Effective Security Posture


For many years, businesses have been building their security infrastructure around loosely affiliated point products from multiple vendors, opting for best-of-breed solutions that often proved difficult or impossible to integrate. And, over time, security practitioners have gotten used to working with the inconsistencies between products.

As digital transformation brings more users, devices and applications online, companies are challenged to protect an expanding attack surface. With more space to operate in and greater opportunities to generate a profit, active adversaries are relentlessly targeting businesses, organizations and people.

In response, we've ended up deploying disparate security products to address a variety of needs - a practice that can be difficult to manage and often leaves businesses more vulnerable.

Security services become a complex mix of technologies, endless alerts and false positives - Noise - that we filter out in the hope that the security layers we have in place are doing their job.

The Network Perimeter; once easily defined behind your corporate firewall is now stretched to wherever your users happen to be working. The prevalence of 3rd party systems and cloud services has decentralised your users and the information systems they have access to. Excellent for an increasingly mobile and flexible workforce, but a growing headache of complexity for Information Security.

Anti-Virus is an Industry standard. We all have it in one way or form, we accept that we need it and we trust it to protect us. The problem is that the AV industry is playing catch up against a more agile, faster growing, malicious trend. The reality is that Anti-Virus cannot keep up. In the 1st quarter of 2016, the industry average time to detect a new threat variant was 170 days. 39 days to contain and 43 days to remediate. Signature based Anti-Virus in that form is almost useless. New Malware variants are mutating and impacting services world-wide every other week.

But for so much of the IT industry; this is what we know and this is how we work. Keep your Operating System patched and up to date. Get your AV definitions out as often as possible. Make sure you have backups of your critical data in place.

Ransomware dominated the threat landscape in 2016. In January of 2016, ransomware accounted for around 18% of the global malware delivered by spam and exploit kits. By November 2016 that number exploded to account for 66% of malware payloads. The threat landscape has changed rapidly because it's been so effectively monetised. Your files are encrypted. You pay the ransom (and hope to recover your files), or you lose the files and hope to restore everything from backup. There's no need for a targeted approach. The malware is sent far and wide, the more systems impacted, the more monetary opportunity.

The Cisco 2017 Annual Cyber Security Report revealed the potential financial impact of attacks on businesses, from Enterprise to SMB.

More than 50 percent of organizations faced public scrutiny after a security breach. Operations and finance systems were the most affected, followed by brand reputation and customer retention. For organizations that experienced an attack, the effect was substantial.

  • Twenty-two percent of breached organizations lost customers - 40 percent of them lost more than 20 percent of their customer base.
  • Twenty-nine percent lost revenue, with 38 percent of that group losing more than 20 percent of revenue.
  • Twenty-three percent of breached organizations lost business opportunities, with 42 percent of them losing more than 20 percent.

Small business can no longer hide behind the mantra of "Why would any target us?" The global reality is that if you haven't been hit by some form of crypto or malware, and you do not have an effective security posture, it's only a matter of time until you are impacted. Ransomware attacks are opportunistic. Profit with as little effort and risk as possible.

If you operate a large enough network environment, it's likely that you have already deployed a hierarchical network architecture consisting of access, distribution, and core layers. Potentially with multiple security products, deployed in a DMZ or local services zone, such as a firewall and/or web proxy server. It's the model we've pushed for almost 20 years.

Unfortunately, this has become an outdated security model. As our businesses and users change and digital disruption continues to influence business direction the attack surface increases leading to more opportunistic threats. The traditional model no longer gives us any true defence in depth.

With more remote and roaming on-the-go users working directly via the cloud on various devices, perimeter-based security technologies and virtual private networks are no longer able to fully protect devices and corporate data. Many cloud-based services are accessed directly over an internet connection, leaving these applications and data with only basic security. According to Gartner, by 2018, 25 percent of corporate data traffic will bypass perimeter security and flow directly from mobile devices to the cloud. For New Zealand SMB's that number is already a lot higher.

We start to lack integration or correlation. We rely on multiple stand-alone products designed to provide best effort protection for users on the go. We lose visibility of the devices using our resources.

To better safeguard our businesses and data against ransomware and the emergence of new threats we need to re-define our security architecture.

