Potential attacks, software and platform vulnerabilities, malware and misconfiguration issues can pose serious threats to organizations seeking to protect private, confidential or proprietary data. Fortunately, various technologies – collectively known as Unified Threat Management (aka UTM) – make it easy to use appliance-based tools to provide thorough and comprehensive security coverage.
When coupled with regular updates, monitoring and management services, and key security research and intelligence data, organizations can erect defenses using UTM and sound security policy to cope with this array of threats.
What goes into unified threat management?
The history of information security and palliative technologies goes back to the 1980s when the elements of perimeter security (through firewalls and screening routers) and malware protection (primarily in the form of early antivirus technologies) became available. Over time, as threats evolved in their sophistication and capability, other elements designed to secure business or organizational networks and systems became available to counter such things, including email checks, file screening, phishing protection, whitelists and blacklists for IP addresses and URLs, and so forth and so on.
From the mid-1990s and into the first decade of the 21st century, there was an incredible proliferation of point solutions to counter specific types of threats, such as malware, IP-based attacks, denial of service attacks, rogue Web sites with drive-by downloads, and more. In turn, this led to a proliferation of software packages and hardware appliances designed to counter individual classes of threats. Unfortunately, a collection of individual-focused security systems cannot help but lack consistent and coherent coordination of their efforts.
Alas, this confers no ability to detect and deal with hybrid attacks that might start with a rogue URL embedded in a tweet or an email message, continue with a drive-by download when that URL is accessed, and really get underway from a surreptitiously installed keylogger teams up with timed transmissions of captured data from a backdoor uploader. Worse yet, many of these applications are Web-based and use standard HTTP port addresses, so that higher-level content and activity screening becomes necessary to detect unwanted influences at work, and then to counter them.
Simply put, the basic premise of UTM is to create powerful, customized processing computer architectures that can handle, inspect, and –when necessary-- block large amounts of network traffic at or near wire speeds. The same data that must be reviewed to look for blacklisted IP addresses or URLs must also be inspected for malware signatures, proofed against data leakage, and checked to make sure that the protocols, applications, and data involved are both allowed and benign. That’s why typical UTM solutions typically bundle a great many functions, including:
Modern UTM devices incorporate all of these kinds of functions, and more, by combining fast, powerful special-purpose network circuitry with general-purpose computing facilities. The custom circuitry that opens up network traffic to detailed and painstaking analysis and intelligent handling does not slow benign packets down in transit. But it can, however, remove suspicious or questionable packets from ongoing traffic flows, and turn them over to programs and filters to perform complex or sophisticated analysis to recognize and foil attacks, filter out unwanted or malicious content, prevent data leakage, and make sure that security policy applies to all network traffic.
Unified threat management providers
Unified threat management (UTM) devices usually take the form of special-purpose network appliances that sit at the network boundary, straddling the links that connect to external networks via high-speed links to service providers or communication companies.
By design, UTM devices coordinate all aspects of security policy so they apply a consistent and coherent set of checks and balances to network traffic coming and going. Most UTM device manufacturers build their appliances to work with centralized, Web-based management consoles so that network management companies can install, configure and maintain them for their clients, or centralized IT departments can take over this kind of function for themselves. This approach also ensures that the same checks, filters, controls, and policy enforcement applies to all UTM devices equally, and avoids the kinds of gaps that integrating multiple point solutions (discrete firewalls, email appliances, content filters, virus checkers, and so forth) can expose.
Choosing best-of-breed UTM providers
Gartner forecast over $1.2 B of sales in this market for 2012, and expects this market to continue growing in tandem with overall IT investment for the foreseeable future (rates in the 2-5% range apply for most economies, but are higher for leading economies like the BRIC countries and their ilk). Savvy buyers look for features like those described in the previous section (sophisticated firewalls with deep packet inspection, intrusion detection and prevention, application control, VPN, content filtering, data loss/leakage protection, malware protection, and so forth). These days, buyers also look for:
Finally, advanced UTM devices must also support flexible architectures whose firmware may be easily upgraded to incorporate new means of filtering and detection, and to respond to the ever-changing threat landscape. UTM makers generally operate large, ongoing security teams that monitor, catalog, and respond to emerging threats as quickly as possible, and provide warning and guidance to client organizations to avoid unnecessary exposure to risks and threats.
Some of the best-known names in the computing industry offer UTM solutions to their customers, but not all offerings are alike. Look for solutions from companies such as Cisco, NetGear, Dell/SonicWALL, and Juniper, and you’re sure to find offerings that provide the proper mix of features and controls, along with size, speed, and cost characteristics designed to meet your security needs without breaking your budget.
