month, President Obama said, “We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air-traffic control systems. We cannot look back years from now and wonder why we did nothing.” Unfortunately, compliance with the information sharing called for in the accompanying Executive Order is voluntary, but I at least agree with the premise. And of course, this approach must also extend to security vendors.
As outlined in a recent Dark Reading article, the security industry currently shares only limited detail on data breaches. To blunt supply-chain attacks that reach through vendors to their customers, we need more of this good-faith information sharing.
Another mind shift security needs is to stop believing there is one silver bullet for fending off the bad guys. Just because your AV is switched on, you’re not immune to attack. It takes smart consideration across layered technology, strong process and educated people. Let’s start with technology.
Unless you were born yesterday, the defense-in-depth approach to security is not a new idea to you. The concept, of course, is redundancy: if one layer of security fails for whatever reason, there is another security measure waiting behind the next door, so to speak. While the approach is not new, the shift in where risk now resides has changed the game.
Infosec defense-in-depth historically referred to gateway defenses like firewalls and the like. If the attacker was able to bypass the firewall, there were other layers of security on the inside, often including technology from a different manufacturer. As risk has moved to the endpoint (laptops, tablets, smartphones, etc.), thanks to multiple cloud environments, wi-fi and even end-users who have an affinity for unknowingly sharing too much about themselves, defense-in-depth security has taken on new meaning. And new criticality.
Along those lines, if you want another reason why defense-in-depth security is more important today than ever, read the news headlines. Advanced persistent threats, or APTs, are much more prevalent, and increasingly concerning.
What kills me is when people position a solution that “blocks APTs.” Come on folks, let’s be realistic; that simply isn’t possible, as my colleagues have blogged about here on Optimal Security. It isn’t possible given what an APT really is. Let’s do a quick review.
Advanced. Attackers using APTs are just that…advanced. The bad guys are often well resourced, savvy and, as the next section indicates, patient.
Persistent. There are usually many different types of attacks built into a single APT. Attackers go to work on you and your users because, for any of a multitude of reasons, they chose you. They often start by targeting your lowest-hanging fruit – your users – with clever spear-phishing emails that include personal information painstakingly gleaned from LinkedIn or Facebook. They are counting on your users’ willingness to click, which results in the download of malware. They may also look for known vulnerabilities in your OS or any third-party apps you use. Zero-days are expensive to develop; attackers won’t use them if they don’t have to.
Threat. Don’t make the mistake of thinking you are too inconsequential to be bothered with. Attackers’ motivations vary widely (some are after cash, others your intellectual property, and others, in what’s now referred to as supply-chain threats, access to your customers), but they will find a reason to hit you.
The above is obviously not an all-inclusive description of APTs, but it does outline the impossibility of any one technology “blocking” them. Where one solution may stop one type of attack, another will be needed for what follows. Even our colleagues at Bit9, who recently suffered a tough break via an APT reportedly aimed at some of their customers, told KrebsOnSecurity that “we all have to remain diligent and deploy defense-in-depth.”
My intent isn’t to hype up fear where it isn’t warranted. But there is no denying recent breaches are scary. Continued reliance on doing what you’ve always done is comparable to playing with fire. Every CIO out there should be following the news and enhancing their security posture with a defense-in-depth approach. That, coupled with increased information sharing, may not solve all your problems but it will make it exponentially more difficult for the attackers to gain a foothold.
As I mentioned above, the two other critical components of protecting your information are, of course, strong policy enforcement and user education. Those are topics for my next post.