Good security hygiene is essential, and IT managers who don’t practice them are guilty of malpractice, plain and simple. However, even perfect security hygiene can’t prevent all attacks. For example, timely application patching can’t fix zero-day vulnerabilities for which fixes haven’t been issued or vulnerabilities that haven’t been discovered yet. Strong password practices also can’t prevent malicious behavior from insiders with authorized access.
As a result, administrators who focus on prevention won’t be adequately prepared with an effective incident response plan when an attack eventually succeeds. After all, 64% of companies worldwide have experienced at least one form of cyber-attack. Security professionals must start thinking beyond hygiene and get real about ensuring that they have the information, people and processes in place to respond quickly and limit the damage.
Zero Trust and Endpoint Protection Are Still Not Enough
Security teams looking beyond security hygiene often start with two critical practices:
- With zero trust, every network access attempt – whether inside or outside the firewall – needs to be authenticated to ensure users are who they say they are. Zero trust may also include authorizing every access attempt to apply governance and compliance policies that restrict who has access to sensitive systems and data.
- Endpoint protection, an essential strategy for achieving zero trust, is a software approach to identifying access attempts by unsecured remote devices – personal PCs, mobile phones, etc. – and managing them for authentication and authorization purposes.
However, while zero trust and endpoint protection are now a must for large networks, they too can’t guarantee that an attack will never succeed, especially given the ever-expanding attack surface and the speed with which new threats evolve.
To truly protect their organizations, every cybersecurity stakeholder must accept the inevitability of a breach and be prepared to limit the damage. The most effective way to do this is to:
- Accelerate detection and understanding: Use AI-powered tools like machine learning (ML) and behavioral analytics (BA) for rapid identification of attacks
- Substantiate containment: Segment the network
- Effectively remediate risk: Ensure the security team has the certified analysts, threat intelligence and experience to determine and implement the right response
AI, ML and BA for Fast Detection
Organizations can now monitor network activity across the entire hybrid IT environment – on-premises, virtual private cloud and multiple public clouds – and then use ML- and BA-powered tools to analyze the collected data to develop a correlated picture of the network security posture. By understanding what “normal behavior” is for the network, the system can instantly identify abnormalities, allowing the security team to determine whether the anomaly is genuinely a threat.
For example, suppose an employee who normally accesses the network from San Francisco during business hours suddenly attempts to access the network from Russia at 2:00 a.m. In that case, the security team can receive an alert and determine if the employee is traveling in Russia or if the activity is likely an attack. Similarly, if a computer used by a receptionist is suddenly downloading data from an engineering server, the security team can be alerted.
Network Segmentation Helps Stop the Spread
The most severe breaches are typically ones where the attacker gains access to a vulnerable peripheral area of the network – an HVAC system in retailer Target’s case – and then traverses the entire network stealing valuable data, deploying ransomware or otherwise wreaking havoc.
Network segmentation can limit the damage, making it harder for an attacker to move from one area to another, allowing more time to mount a security response. Unfortunately, many companies resist segmentation because of concerns over increased network management complexity and fees. However, network strategies like SD-WAN can make segmentation a viable security approach.
An Expert Incident Response Team
Expert security practitioners have a vital role to play. While ML and BA tools can detect anomalous behavior, they cannot yet decide whether there may be a good reason for that behavior. Technologies also can’t always decide how best to respond to incidents. They just aren’t there yet.
As a result, certified security professionals are still 50% of the success equation. Reducing the time to contain a threat still requires human resources. Teams must have the threat intelligence and experience to understand the nature of an attack and determine the best course of action. And since we live in a world of 24/7 threats, we must have a 24/7 security team. Businesses that can’t afford to build a 24/7 in-house security team with the required level of expertise must consider contracting with a managed security provider.
Good cybersecurity hygiene is essential but insufficient. Only by preparing to limit the damage of an inevitable breach can we truly protect our data, customers, employees and companies.
Jay Barbour Director of Security Product Management at Masergy | infosecurity-magazine.com