IT infosec certifications that address UTM
As a visit to the periodic survey of information security certifications at SearchSecurity will confirm, there are more than 100 active and ongoing credentials in this broad field currently available.
Not all of them address UTM directly or explicitly, however. And while there is no credential that focuses exclusively on this aspect of information security, the following well-known certifications include coverage of this subject matter in their exam objectives or associated common body of knowledge that candidates for such credentials must master:
Of these credentials, the generalist items such CISA, CISSP, CHS and the two SANS GIAC items (GCIH and GCWN) provide varying levels of coverage on the basic principles that govern DLP, and best practices for its application and use within the context of a well-defined security policy. Of these, the CISSP and CISA are the most senior and demanding. On the other hand, the Cisco and Juniper credentials concentrate more on the details involved with specific platforms and systems from those vendors designed to deliver working UTM solutions.
When coupled with regular updates, monitoring and management services, and key security research and intelligence data, organizations can erect defenses using UTM and sound security policy to cope with this array of threats.
What goes into unified threat management?
The history of information security and palliative technologies goes back to the 1980s when the elements of perimeter security (through firewalls and screening routers) and malware protection (primarily in the form of early antivirus technologies) became available. Over time, as threats evolved in their sophistication and capability, other elements designed to secure business or organizational networks and systems became available to counter such things, including email checks, file screening, phishing protection, whitelists and blacklists for IP addresses and URLs, and so forth and so on.
From the mid-1990s and into the first decade of the 21st century, there was an incredible proliferation of point solutions to counter specific types of threats, such as malware, IP-based attacks, denial of service attacks, rogue Web sites with drive-by downloads, and more. In turn, this led to a proliferation of software packages and hardware appliances designed to counter individual classes of threats. Unfortunately, a collection of individual-focused security systems cannot help but lack consistent and coherent coordination of their efforts.
Alas, this confers no ability to detect and deal with hybrid attacks that might start with a rogue URL embedded in a tweet or an email message, continue with a drive-by download when that URL is accessed, and really get underway from a surreptitiously installed keylogger teams up with timed transmissions of captured data from a backdoor uploader. Worse yet, many of these applications are Web-based and use standard HTTP port addresses, so that higher-level content and activity screening becomes necessary to detect unwanted influences at work, and then to counter them.
Simply put, the basic premise of UTM is to create powerful, customized processing computer architectures that can handle, inspect, and –when necessary-- block large amounts of network traffic at or near wire speeds. The same data that must be reviewed to look for blacklisted IP addresses or URLs must also be inspected for malware signatures, proofed against data leakage, and checked to make sure that the protocols, applications, and data involved are both allowed and benign. That’s why typical UTM solutions typically bundle a great many functions, including:
Modern UTM devices incorporate all of these kinds of functions, and more, by combining fast, powerful special-purpose network circuitry with general-purpose computing facilities. The custom circuitry that opens up network traffic to detailed and painstaking analysis and intelligent handling does not slow benign packets down in transit. But it can, however, remove suspicious or questionable packets from ongoing traffic flows, and turn them over to programs and filters to perform complex or sophisticated analysis to recognize and foil attacks, filter out unwanted or malicious content, prevent data leakage, and make sure that security policy applies to all network traffic.
Unified threat management providers
Unified threat management (UTM) devices usually take the form of special-purpose network appliances that sit at the network boundary, straddling the links that connect to external networks via high-speed links to service providers or communication companies.
By design, UTM devices coordinate all aspects of security policy so they apply a consistent and coherent set of checks and balances to network traffic coming and going. Most UTM device manufacturers build their appliances to work with centralized, Web-based management consoles so that network management companies can install, configure and maintain them for their clients, or centralized IT departments can take over this kind of function for themselves. This approach also ensures that the same checks, filters, controls, and policy enforcement applies to all UTM devices equally, and avoids the kinds of gaps that integrating multiple point solutions (discrete firewalls, email appliances, content filters, virus checkers, and so forth) can expose.
Choosing best-of-breed UTM providers
Gartner forecast over $1.2 B of sales in this market for 2012, and expects this market to continue growing in tandem with overall IT investment for the foreseeable future (rates in the 2-5% range apply for most economies, but are higher for leading economies like the BRIC countries and their ilk). Savvy buyers look for features like those described in the previous section (sophisticated firewalls with deep packet inspection, intrusion detection and prevention, application control, VPN, content filtering, data loss/leakage protection, malware protection, and so forth). These days, buyers also look for:
Finally, advanced UTM devices must also support flexible architectures whose firmware may be easily upgraded to incorporate new means of filtering and detection, and to respond to the ever-changing threat landscape. UTM makers generally operate large, ongoing security teams that monitor, catalog, and respond to emerging threats as quickly as possible, and provide warning and guidance to client organizations to avoid unnecessary exposure to risks and threats. Guild wars 2 graphic mod.
