Part I – Visibility
As the 2016 presidential election made abundantly clear, hacking has entered new territory. This land grab should not surprise anyone responsible for cyber security, but if it does, they need to realize that cyber security today is about a lot more than protecting a few credit card numbers. Thankfully, the seriousness of countering these bad actors is finally getting the Board Room notice it deserves. Now that a beachhead in the battle for basic awareness has been established, the focus can shift to mounting an effective counter-offensive. We use that term deliberately. Until the past few years, most cyber security measures were defensive in nature: firewalls, IDS/IPS, anti-virus, monitoring, alerting, and so on. According to analyst Zeus Kerravala, writing in Network World, the average company deploys security products from 32 different vendors.
Given the never-ending parade of pilfered documents and data, the build-the-walls-higher approach has obviously not worked well. What is needed is a strategy that embraces and brings together the three fundamental pillars of cyber security: network visibility, identity management, and an acceptance of risk. In the first part of this three-part series we explore each of these pillars, starting with visibility.
Visibility as a Strategy
While the term visibility may conjure up visions of network monitoring and deep packet inspection, monitoring the corporate network is nothing new; IT has been doing it for years. But given the many different attack vectors in use today, often simultaneously, to defeat perimeter defenses and infiltrate the network core, this approach alone is too myopic and too event-focused to provide the kind of visibility we are talking about here. You need to think about visibility strategically, not as a set of tools or dashboards. How an attack occurred (buffer overflow, cross-site scripting, SQL injection) is less important than understanding how it affects the risk posture of the organization as a whole and, from that awareness, where the greatest risk lies: regulatory, transactional, operational, existential, reputational, and so on.
Of course, you need to know how the network was hacked in order to stop and analyze the attack; that goes without saying. But you also need to know which identities were compromised, which systems were compromised, what data was exfiltrated (if any), how long the attack has been going on, and the criticality of each. Without this information you will not be able to answer the business questions you will no doubt get in short order from the Board of Directors and the CEO. If you cannot find the common thread, you will never understand the entirety of the threat you are facing.
Top Down vs. Bottom Up
Visibility as a strategy is top-down, not bottom-up. While it incorporates all the tools, techniques, and data you currently employ, its starting point is not securing a port or scanning event logs for abnormal traffic. It is an approach that replaces the patchwork of separate tools, alerts, and dashboards that dominates the cyber security landscape today with something far more useful. The expression "the whole is greater than the sum of its parts" applies well here.
As the edge of the corporate network continues to get more porous, as encrypted traffic comes to dominate, and as cloud becomes more pervasive, the attack surface of every company is going to expand dramatically. Cyber security is getting harder, not easier. But by focusing on the entirety of the problem from the start, its complexity can be greatly reduced and made manageable. Against this fundamentally changed threat landscape, you need to spend less time building higher walls and instead focus on ensuring that attacks do not result in business damage or loss.