As anyone in the network security world will tell you, it is an extremely intense and stressful job to protect the corporate network from ever-evolving security threats. For a security team, a 99 percent success rate is still a complete failure. That one time a hacker, piece of malware, or DDoS attack brings down your organization’s network (or network availability) is all that matters.
It’s even more frustrating when you consider that the proverbial ‘bad guy’ sitting in the basement of his mother’s house can spend less than $1,000 USD on a computer and malware and bring down a network that you have spent millions of dollars on state-of-the-art equipment to protect.
So, what’s the answer? It comes down to two things – prevention and acceptance. Security teams must continue to prevent security attacks while also accepting the reality that the network will eventually get breached. This doesn’t mean accepting the role of victim. Network security resilience as a concept is focused on this endeavor. It asks the question, once an attack has been successful, how can you make your network more resilient to limit the damage that a bad actor or malware can do in the future?
Successful implementation of network security resilience relies upon making a fundamental shift in both security strategy and mindset. Organizations cannot expect to see the benefits if they don’t embrace change. However, change is easier said than done. It seems like many security engineers, architects and CIOs are caught up in a philosophy that is primarily focused on prevention. So how can you start the shift towards resilience? There are three simple tenets that must be embraced. They are as follows:
- Accept the Network Security Resilience concept
- Accept the belief that you can make real changes
- Commit to making the change.
First, security teams need to accept that it is not a question of if, but when your network will be breached. While prevention should always be a key security architecture goal, a resilient strategy focuses on recognizing the breach, investigating the breach, and then remediating the damage as quickly as possible. While the concept is straight forward, it can feel like there is an “arms race” that requires you to spend all of your security budget to continually upgrade defenses. This threat is real, but teams also need to set aside some budget for security resilience.
If budget is truly a problem, it may be that you can put together a plan to convince your Chief Information Officer (CIO) or Chief Information Security Officer (CISO), that the security risk is real to your company’s personally identifiable information (PII) and that you need some extra budget to remediate the risk.
The average amount of time it takes to identify a data breach is 197 days, according to a 2018 study conducted by Ponemon Institute. A second data point reveals that over half of victimized companies never discover the breach themselves—they are informed by law enforcement, business partners, customers, or someone else (according to a 2018 Trustwave report). Meanwhile, 87 percent of breaches occur in just minutes, a 2018 Verizon DBIR found, meaning that finding and responding to breaches quickly is imperative. So, a rapid response can have an effect and limit the exfiltration of some, or maybe even all, personally identifiable data. Limiting this data exfiltration is what will limit the cost of a breach because it limits the company’s liability – no data loss means no fines and no public reporting of the incident.
The second step toward network security resilience is to overcome any pessimism in order to make positive change in this area. Some people get caught up in the mindset that there is nothing they can do that will be effective, so why waste the time. This mindset is often cleared up once a breach happens, PII is stolen, the company is faulted for their lack of prevention techniques, fines are then assessed by government agencies (like the FTC and HHS departments in the United States), and lawsuits are filed against the company. Unfortunately, a mindset change at this point is too late.
The implementation of changes to the network that can increase resiliency is definitely possible. If the average length of time from intrusion to detection is 197 days, then there are definitely some “low hanging fruit” improvements that can be made to reduce that amount of time.
The third thing that organizations must do is to act on the change. There are always new tools to implement, but you need to make a “planned” start. The reason I say planned is that while there are several things security teams can do, they need to follow through on the new processes. Some activities require less effort than others, if implemented correctly.
For instance, application intelligence with geolocation can be used to expose indicators of compromise. Consider the example that there is someone in Eastern Europe accessing your FTP server in Dallas and transferring data back to the Eastern Europe location. If you have no authorized users in that geographic area, there is a good chance that your network has been compromised and you should act on that immediately. However, you need the setup and inspection of that data to be easy in the first place. This typically requires some sort of dashboard that can quickly and easily expose the relevant information—no log file inspections, no physical correlation of data points on your points, etc. Any manual activities like that will slowly kill the use of any resilient tactics, unless you have the staff for this kind of activity.
Another simple tactic is the use of a threat intelligence gateway that blocks the exfiltration of data to known bad IP addresses. The trick here is that you need a gateway that has constant updates that are easy to load. This gives you a formidable defense that does not consume an exorbitant amount of your time.
When you put these facts together, you have a solid approach. Invest in the right set of capabilities that let you know that you have, in fact, been breached and implement those capabilities so that you know in a reasonable amount of time. Six months is not reasonable and even one month is probably too long. At the same time, you do not have to know within seconds or minutes (although that would be very nice). You pick that interval.
Network security resilience is a concept focused solely on this endeavor. It is all about trying to minimize corporate risk and the cost of a breach. The intent is to create a solution that identifies indicators of compromise and gives you actionable information to get the network back up and running (after a breach has occurred) as fast as possible.
Unfortunately, security teams will never achieve full peace of mind. There will always be new hackers, new malware and new security threats to a network. But by adopting a strategy focused on network security resilience, you’ll be taking an approach that will help to limit the damage of a breach and learn from it in the future.