Some of the best-known names in the computing industry offer UTM solutions to their customers, but not all offerings are alike. Look for solutions from companies such as Cisco, NetGear, Dell/SonicWALL, and Juniper, and you’re sure to find offerings that provide the proper mix of features and controls, along with size, speed, and cost characteristics designed to meet your security needs without breaking your budget.
IT infosec certifications that address UTM
As a visit to the periodic survey of information security certifications at SearchSecurity will confirm, there are more than 100 active and ongoing credentials in this broad field currently available.
Not all of them address UTM directly or explicitly, however. And while there is no credential that focuses exclusively on this aspect of information security, the following well-known certifications include coverage of this subject matter in their exam objectives or associated common body of knowledge that candidates for such credentials must master:
Of these credentials, the generalist items such CISA, CISSP, CHS and the two SANS GIAC items (GCIH and GCWN) provide varying levels of coverage on the basic principles that govern DLP, and best practices for its application and use within the context of a well-defined security policy. Of these, the CISSP and CISA are the most senior and demanding. On the other hand, the Cisco and Juniper credentials concentrate more on the details involved with specific platforms and systems from those vendors designed to deliver working UTM solutions.
It will be good if the networks are built and managed by understanding everything. The problem is that there are users who are familiar and who stole the data, embarrass the company and will confuse everything. It needs little effort to fight against with the threats on the computers and networks. The vulnerability will make the threat as reality and helps to mitigate that threats are discussed below. It includes wireless network security, threats and mitigation techniques which helps perform better.
Wireless
Nowadays, due to its popularity and wide range of advantage the wireless plays important role everywhere from large organizations to individual personal use computer and networks. Here listed below are some of the threats which are specific to the wireless networks to recognize and to mitigate the threats.
War driving
The war driving is an act of searching for the wireless network in the moving vehicles with the help of the PDA or portable computer. It introduce with the earliest of the wireless network because it was more popular among many organizations are also setting this wireless network that they really did not know to secure it. To keep the wireless network more secure, implement the measures which needed for the wireless network.
War chalking
In the year 2002, a group of people developed the series of symbol which indicates that a network was nearby as well as whether it was unsecure, secure, protected by the WEP. They marked the symbols onto the street sign or wall to indicate the network location. This method has gone away and the people started using Wi-Fi when it need and various cell phones are looking for it.
WEP cracking
The wireless network, which is protected by the WEP is not secure as per today's technology. All the attackers have to determine a WEP key and it can be done in a fraction of a second. Once the attacker determined the key, then he can get into the system and also monitor the traffic or can take the administrator's role and change the settings.
WPA cracking
The WPA is the one which uses the security mechanism is known as temporal key integrity protocol. There are ways that the experienced and determined attacker can also decrypt the incoming traffic to the computers using WPA with the TKIP. It is not a secure option anymore and make use of the WPA2 with the AES for the secure network.
Evil twin
An evil twin is the bogus type Wi-Fi connection which fools users that believing that it is the legitimate connections to phishing attacks as well as exploitation of the data transaction purposes. These kinds of attacks are more common, it is necessary to aware of it and guard against it. It will affect it professionally and personally. Protect computer or network against the evil twin attacks by learning about such attacks. Make use of the VPN with TLS or SSL to ensure that the all passwords, emails and all sensitive information are encrypted while transmission. It is better to avoid sending highly sensitive and important information through wireless networks, which is not 100 % safe.
Rogue access point
The rogue access point is the wireless access point which installed without explicit permission of a network administration team. It creates the potential for the man in the middle attack where the security of a network has breached. To avoid the installation of the rogue access points, monitors the network for the newly installed access point with the help of wireless intrusion prevention system that will detect changes in a radio spectrum which indicate the new access point is operational and installed. Most of these systems will take automatic countermeasures by identifying a rogue and redirecting the traffic away from that.
Attacks:
The security threat to the network can be the attacker who attempts to grasp information to exploit the network vulnerability. This kind of attack is also known as passive attack. On the other hand, the attacker is attempting to disrupt the network communication and also affect the user productivity of a network. It is also known as an active attack. Here listed below are some of the most common types of the security threats.
