You hear this quip ever louder at gatherings of security professionals: there are two kinds of organizations, those that have been breached and liars.
Ask yourself: Which are you?
A storm is gathering that is raining pessimism on traditional security, which for the most part puts its biggest budgets and energies into securing the perimeter against intruders with, among other things, robust firewalls and complicated passwords.
The intent was to keep the bad guys out and thus keep the crown jewels safe.
The problem is that this strategy is no longer working.
More and more the opinion of security professionals is that if professional hacker organizations – funded by, among others, China, Israel, possibly a few affluent criminal groups – want into a network, they will find a way.
It will take time, possibly months, but they are patient – thus the name Advanced Persistent Threats (APT) – and, eventually, they will get in.
“The perimeter is dead,” said David Knight, an executive with security firm Proofpoint. He made his claim vivid by pointing to extensive Proofpoint research into the ever more sophisticated “spear phishing” campaigns that seek to harvest login details from targeted victims.
According to Proofpoint’s data, about one in every 10 spear phishing emails is clicked on, and in many cases malware and more winds up on a target’s computer.
And that means a bad guy can jump over all the perimeter defenses because he has a valid login.
Even worse, said Mike Lloyd, chief technology officer at security firm Redseal Networks, “The attackers are using automation. They can attack on a grand scale. If we just use bows and arrows we will lose.”
Hackers today are unleashing blitzkrieg attacks that bombard targets with many, many intrusion attempts. The thinking is that some will get through. And, usually, that proves true.
“We need to respond strategically,” said Lloyd.
That is next-generation security and it’s explained below.
A first reality however is that no one is seriously proposing ending perimeter security.
“Perimeter security is like your front door -- if you leave it open flies, gnats and other pests will get in your house. Shutting the door keeps these pesky bugs out the same way a firewall can keep out the attackers that don’t have higher level technical skills or automated tools. Perimeter security is not going away, it will continue to be the first line of defense,” explained Lamar Bailey, director of security research and development for nCircle.
The vast majority of attacks aimed at financial institutions are clumsy efforts and those are the ones that will be deflected by simple firewalls.
Added the director of information security at one of the nation’s largest credit unions: “Some folks will bark on this one but I would use a firewall that leverages geo-location to reduce the locales capable of connecting externally.” He requested anonymity because he was not authorized to comment on the record for his credit union.
His point: he believes his institution’s security is significantly augmented by blocking access from entire geographies. That is a hotly debated topic and, yes, skilled hackers can hide their true location. But his point is that if an institution is getting no legitimate traffic from, say, Iran, just shut that nation off entirely.
But beyond the firewall, then what? Matt Lane, a vice president at security firm 41st Parameter, wrote his recipe in an email: “While there is no panacea when it comes to account security, a layered defense is the best way for a financial institution to ensure they are as protected as possible.
“Layering a strong authentication system at the front door, an account surveillance and anomaly detection system to monitor activity inside the account that may precede a monetary event, and a transaction monitoring system scrutinizing suspicious money movement will ensure a financial institution has eyes in all of the right places regardless of how a fraudster chooses to perpetrate a particular attack.”
A key ingredient in new-style protection, agrees just about every security expert, is this “anomaly detection,” that is, knowing when a user – even one with what appear to be valid credentials – is behaving oddly.
Said Jim Bearce, an executive with security firm Vigilant Technology, “How do you identify anomalies? To do that you have to know what’s normal.”
He ominously added: “It’s not an IT problem. It’s a business problem. You can’t look to IT to solve this problem.”
Question: if your CEO logs on at 3 a.m. on a Saturday night and begins downloading hundreds of account records, is that an anomaly?
Should the CEO’s access be locked down immediately? And if in fact it is the real CEO, let him call in and explain why he needs this anomalous – that is, extraordinary – access.
But you see: that thinking is not inherently IT in nature. It is more rooted in business process and, to work, this defense has to start with rapid detection of something unusual happening.
Frankly, it is of little use to detect an intrusion the next day while checking logs. Detection has to occur in real time, as does decision-making on how to minimize any losses.
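The CEO-at-3-a.m. scenario above comes down to two questions: what is normal for this account, and how far does the current session stray from it? The following Python is an added example written for this article, not code from any of the vendors quoted. It builds a per-user baseline (the weekday/weekend hours the user usually logs in, and the typical number of records pulled per session) from a constructed history, then scores each new session as it arrives so the decision can be made at login time rather than in next-day log review. The user names, timestamps, record counts and thresholds are all invented for illustration.

```python
"""Baseline-and-deviation scoring for login sessions (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed history of past sessions: (user, login time, records downloaded).
# These rows are invented for the example and are not data from the article.
HISTORY = [
    ("ceo", "2013-03-04 09:12:00", 12),      # Monday morning
    ("ceo", "2013-03-05 08:55:00", 20),
    ("ceo", "2013-03-06 10:30:00", 15),
    ("ceo", "2013-03-07 09:05:00", 18),
    ("ceo", "2013-03-08 17:40:00", 9),       # Friday, end of day
    ("ceo", "2013-03-11 09:20:00", 14),
    ("teller1", "2013-03-04 08:00:00", 60),
    ("teller1", "2013-03-05 08:05:00", 75),
    ("teller1", "2013-03-06 08:10:00", 55),
    ("teller1", "2013-03-09 09:00:00", 40),  # Saturday shift is normal for this user
]


def parse(ts):
    """Parse the constructed timestamp format used in HISTORY."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def build_baseline(history):
    """Per user: the (is_weekend, hour) slots seen so far and the sizes of past sessions."""
    baseline = defaultdict(lambda: {"slots": set(), "sizes": []})
    for user, ts, size in history:
        when = parse(ts)
        baseline[user]["slots"].add((when.weekday() >= 5, when.hour))
        baseline[user]["sizes"].append(size)
    return dict(baseline)


def score_session(baseline, user, ts, size, hour_slack=1, z=3.0):
    """Return the reasons this session deviates from the user's baseline (empty = normal).

    hour_slack widens the "usual hours" check by +/- N hours so a 9:30 login is not
    flagged just because every earlier login was at 9:00. z is the number of standard
    deviations above the user's mean session size that counts as a volume anomaly.
    """
    profile = baseline.get(user)
    if profile is None:
        return ["no baseline for user"]
    reasons = []
    when = parse(ts)
    weekend = when.weekday() >= 5
    nearby = {(weekend, (when.hour + d) % 24) for d in range(-hour_slack, hour_slack + 1)}
    if not nearby & profile["slots"]:
        reasons.append("login outside usual hours")
    mu, sd = mean(profile["sizes"]), pstdev(profile["sizes"])
    # max(sd, 1.0) keeps a near-constant history from turning +1 record into an alert.
    if size > mu + z * max(sd, 1.0):
        reasons.append("download volume far above baseline")
    return reasons


def triage(baseline, sessions):
    """Decide per session: 'hold' (lock and have the user call in) or 'allow'."""
    decisions = []
    for user, ts, size in sessions:
        reasons = score_session(baseline, user, ts, size)
        decisions.append((user, "hold" if reasons else "allow", reasons))
    return decisions


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    # Constructed live sessions, including the article's 3 a.m. Saturday scenario.
    live = [
        ("ceo", "2013-03-16 03:00:00", 400),
        ("ceo", "2013-03-12 09:30:00", 16),
        ("teller1", "2013-03-16 09:30:00", 50),
    ]
    for user, decision, why in triage(base, live):
        print(f"{user:8} {decision:5} {', '.join(why) or 'within baseline'}")
```

The point of the example is the shape of the decision, not the particular statistics: the baseline is built from the business's own record of what each account normally does, and the "hold" outcome is a business choice (lock the session, have the person call in) that the detector only triggers. A real deployment would feed the baseline continuously, key it on more than hour and volume (source network, device, the specific records touched) and keep the threshold tunable per role, since a teller pulling 60 records is routine while the same count from an executive is not.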
Is that possible? The oddity is that although many security professionals express profound depression about the failure of the traditional safeguards, there is mounting optimism that new tools – big data analytics in particular – will bring ever more security to networks.
Bottom line: this is a time for in-depth reassessment. What is working, what needs to be beefed up, and what new weapons need to be added?
Do that, suggest the security pros, and just maybe there are good reasons for believing that in fact the sky is not falling.
At least not just yet.