Traditional Network Defenses Can’t Mitigate the Majority of Data Breaches.
If there was ever a year to talk about data breaches and evolving threats, it’s 2016. From the Yahoo to the DNC to (another) hack of the Ukraine power grid to Mirai, the hits kept coming. It’s undeniable that cyberattacks are a growing problem, but the real question is: why?
Part of the issue is that most organizations are still working to build impenetrable forts that keep attackers outside the (fire)wall. Yet the vast majority of attacks are occurring at the application layer, either through identity and access management or through vulnerabilities in the application itself.
Traditional network defenses can’t mitigate the majority of these data breaches. Instead of focusing entirely on building a stronger fortress, we need a new type of counterinsurgent security that can move out into the jungle to protect users and sensitive data in the wild against the guerilla attackers who target identity and disguise their exploits with the very encryption that we think keeps us safe.
Identity and Access in a SaaS World
When a company moves its project management tool to the cloud, for example, the potential pool of people who can access that data goes from a limited group of contractors and employees to all 3.2 billion people connected to the internet. Often all an attacker needs is a user’s email address and password to gain access.
On a normal day a typical worker might visit a web-based CRM system, a project management tool, an HR portal and an office productivity suite. These used to be internal apps that lived on servers within the company data center. Today they’re accessed as a service through the web, providing a significant opportunity for data to be compromised.
So what can CISOs do to mitigate the risks involved with our increasing reliance on SaaS solutions? The first strategy is to focus on identity, which is the key that unlocks the new network’s gateway. CISOs must be looking at their authentication, authorization and accounting of what actually happens with each user’s identity. There is much work to be done with identity and access management (IAM), and CISOs should be looking for a more sophisticated approach in correlating access with risk.
The industry has been talking about two-factor authentication for some time, but we really should be talking multi-factor — and enabling it to the extent that even if identities do get compromised (because they will), we have mitigations in place. Some organizations today are addressing this at the rule level. Logging in may provide basic access to the app’s functions, but as soon as the user touches a field with sensitive data behind it, the application invokes multi-factor authentication, similar to creating higher clearance levels based on what users are trying to access. We must continue to find ways to make IAM much more granular and intelligent.
Protecting Against the Application Ambush
While identity and access management protect the keys to the gate, there’s still the problem of securing the new network perimeter — all of those web-based applications and systems. If even one app contains a vulnerability, a SQL injection may be all it takes to punch through and access the company’s database. Ensuring you have defenses that can address the current threat landscape to protect the integrity and availability of each application is vital.
Complicating matters is the sheer explosion of apps and services on the web today. According to Netcraft, the number is well north of a billion. Consider also that the Internet of Things is connecting millions more devices to the web, each carrying its own app. With such an increase in demand, it’s no wonder the market for security professionals is heating up, and those who specialize in app security are more scarce than ever.
In the days when applications arrived in shrink-wrapped boxes to be deployed inside the firewall, the software development lifecycle was the critical element to minimizing vulnerabilities. But today the risks are distinctly different. That’s why we’re seeing more organizations turn to sophisticated app security measures like web application firewalls, DDoS protection, and DNS Security Extensions. CISOs should be looking at these and other approaches as they work to lock down the all-important application layer.
What’s Hiding in Encrypted Traffic?
Today encryption is ubiquitous in the business world, and in the next five years, web traffic will be close to 100 percent encrypted, with emerging tools like elliptical curve cryptography making the codes even harder to crack. SSL is another critical asset that CISOs should be looking at for security, but it’s also an increasingly dangerous vector for attacks and exfiltration. CISOs need to better understand these risks.
Encryption offers protection for data in transit, but it also introduces the risk that malicious entities are leveraging it to sneak their code in and out of the network — and most intrusion prevention systems can’t see attacks that are encrypted. In addition to obscuring malicious code and stolen data, this trend can also delay a company’s understanding of the evolving threat landscape: Because they are not able to see all of the traffic, security operations teams are not able to recognize and log threats as fast as they are morphing.
Somewhere along the line, the security architecture must be able to interpret the encrypted traffic and ensure it’s not forwarding a malicious payload, or allowing sensitive data to leave the organization. The best way to do this is to have a central inspection zone with the ability to terminate and inspect traffic — including a location that can store encryption keys and a location that can terminate and then re-encrypt with a very minimal footprint.
The security architecture of the future will incorporate DLPs, data lakes, next-generation firewalls, IPSs and a related ecosystem of intelligence services. It will require a deep understanding of SSL and its associated risks, and involves much more sophistication in terms of identity and access management.
In security’s new paradigm, the enterprise network remains a fortress to guard against invasion. But with applications, users and data scattered all over the globe, and advanced attackers who are always working on the next exploit, the new world of cybersecurity requires counterinsurgency measures that can follow those assets and keep them secure wherever they may be.