DoS
The DOS- denial of service attack overwhelms the network host with the stream of bogus data which keep it to process the designed data. The DoS attacks will be launched against the computers and against the network devices. The DoS attack is the security threat which implies that the larger attacks are in progress. Then the DoS attack is a part of the attack that the hijacks communication from the user who already authenticated to the resource. When the users computers are blocked by a DoS attack, then the attacker access the resource and receive the needed information and returns the control to a user who does not know what occurred in it.
DDoS
The distributed denial of service is the attack occurs when the multiple system is used to flood the resources or bandwidth of a group of servers or one server. The main purpose of this attack is to saturate a resource so that it is not available longer for the legitimate use. It is used as the decoy to hide more malicious attack which attempts to steal sensitive information or other data. The specialized software called DDS can able to block the traffic that has a legitimate content but the bad intent.
Man in the middle
The man in the middle attack occurs when the person keep a logical connection or equipment between 2 communicating parties. These 2 communicating parties assume they are directly communicating with each other, but the information is being sent to a man in the middle who forwards it to the proposed recipient. This attack is very harmful to the organizations. Most of the organizations will adopt measures such as strong authentication as well as latest protocols, including IPSec/L2TP with the tunnel endpoint authentications.
Social engineering
A social engineering attacks are not relying on technology or protocols to succeed, but instead it relies on the human nature. Users generally trust each other and where the this type of attacks start. It may comprise of false sites that ask for the information from the unsuspecting web surfers. And this type of attack is known as phishing. A social engineering attacks might be prevented by just training the users not to provide their credentials who asks for the information on the web page.
The computer virus is the program which can infect the computer and copy itself without user knowledge. These viruses started infecting the computers in 1980 itself and also continued to evolve till date. Some of the viruses are able to change after it infects the computers to try to hide from the antivirus software. As the viruses changed over the years and years, companies like McAfee and Symantec have specialized in the software, which can eradicate and detect viruses from the computer system. There are nearly more than 76,000 known viruses and users can eradicate it by updating the antivirus software up to date on all the clients and servers.
Worms
The worm is the something different from the viruses, it is just a program and just not an infestation. These worms will use a computer network to send worm copies to the other computers without the user's knowledge. They are proposed to cause network problem such as resource utilization and bandwidth issues. The most famous worms such as sobig and mydoom worms have affected more thousands of servers and computers in the past. You can prevent the spread by maintaining the servers and clients up to date with latest security patches.
Buffer overflow
The buffer overflow is the attack created anomaly by the rogue program when writing data to the buffer intentionally overwrite the buffer memories and the adjacent memory. It may result in memory errors and erratic behavior and a crash or breach of the system security. Make use of the products like ProPolice and Stackguard to prevent the buffer overflow attack from succeeding.
Packet sniffing
The attacker can use the protocol analyzer to launch the attack by the packet sniffing. This is the process in which an attacker gathers the data sample with a software or hardware device which allows data inspection at a packet level. The attacker may see the IP addresses, unencrypted passwords, sensitive data and MAC addresses. After a vulnerability is discovered, the attacker will begin an active attack. The perfect method to prevent this attack is to forbid anything except the trusted network administrators from placing the packet analyzer on a network. Most of the packet analyzers can identify the presence of the packet analyzer, unless an attacker uses software to make the attack invisible.
FTP bounce
An FTP bounce attack is the legacy attack that will not work well on the FTP software. It uses the port command to indirectly request access through a victim machine. At once in a a port, an attacker can gain information or else disrupt network communication.
Smurf
The smurf attack exploits the common network toll such as ping. To prevent this smurf attack, just install the recent security patches. This patch will avoid any network host to ping the own broadcast addresses. It will stop the smurf attack.
Mitigation techniques:
Take a deep look to protect against the threats. The mitigate techniques and methods are mainly depends upon the type of threats. Listed below are some of the mitigation techniques:
Training and awareness
It is considered as the most convenient and comfortable form of security. User training is considered as the least expensive and most effective mitigation techniques. It is the best way to keep the users from making mistakes that will lead to a success of the social engineering attack is educating how to handle them. It is important to know the procedures, protocols and policies for the security of a network. Or else training users give a real advantage of the relatively low cost.
Patch management
When an application or an operating system is released, it is not perfect from the security perspective. Then after the release, updates and security patches are released on the ongoing basis, which can add to a software to make them more secure or provide it more functionality. The windows update systems which are installed in the latest servers and clients can be configured to install as well as download the patches automatically from the site. The windows server update services to download the patches to servers and then test it before applying to the bulk of the clients on the network.
Policies and procedures
The security procedures and policies must be outlined clearly in writing in the organization. It should define acceptable behaviors on networks and organization computers. Who uses the computers has to read the procedures and policies and also sign the form for agreeing it.
