With 783 Breaches Reported in 2014, Isn’t it Time to Admit That Perimeter Defense is No Longer Enough
The scary part is that 783 breaches only represent what was reported. Undoubtedly many more incidents occurred but were never publicly disclosed. Whether you count the disclosed or the undisclosed number, it would be hard to dispute that cyber-attacks are growing in frequency and becoming more complex. Current security solutions are proving ineffective, and breaches continue to be a deadly threat to enterprises whose valuable data can be compromised, often generating millions of dollars for the attackers. Just this week, authorities charged nine individuals with insider trading in a scheme where overseas hackers, mostly from Ukraine, had been infiltrating newswire sites for over five years. They were providing earnings announcements to rogue traders before the news became public.
A Symantec study released in April notes that cyber-attacks on large companies are up by roughly 40 percent, and in a recent CBS 60 Minutes segment, FireEye CEO Dave DeWalt stated, “Literally, 97 percent of all companies have been breached,” defining a breach as at least one attacker bypassing all layers of an organization’s security architecture.
Typically, organizations employ a “defense-in-depth” strategy that includes multiple layers of perimeter security supplemented with intrusion detection systems (IDS) and intrusion prevention systems (IPS). While the goal of these layers is to prevent any and all hackers from gaining entry, it is proving nearly impossible to keep all potential intruders out. Once an intruder passes through the perimeter defense, most companies are not equipped to detect the breach until it is too late.
However, a modern approach to network security is emerging in which organizations assume that attackers will penetrate the perimeter and that detection therefore also needs to occur within the network. A new category of deception-based threat detection is being deployed to close the gaps left open by traditional security solutions, filling an undisputed market need.
New deception-based detection technologies can reveal bots and advanced persistent threats (APTs) in real time across the network, data center and cloud environments before data can be breached. Traditional threat detection solutions look for suspicious attack behavior based on known signature patterns. Deception solutions instead detect the presence of attackers as soon as they touch a decoy, identify their intent, and provide intelligence to shut down current attacks and thwart future ones. Because alerts are generated only when an attacker has engaged with the deception server, which no legitimate user has any reason to contact, there are no false positives.
But not all solutions are alike, and there are four tips you need to consider before making a purchase.
- With deception it is all about authenticity, and the choice of deception technology should be based on how believable the decoy and the deception bait used to lure attackers are. Some providers use emulation; however, because an emulated device may not look or operate like a real environment, attackers may easily recognize it and work around it. Deception technologies based on real operating systems running full services are much more authentic. Additionally, solutions that can load a golden image, the same one used in the production environment, onto a live server will create a decoy system that is indistinguishable to the attacker. The type, quality, and pervasiveness of the bait will also play a critical role in luring attackers.
- Of course, the solution needs to be easy to integrate and deploy, add the least possible friction to the network, and be able to scale across enterprise, private cloud, and public cloud deployments. Compute requirements also need to be considered: many will find that an inline device in a data center requires a heavy investment for organizations seeking to detect east-west data center traffic. A non-inline, non-compute-intensive solution provides a streamlined, non-disruptive way to detect intrusions and breaches within large networks.
- In addition, to be truly efficient and pervasive throughout the enterprise environment, the best deception and detection solutions must be able to turn any endpoint and any subnet into attractants that lead intruders back to the deception server. Detection alone does not make a comprehensive solution. An enterprise-class detection system will also provide the ability to engage with an attacker so that forensics can be run and the attack examined for characteristics that can help shut down current attacks and prevent further ones.
- Cyber security threat management relies on capturing threat intelligence, and its usefulness depends on how well that information is managed and shared. For the highest value, deception-based solutions should provide forensics, a threat intelligence dashboard, and a variety of Indicator of Compromise (IOC) reporting formats so that security teams and perimeter security devices can be updated with lessons learned.
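To make the detection principle behind the first and last tips concrete, here is an added example (not Attivo's code or any product's implementation) of a minimal decoy service: it accepts any connection on a port that no legitimate client is configured to use, records the engagement as a high-severity alert with a rough intent guess from the first payload bytes, and exports the alert both as a JSON IOC record and as a blocklist line a perimeter device could consume. The decoy port catalogue, the scanner allowlist, and the intent heuristics are constructed for illustration.

```python
"""Minimal deception-server alerting skeleton (added example, not product code).

Assumption: the decoy ports below are not used by any real service, so any
connection to them is an engagement worth alerting on. The only suppression is
an explicit allowlist for the authorised vulnerability scanner, which is the one
legitimate system expected to touch every port.
"""
import json
import socket
import threading
from datetime import datetime, timezone

# Hypothetical decoy catalogue: decoy port -> service the decoy pretends to run.
DECOY_SERVICES = {2222: "ssh", 3389: "rdp", 1433: "mssql"}

# Constructed allowlist: the authorised scanner that legitimately probes decoys.
SCANNER_ALLOWLIST = {"10.0.0.5"}


def classify_engagement(src_ip, decoy_port, first_bytes, ts=None):
    """Turn one connection to a decoy into an alert dict, or None if suppressed.

    Unlike signature-based IDS, there is no pattern to match: reaching the decoy
    at all is the signal. The payload is only used to guess the attacker's intent.
    """
    if decoy_port not in DECOY_SERVICES or src_ip in SCANNER_ALLOWLIST:
        return None
    ts = ts or datetime.now(timezone.utc)
    if not first_bytes:
        intent = "port-scan"            # connected and left without speaking
    elif first_bytes.startswith(b"SSH-"):
        intent = "ssh-handshake"        # client sent an SSH version banner
    elif first_bytes[:2] == b"\x03\x00":
        intent = "rdp-connect"          # TPKT header that starts an RDP session
    else:
        intent = "unknown-payload"
    return {
        "timestamp": ts.isoformat(),
        "source_ip": src_ip,
        "decoy_port": decoy_port,
        "decoy_service": DECOY_SERVICES[decoy_port],
        "intent": intent,
        "severity": "high",
    }


def to_ioc_json(alert):
    """Export the alert as a flat JSON IOC record for a SIEM or dashboard."""
    return json.dumps(alert, sort_keys=True)


def to_blocklist_line(alert):
    """Export the attacker address as a comment-annotated blocklist entry."""
    return "%s # decoy %s engagement %s" % (
        alert["source_ip"], alert["decoy_service"], alert["timestamp"])


class DecoyListener:
    """A single-threaded decoy: listens, accepts one connection, records an alert."""

    def __init__(self, decoy_port, bind_host="127.0.0.1", bind_port=None):
        self.decoy_port = decoy_port
        self.alerts = []
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        # bind_port=0 lets the OS pick a free port for the demo below.
        self.sock.bind((bind_host, decoy_port if bind_port is None else bind_port))
        self.sock.listen(5)
        self.bound_port = self.sock.getsockname()[1]

    def accept_once(self):
        conn, (src_ip, _) = self.sock.accept()
        conn.settimeout(1.0)
        try:
            first = conn.recv(64)       # peek at the opening bytes only
        except socket.timeout:
            first = b""
        finally:
            conn.close()
        alert = classify_engagement(src_ip, self.decoy_port, first)
        if alert is not None:
            self.alerts.append(alert)
        return alert


if __name__ == "__main__":
    # Demo: a fake SSH decoy on an ephemeral localhost port, probed by a client
    # that sends an SSH banner. Note the demo client comes from 127.0.0.1.
    decoy = DecoyListener(decoy_port=2222, bind_port=0)
    worker = threading.Thread(target=decoy.accept_once)
    worker.start()
    client = socket.create_connection(("127.0.0.1", decoy.bound_port))
    client.sendall(b"SSH-2.0-OpenSSH_6.6\r\n")
    client.close()
    worker.join()
    for alert in decoy.alerts:
        print(to_ioc_json(alert))
        print(to_blocklist_line(alert))
```

The design point is that the alert pipeline has no tuning knobs for sensitivity: every decoy engagement is an alert, and the only suppression is a deliberate allowlist. That is what makes the "no false positives" property of the approach credible in practice, and it is also why the decoy must be convincing enough that an attacker engages with it at all.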
This efficient and cost-effective additional layer of security complements existing measures by accelerating threat discovery and providing an entirely new line of defense, making it more difficult for attackers to reach or compromise valuable assets. As a result, post-infection deception and detection is a necessary component of any security strategy, uncovering intrusions and breaches that can otherwise go unnoticed for months while the attacker moves laterally through the network to compromise the most sensitive data. Of course, existing firewalls, secure Web gateways and other perimeter solutions will continue to serve a clear role, but breach detection systems that focus on detection inside the network will be an essential complement to a complete security solution.
Calling the security evolution from “if a breach will occur” to “a breach has already occurred” a minor shift is like calling Hurricane Katrina a rainy day. Today’s sophisticated bots and APTs have completely reshaped the environment in which IT and security teams must operate. The more progressive enterprises and government agencies have accepted the change in the security paradigm and are embracing detection of threats within the network as a critical part of their security strategy.
At Attivo, I have seen many organizations start by putting a BOTsink threat detection device on the subnet where their most critical assets reside. This provides the additional peace of mind that their most important data, their crown jewels, has the highest degree of protection and that they have technology in place to detect zero-day attacks. From there, it is common for organizations to expand to making their entire network a deception platform, with every endpoint and node land-mined with traps to bait and detect intruders.
As one person told me, it is unquestionably more cost effective to put in Attivo deception than it would be to have to clean up after a breach. With an average breach costing $3.5M, it is easy to say that we agree!
Chief Marketing Officer