  • We need to look at creating a Defense in Depth strategy providing us with an Effective Security Posture that reduces the gap between time to detect, contain and remediate.
  • We need to leverage integrated, open and automated systems that Automatically shares threat intelligence and provides aggregated, correlated context with other security products and services, both on premises and in the cloud.
  • We need reduced complexity and better visibility across the entire environment.
  • We need better integration with new and existing security investments using open, extensible standards and technology.

Knowing what we need, the panacea starts to take shape.

  • NGFW/NGIPS - "Next Gen" Firewalls and Intrusion Prevention with visibility into who is accessing the network and what they are doing. Policy enforcement, analytics, file and device trajectory.
  • DNS Security - Extend protection beyond the organizations firewalls by leveraging threat analytics at the Domain Name System layer to analyse outbound network calls, intercept and prevent active connections to Command and Control services. Immediately preventing access to URL's containing malware.
  • SDN - Granular, Software Defined Network segmentation and role based policy enforcement regardless of the location, device or IP Address.
  • Email Security - On Premise, Hybrid or Cloud based multi-layer malware and spam detection and prevention.
  • Sandboxing - Network, Cloud, or Host based advanced analysis of unknown data in or out of the organisation.

Now comes the critical component - Analytics.
The ability to take all the information we're getting from these security pieces and do something meaningful with it. Traditionally, by developing baselines, we can start alerting or reacting to anomalies. We can define what is normal so we can identify the abnormal. The issue we're faced with today is the sheer amount of data to process.

We solve this with Cloud Based Threat Intelligence.
Security sources which are constantly fed, updated, analysed and quantified. Analytics from millions and millions of devices reviewed in near real-time using advanced AI techniques and security teams from around the globe to identify and detect emerging threats. We know we're always going to be on the back foot trying to prevent or contain new threats but as we build up our analytics and enhance AI learning our time to detect gets lower and lower and our chance of predictive heuristics used to detect emerging threats get better.

So now we have what looks like a model for an all-encompassing network perimeter and an effective security posture. Through continuous analysis we're detecting and blocking threats within hours instead of days, weeks or months. We're using our Cloud Based Threat Intelligence to get protection in place on all our interconnected systems as soon as a new threat is identified.

Our time to detect is reduced considerably and our Security Posture is feeling quite Effective. We can block known threats faster than ever before! We're feeling confident that when the business owner asks if the network is now secure we can respond with certainty that we have secured the network.

But Security is not static, we know that time quickly moves forward. Let's say that in 30 minutes time a new exploit is released into the wild. Through sheer bad luck the organisation you are being trusted to protect is one of the first places in the world hit with a new zero-day exploit. An invasive little bug has slipped by all your carefully constructed security, despite you doing everything possible to prevent it.

This is where the final piece of the security puzzle needs to fall quickly into place.
We've built our analytics, we've narrowed our time to detect, now we need to rapidly and retrospectively remediate the issue.

Traditional point based security has always worked on the premise of known good and known bad. Data with an unknown disposition is typically let through with the hope that the next layer of security will deal with it. If we're going to be able to deal with the unknown we need to be able to track it. Not just vertically, but also horizontally through the network. We need both our Network and Endpoint protection watching, analysing and recording activity so we can track data of an unknown disposition. Until that disposition is clarified our position on that data is fluid. We can sandbox, we can monitor and then we can classify.

If we've tracked that data through the organisation while our sandboxing and analytics engines are running then we have the all-important component of visibility within the network. The moment that the disposition of that data changes from unknown to known bad, we can retrospectively follow that data throughout the network. Isolating, triaging and remediating wherever necessary.

This is the security model that we're adopting to provide an Effective Security Posture for ourselves and our customers. Seamless end to end analytics, with context, to narrow the mean time to detect, protect and remediate. To ensure that the network security perimeter is extended as the business evolves.

Latest Posts

  • Effective Security Posture

    10 July, 2017

    For many years, businesses have been building their security infrastructure around loosely affiliated point products from multiple vendors...

  • New Website!

    10 July, 2017

    Our new website is now live!

  • The New Security Perimeter

    10 July, 2017

    Everybody has an opinion on security. The following article which is now available for download in a distributable PDF is my opinion based on the trends, issues and responses within the industry.