Incident response
When the intruder has enacted an attack on the network, then the first instinct gets the user back to work regardless of what that takes. It makes a more sense in the short run, but in case of long run it might be a wrong move. The reinstall software which is damaged by the attack, then this re-installation may cover the track of an attacker and prevent it from prosecuting and finding it.
It is essential to understand the security threats which affect the networks. And be familiar with the affecting networks like DoS attacks, worms, viruses, smurf, social engineering and man in the middle attacks. It is necessary to learn each type of these attacks operates and how to secure it. Additionally, understand the mitigation techniques such as incident response, procedure and policies, patch management and training and awareness. Understand efficient and effective method of protecting against the social engineering threats and also other network weaknesses. Understand the security patches must be used to update the applications and operating systems.
How to Open VCE Files
Use VCE Exam Simulator to open VCE files.
This post was authored by Ann Johnson, Vice-President, Enterprise Cybersecurity Group
Headlines highlighting how vulnerable we are to cyber threats are now all too commonplace. The statistics on security events and successful network breaches continue a trend that favors attackers. These bad actors are getting faster at network compromise and data theft while their dwell times inside networks have increased to over 200 days according to most of the major annual cybersecurity reports. The result of these voluminous and persistent threats has been hundreds of millions of dollars in lost business alone without counting the long term costs of diminished customer and citizen confidence.
Still organizations may face even greater risks as they try to fend off sophisticated attackers against a backdrop of an ever expanding network footprint. The new network now includes myriads of personal devices, virtualized workloads, and sensors that represent rapidly increasing points of connectivity as well potential compromise.
When considering these trends, it is clear that the traditional means of protecting organizations are not as effective as they once were. Static access controls like firewalls and intrusion prevention systems placed at network ingress and egress points are being easily evaded by attackers because the communications paths in and out of networks are too complex and dynamic. Also broad use of personal devices inside corporate networks has dissolved what used to be a hardened network boundary. We no longer conduct business within a perimeter of highly controlled, corporate-issued end user devices that gain access only under the strictest of authentication and authorization controls. Instead, the modern enterprise enables dynamic communities of employees, contractors, business partners and customers as well as their data and applications, all connected by an agile digital fabric that is optimized for sharing and collaboration.
In today’s networks then, we have to consider that identity is the new perimeter to be protected. Identity in this case does not mean only the device and its physical location but also the data, applications and user information it contains. Given that 60% of all breaches still originate at an endpoint compromised through a phishing scam or social engineering attack, it is no wonder that a risk mitigation strategy with identity at its center, is top of mind for many business and technology leaders.
In fact, cyber security is a boardroom level agenda item today. Business leaders want to ensure that they have in place the investments necessary to protect intellectual property and customer data, keeping their businesses out of the headlines that damage reputation and affect profitability. CIOs and CISOs feel caught between seemingly opposing goals of enabling digital transformation while protecting data and intellectual property at all times. These are concerns they share with their teams in IT and operations who feel equally burdened to balance performance and accessibility with rightful and appropriate resource use. Cybersecurity as we have all come to understand, can be either a critical barrier or key enabler to an organization’s ability to be productive. Current top of mind concerns for protecting the modern enterprise coalesce around 5 key areas: infrastructure, SaaS, devices, identity and response.
Going to the cloud does not mean relinquishing security control or accepting a security posture that is less secure for cloud-hosted workloads relative to premised ones. In fact, the selection of cloud provider can mean having access to the very latest in security technologies, even more granular control and faster response than is possible with security in traditional networks. As a first step, security stakeholders need to understand how sensitive and compliance intense their cloud-hosted workloads and data are. They should then opt for access controls that limit use to only that which is business appropriate and emulate those access policies already in place for premised workloads. Enrolling in cloud workload access monitoring will also ensure that any events which are a deviation from desired security policies can be flagged as indicators of possible compromise. Cloud users should also be familiar with the security technologies offered by their provider whether native or through partnership. This gives cloud users options for implementing the kind of multi-tiered security architecture required to ensure least privilege access, inspect content and respond to potential threats.
Key takeaways
2. SaaS – Whether a business is hosting critical workloads in the public cloud or not, its employees are surely using applications there. The convenience and ubiquity of these applications means broad user adoption for the ease of information sharing and collaboration they enable. As a result, important, security and compliance intense data maybe making its way to the public cloud without security stakeholder knowledge. The question from businesses then is: “How do I protect my corporate data?”
