Anyone responsible for keeping their enterprise information secure has to understand three events that have changed the nature of cyber-security forever:
1. The Perimeter has Disappeared
There used to be a strong perimeter defined by the network endpoints, which were all inside secured corporate buildings or inside highly secured corporate data centres. But over the past decade, a lot has changed. Adding Internet gateways required firewalls, IDS/IPS, and more. Teleworking required better VPN encryption and security. Mobility, in the form of wireless access for mobile workers’ laptops, smartphones and pads, dissolved the concept of a network perimeter and required significantly greater device and data protection. And cloud services have expanded the highly secure corporate data centre into vendor data centres that provide varying (and often unknown) levels of security (and regulatory compliance). Infrastructure cyber-security has become so advanced that, as long as systems are kept well patched and up to date, they will stop almost all standard attacks. That’s why today most successful attacks go around the standard perimeter defenses by finding trusted people to let them (and their malware) into the network via email and cloud. (As an example, Cisco folks visit 350M websites per day, and about 2% are blocked. We avoid over 500K malware downloads a day. We also get about 4.5M emails per day from outside. Some point to infected web sites. And about 200 emails per day carry virus payload attachments.)
Cisco’s main security efforts, alongside the sophisticated security tools that still protect the traditional perimeter, have grown. We are now protecting end users on the Web and on their devices, and protecting the network from trusted employees who unknowingly bring in malware via web and email. This task makes OpenDNS, ESA, WSA and Cloud Web Services, as well as Identity Services Engine (used to identify and validate the trustworthiness of identities and access, i.e. IAM), critical to our security.
2. Everyone Has Been Hacked, is Being Hacked, is Currently Infected
You can’t give up hardening, but you have to accept that you have been successfully hacked. The only customers who think they are free of Advanced Malware Threats (AMTs) are the ones who have not started looking for them. They are there, in every business, well hidden and looking for secured information. The best strategy is to assume that there are successful AMTs already embedded within your infrastructure (usually your data centre). While you can reduce the number that get in, you have to understand that some will get through, and work to reduce the damage they can do once they are inside. That means adding to your security process, in addition to “block as many malware exploits as possible”, another equally important goal: “find and contain threats as quickly as possible”. Monitoring tools like Cognitive Threat Analytics, ThreatGrid (sandboxing and more), Stealthwatch, and now Tetration Analytics are critical in finding them. Without this continuous monitoring, successful AMTs are only identified when someone stumbles across them while doing something else. The average identification and containment time for a successful AMT can be 200+ days, with identification taking up almost all of that time. As a counter-example, Cisco IT/Infosec’s average for identifying and containing an AMT has been 17 hours over the past 4 quarters, and it is getting better. So internal monitoring and analysis, beyond hardening, is critical.
3. Identifying the New AMTs Requires Global Unified Cooperation – a Widely-Cast Net with a Fine Mesh
Cisco SourceFire/Snort pulls in and analyses information from AMP NGIPS, ASA firewall, AMP for Endpoints on laptops and mobile phones/pads, Email (ESA), Web (WSA), CTA, and ThreatGrid, casting that net wide. And since the “signatures” for zero-day attacks for AMP products are updated from Talos, which pulls malware signature data from every customer’s SourceFire, every ESA/WSA/AMP firewall, NGIPS and ThreatGrid, and from OpenDNS with its 3M+ end users, everywhere in the world, that’s a wide and fine net indeed. Talos also works with other similar groups to share this information. Individual isolated firewalls cannot compete with this. So an organised, unified security architecture is critical.
Knowing, understanding, and acting upon these three facts will enable a more prepared and more secure corporate infrastructure.