There’s a new reality to network security, driven by the fact that the perimeter is vanishing.
The concept of a network being fully enclosed within a building or virtual organization, and therefore easier to defend, is gone. The concept of a defensible, impermeable perimeter is dead. This is not news to anyone who is in the position to protect an organization from cyberattacks, and we understand the challenges security teams face under these circumstances.
What are the implications for attacks that evade perimeter defenses, and what techniques do security teams need in order to defend against them successfully?
What is causing the perimeter to vanish?
I want to start by being clear about what I mean when I say the perimeter is vanishing. It is the expansion of an organization’s network to include far more devices and locations, many of which are outside what used to be considered the perimeter, and many of which are outside the control of the security team.
- The number of IoT devices, which are notoriously poor in terms of security and vulnerabilities, is expected to nearly triple in the next 6 years, from 26.7B in 2019 to 75.4B in 2025.
- Gartner predicts that by 2021, 27 percent of corporate data traffic will bypass perimeter security, and flow directly from mobile and portable devices to the cloud.
- Personal devices risk being compromised off site and then brought onsite where infections can spread. Mobile has surpassed desktop as the primary way to access the Internet (Comscore Digital Future in Focus report).
- According to LogicMonitor, 83 percent of enterprise workloads will be in the cloud by 2020. The cloud requires new security tactics to address its inherently different nature as an environment; security that neither cloud providers nor on-premises security tools deliver.
The good news is that these are, generally speaking, great productivity tools for employees. People can work from anywhere, share data and work collaboratively, and simplify the management of technology resources by migrating to the cloud. But the result is a tremendous increase in the volume of data flowing into and out of an organization.
When security teams needed only to patrol the perimeter, the volume of ingress and egress actions was manageable. Now add all of the activity taking place within the network, whether on-premises or in the cloud, and across the expanded set of devices. The volume of data generated is orders of magnitude larger, outstripping security teams’ capacity to monitor it all.
This expanded attack surface – IoT, personal devices, and cloud – plus the fact that remaining perimeter security is easily bypassed by advanced threats that evade detection, introduces new risks for overtaxed security teams to mitigate.
- Drive-by and watering hole attacks are harder to defend against when employees are working offsite on personal devices.
- Cloud environments are relatively new, and not everyone understands how to secure them. In addition, once a criminal compromises a public cloud platform, he can attack a large number of organizations using that platform.
- Criminals are exploiting vulnerabilities in IoT devices and then moving laterally to more valuable hosts.
Best practices for securing a perimeterless network
There are several techniques and technologies that will enable security teams to effectively secure their network once they come to terms with the fact that the perimeter is easily bypassed. They’re all related in that they’re focused on detecting malicious lateral movement within a network, which is the most important goal for organizations today. Firewalls, endpoint protection, and other perimeter defenses are still important, but they’re insufficient.
A node is any computer, device, or system connected to the network or the cloud, such as a notebook computer, a smartphone, or a shared printer. Monitor and analyze the communication among these devices for anything unusual or malicious. If a criminal can hack an iPad, he can then jump from there to other devices in your environment, other nodes of the network. Given the volume of activity among all of the nodes of an increasingly large network, security teams may find it challenging to keep up with all of the alerts.
One option is simply to hire more analysts, but with the skills shortage this too may prove challenging. Some network analytics tools allow users to set the threshold for what will generate an alert.
Raising the threshold reduces the number of alerts, but at the risk of a real attack slipping through. Another option is to employ artificial intelligence (AI). An AI-powered security solution can build models of what normal activity looks like and automatically highlight unusual or anomalous activity that could indicate malicious behavior.
Inspect what is being exchanged
Knowing that something is being passed between two devices or nodes is not enough. You also must analyze the nature of the communication. Perhaps a compromised device has begun scanning neighboring computers, suggesting malicious lateral movement. Perhaps someone is sending a confidential document to another machine, which could be staging data for exfiltration.
Perhaps something is being downloaded to a laptop that usually doesn't connect to the outside and is suddenly transferring 3 GB of financial data to an IP address in China. Knowing whether the nature of the communication, and the data being moved, is normal for the sending device (and user) will help you intercept malicious activity.
Anomalies with malicious behavior
Knowing that some lateral movement is anomalous or unusual when compared to established baselines is helpful. This is the first step in detecting threats operating within your network. But there is a flaw in relying on anomaly detection alone: not all anomalies are malicious. Indeed, most are not.
Incorporating data about known malicious behaviors into the previously mentioned AI-powered analysis can separate the malicious anomalies from the benign ones, nearly eliminating false positives and focusing the security team's efforts on the lateral movement that presents the highest potential risk.
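To make the two-step idea concrete for both the "inspect what is being exchanged" and "anomalies with malicious behavior" sections, here is an added example (not code from the article or from any vendor's product) that runs a per-host baseline check over constructed flow summaries and then keeps only the anomalies that also match a lateral-movement or staging pattern. Host names, byte volumes and the scan thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed baseline (hypothetical hosts): typical egress bytes/hour, usual internal peers, talks to Internet?
BASELINE = {
    "laptop-fin-07": (50_000_000, {"fileserver", "printer-2"}, False),
    "ipad-sales-03": (5_000_000, {"mailserver"}, True),
    "laptop-hr-02": (20_000_000, {"fileserver"}, False),
    "dev-ws-12": (800_000_000, {"gitserver", "fileserver"}, True),
}

# Constructed one-hour window of flow summaries: (src, dst, dst_port, bytes, dst_is_external)
FLOWS = [
    ("laptop-fin-07", "203.0.113.9", 443, 3_000_000_000, True),  # 3 GB out to an outside host
    ("laptop-hr-02", "fileserver", 445, 100_000_000, False),       # large, but to its usual peer
    ("dev-ws-12", "gitserver", 22, 600_000_000, False),            # within its normal volume
] + [  # many tiny connections to neighbours on admin ports: a scan pattern
    ("ipad-sales-03", f"10.0.0.{i}", port, 200, False) for i in range(12, 24) for port in (22, 445, 3389)
]

def summarize(flows):
    """Per source host: total bytes out, bytes to external hosts, internal peers and ports used."""
    stats = defaultdict(lambda: {"bytes": 0, "ext_bytes": 0, "peers": set(), "ports": set()})
    for src, dst, port, nbytes, external in flows:
        h = stats[src]
        h["bytes"] += nbytes
        h["ports"].add(port)
        if external:
            h["ext_bytes"] += nbytes
        else:
            h["peers"].add(dst)
    return stats

def classify(flows, baseline, scan_peers=8, scan_ports=3):
    """Return {host: verdict}: step 1 checks deviation from baseline, step 2 keeps only known-bad patterns."""
    verdicts = {}
    for host, h in summarize(flows).items():
        if host not in baseline:
            verdicts[host] = "no baseline"
            continue
        typical_bytes, usual_peers, external_ok = baseline[host]
        new_peers = h["peers"] - usual_peers
        if h["bytes"] <= 3 * typical_bytes and len(new_peers) <= 2:
            verdicts[host] = "normal"
        elif len(new_peers) >= scan_peers and len(h["ports"]) >= scan_ports:
            verdicts[host] = "malicious: internal scan (lateral movement)"
        elif not external_ok and h["ext_bytes"] > typical_bytes:
            verdicts[host] = "malicious: bulk transfer to external host"
        else:
            verdicts[host] = "benign anomaly"
    return verdicts
```

The HR laptop is anomalous by volume alone but matches no malicious pattern, so it stays out of the high-priority queue, while the scanning iPad and the finance laptop's bulk external transfer are surfaced.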
In summary, I encourage you to manage your security strategy under the assumption that the perimeter is vanishing. Securing a network now requires monitoring and analyzing lateral movement within the expanded network. This is best achieved with AI that can streamline the initial analysis of network activity, filter out what is normal, and – with the help of known malicious behaviors – focus investigation and remediation efforts on high-risk threats before they become a costly and damaging data breach.