Organizations want to make sure their employees are as productive as they can be. To that end many are allowing them to bring their own devices and even their own applications into the network. This agility comes with some added security risk. Fortunately, there are ways to mitigate it. Ultimately the goal is to derive all of the benefits these SaaS applications offer without violating company use and compliance policies for data sharing and storage. Additionally, firms must ensure that employees’ use of SaaS apps does not unwittingly enable data exfiltration by bad actors. Limiting risk comes down to enacting a few of the basics that ensure safe use. For starters, there’s a need to identify which SaaS applications are in use in the network and whether they are in line with company policy or on a safe list. Granular access rights management will limit the use of even the safe apps to those persons who have a business need for them. Where possible, policies should be in place that require data to be encrypted when at rest, especially if it is being stored in the cloud. Having the ability to periodically update the safe lists of apps and monitor all use, can potentially alert security administrators when those applications which are unsanctioned appear among an organization’s communications. With these types of facilities in place stakeholders maybe be promptly alerted to unsanctioned application use. At times, unwanted application use will be detected. This is the time to block those applications, modify or deprecate privileges allowing access to them and as a further precaution remotely wipe or delete data stored through use of those applications.
Key takeaways
3. Devices – Smartphones, tablets, self- sourced laptops, these are the new network perimeter and at times its weakest links. Whether owned by the organization or not, they most certainly contain business valuable data that is at high risk. Because mobile devices often connect from public networks and may not have the most up to date protections, these endpoints are popular targets for the installation of botnets or malware. Use of personally sourced devices is a new and seemingly permanent reality prompting organizations to broadly ask “How do I keep company information secure?”
Many years ago, risk from mobile devices was ameliorated by installed agents and thick clients that provided security controls right on the device itself in a centralized way. Today, with employee self-sourced devices, the installation of such clients is not always feasible. Still today’s security administrators have to accommodate a heterogeneous end-user device environment comprised of various form factors and OSes while applying consistent and organizationally sanctioned controls to all of them. A cloud-based approach can provide a lot of flexibility and control here. From the cloud, endpoint connectivity to network resources can be centrally managed through security policies that restrict where devices can go based on their security posture, installed protections or location-based access rights. Command of devices from a central location ensures not only consistent policy enforcement but automation so that when anomalous device behaviors or connection patterns are detected, centralized command can restrict access, quarantine the affected device and even wipe it clean so that the threat is fully contained.
Key takeaways
4. Identity – Despite all of the investments organizations make in security and threat mitigation, identity will be compromised. The latest data tells us that way too many of us click on links and attachments that we should not. From that point on, the bad actor has gained a foothold in the network and may set about moving laterally, looking for sensitive information to steal while impersonating the legitimate user. This common scenario is what makes many businesses ask: “How can I ensure identity protection?”
All of the major cybersecurity reports and indices point to this as the most common component of a data breach – the stolen identity. A security strategy for any organization or business needs to have this as a central tenet. The protection and management of credentials that give resource access to customers, employees, partners and administrators is foundational to sound security practice. Implementing multi-factor authentication broadly for all applications and services is a good starting point. It should nevertheless be complemented by facilities for monitoring authentication and authorization events not only for users but also and especially for privileged users and administrators. This type of monitoring offers the best opportunity to identify attempts by attackers trying to move laterally through privilege escalation. Once flagged as suspicious and anomalous, optional automated response can ensure that access requirements are elevated on the fly and privilege escalation requests are verified as legitimate.
Key takeaways
5. Response – Each year organizations are subjected to tens of thousands of security events making the business of protecting critical assets continuous. Given that threat dwell times are 200 plus days, bad actors have ample opportunity to move “low and slow” throughout networks after the initial compromise. Naturally security administrators and stakeholders are left to ask: “How can I better respond to ongoing threats?”
The potency and frequency of today’s cyber threats requires a security strategy build on the assumption of compromise. A network or device may not be breached today but remains at risk so the process of protecting, detecting and responding to a breach is a continuous one. The data that is being exchanged by end points and shuttled among data centers and hybrid clouds contains a lot of information about the security state of those endpoints and resources. The key to unlocking that intelligence is analytics and specifically the type of analytics that is made possible through machine learning. Having the ability to monitor large amounts of traffic and information in a continuous fashion and unearth anomalous behavior is and will be key to shortening the time to detection of a breach or compromise. Behavioral analytics not only tell us what is out of the norm or unwarranted behavior but also informs of good and desired connectivity. By understanding both anomalous and appropriate traffic patterns, organizations can fine-tune access controls that are just right for enabling business yet limiting risk. Further, with continuous analytics the process of determining the right access controls for the environment at a given time can be as dynamic and responsive as users’ access needs.
Key takeaways
In summary, security threats maybe common to businesses and organizations of all types but the way they are addressed can vary greatly. In the modern enterprise driven by mobility and cloud, architecting for security represents an opportunity for unprecedented agility. With a strategy build on identity as the new perimeter and access to continuous processes to protect, detect and respond to threats, a business can be as secure as it is productive. Watch the On-demand webinar – Top 5 Security threats – with Julia White and myself to hear more about our approach to cybersecurity or visit us at Microsoft Secure to learn more about Security.
This post was authored by Ann Johnson, Vice-President, Enterprise Cybersecurity Group
Headlines highlighting how vulnerable we are to cyber threats are now all too commonplace. The statistics on security events and successful network breaches continue a trend that favors attackers. These bad actors are getting faster at network compromise and data theft while their dwell times inside networks have increased to over 200 days according to most of the major annual cybersecurity reports. The result of these voluminous and persistent threats has been hundreds of millions of dollars in lost business alone without counting the long term costs of diminished customer and citizen confidence.
How Do You Identify Yourself
Still organizations may face even greater risks as they try to fend off sophisticated attackers against a backdrop of an ever expanding network footprint. The new network now includes myriads of personal devices, virtualized workloads, and sensors that represent rapidly increasing points of connectivity as well potential compromise.
When considering these trends, it is clear that the traditional means of protecting organizations are not as effective as they once were. Static access controls like firewalls and intrusion prevention systems placed at network ingress and egress points are being easily evaded by attackers because the communications paths in and out of networks are too complex and dynamic. Also broad use of personal devices inside corporate networks has dissolved what used to be a hardened network boundary. We no longer conduct business within a perimeter of highly controlled, corporate-issued end user devices that gain access only under the strictest of authentication and authorization controls. Instead, the modern enterprise enables dynamic communities of employees, contractors, business partners and customers as well as their data and applications, all connected by an agile digital fabric that is optimized for sharing and collaboration.
In today’s networks then, we have to consider that identity is the new perimeter to be protected. Identity in this case does not mean only the device and its physical location but also the data, applications and user information it contains. Given that 60% of all breaches still originate at an endpoint compromised through a phishing scam or social engineering attack, it is no wonder that a risk mitigation strategy with identity at its center, is top of mind for many business and technology leaders.
In fact, cyber security is a boardroom level agenda item today. Business leaders want to ensure that they have in place the investments necessary to protect intellectual property and customer data, keeping their businesses out of the headlines that damage reputation and affect profitability. CIOs and CISOs feel caught between seemingly opposing goals of enabling digital transformation while protecting data and intellectual property at all times. These are concerns they share with their teams in IT and operations who feel equally burdened to balance performance and accessibility with rightful and appropriate resource use. Cybersecurity as we have all come to understand, can be either a critical barrier or key enabler to an organization’s ability to be productive. Current top of mind concerns for protecting the modern enterprise coalesce around 5 key areas: infrastructure, SaaS, devices, identity and response.
Going to the cloud does not mean relinquishing security control or accepting a security posture that is less secure for cloud-hosted workloads relative to premised ones. In fact, the selection of cloud provider can mean having access to the very latest in security technologies, even more granular control and faster response than is possible with security in traditional networks. As a first step, security stakeholders need to understand how sensitive and compliance intense their cloud-hosted workloads and data are. They should then opt for access controls that limit use to only that which is business appropriate and emulate those access policies already in place for premised workloads. Enrolling in cloud workload access monitoring will also ensure that any events which are a deviation from desired security policies can be flagged as indicators of possible compromise. Cloud users should also be familiar with the security technologies offered by their provider whether native or through partnership. This gives cloud users options for implementing the kind of multi-tiered security architecture required to ensure least privilege access, inspect content and respond to potential threats.
Key takeaways
2. SaaS – Whether a business is hosting critical workloads in the public cloud or not, its employees are surely using applications there. The convenience and ubiquity of these applications means broad user adoption for the ease of information sharing and collaboration they enable. As a result, important, security and compliance intense data maybe making its way to the public cloud without security stakeholder knowledge. The question from businesses then is: “How do I protect my corporate data?”
Organizations want to make sure their employees are as productive as they can be. To that end many are allowing them to bring their own devices and even their own applications into the network. This agility comes with some added security risk. Fortunately, there are ways to mitigate it. Ultimately the goal is to derive all of the benefits these SaaS applications offer without violating company use and compliance policies for data sharing and storage. Additionally, firms must ensure that employees’ use of SaaS apps does not unwittingly enable data exfiltration by bad actors. Limiting risk comes down to enacting a few of the basics that ensure safe use. For starters, there’s a need to identify which SaaS applications are in use in the network and whether they are in line with company policy or on a safe list. Granular access rights management will limit the use of even the safe apps to those persons who have a business need for them. Where possible, policies should be in place that require data to be encrypted when at rest, especially if it is being stored in the cloud. Having the ability to periodically update the safe lists of apps and monitor all use, can potentially alert security administrators when those applications which are unsanctioned appear among an organization’s communications. With these types of facilities in place stakeholders maybe be promptly alerted to unsanctioned application use. At times, unwanted application use will be detected. This is the time to block those applications, modify or deprecate privileges allowing access to them and as a further precaution remotely wipe or delete data stored through use of those applications.
Key takeaways
3. Devices – Smartphones, tablets, self- sourced laptops, these are the new network perimeter and at times its weakest links. Whether owned by the organization or not, they most certainly contain business valuable data that is at high risk. Because mobile devices often connect from public networks and may not have the most up to date protections, these endpoints are popular targets for the installation of botnets or malware. Use of personally sourced devices is a new and seemingly permanent reality prompting organizations to broadly ask “How do I keep company information secure?”
Many years ago, risk from mobile devices was ameliorated by installed agents and thick clients that provided security controls right on the device itself in a centralized way. Today, with employee self-sourced devices, the installation of such clients is not always feasible. Still today’s security administrators have to accommodate a heterogeneous end-user device environment comprised of various form factors and OSes while applying consistent and organizationally sanctioned controls to all of them. A cloud-based approach can provide a lot of flexibility and control here. From the cloud, endpoint connectivity to network resources can be centrally managed through security policies that restrict where devices can go based on their security posture, installed protections or location-based access rights. Command of devices from a central location ensures not only consistent policy enforcement but automation so that when anomalous device behaviors or connection patterns are detected, centralized command can restrict access, quarantine the affected device and even wipe it clean so that the threat is fully contained.
Key takeaways
4. Identity – Despite all of the investments organizations make in security and threat mitigation, identity will be compromised. The latest data tells us that way too many of us click on links and attachments that we should not. From that point on, the bad actor has gained a foothold in the network and may set about moving laterally, looking for sensitive information to steal while impersonating the legitimate user. This common scenario is what makes many businesses ask: “How can I ensure identity protection?”
All of the major cybersecurity reports and indices point to this as the most common component of a data breach – the stolen identity. A security strategy for any organization or business needs to have this as a central tenet. The protection and management of credentials that give resource access to customers, employees, partners and administrators is foundational to sound security practice. Implementing multi-factor authentication broadly for all applications and services is a good starting point. It should nevertheless be complemented by facilities for monitoring authentication and authorization events not only for users but also and especially for privileged users and administrators. This type of monitoring offers the best opportunity to identify attempts by attackers trying to move laterally through privilege escalation. Once flagged as suspicious and anomalous, optional automated response can ensure that access requirements are elevated on the fly and privilege escalation requests are verified as legitimate.
Key takeaways
5. Response – Each year organizations are subjected to tens of thousands of security events making the business of protecting critical assets continuous. Given that threat dwell times are 200 plus days, bad actors have ample opportunity to move “low and slow” throughout networks after the initial compromise. Naturally security administrators and stakeholders are left to ask: “How can I better respond to ongoing threats?”
The potency and frequency of today’s cyber threats requires a security strategy build on the assumption of compromise. A network or device may not be breached today but remains at risk so the process of protecting, detecting and responding to a breach is a continuous one. The data that is being exchanged by end points and shuttled among data centers and hybrid clouds contains a lot of information about the security state of those endpoints and resources. The key to unlocking that intelligence is analytics and specifically the type of analytics that is made possible through machine learning. Having the ability to monitor large amounts of traffic and information in a continuous fashion and unearth anomalous behavior is and will be key to shortening the time to detection of a breach or compromise. Behavioral analytics not only tell us what is out of the norm or unwarranted behavior but also informs of good and desired connectivity. By understanding both anomalous and appropriate traffic patterns, organizations can fine-tune access controls that are just right for enabling business yet limiting risk. Further, with continuous analytics the process of determining the right access controls for the environment at a given time can be as dynamic and responsive as users’ access needs.
Key takeaways
In summary, security threats maybe common to businesses and organizations of all types but the way they are addressed can vary greatly. In the modern enterprise driven by mobility and cloud, architecting for security represents an opportunity for unprecedented agility. With a strategy build on identity as the new perimeter and access to continuous processes to protect, detect and respond to threats, a business can be as secure as it is productive. Watch the On-demand webinar – Top 5 Security threats – with Julia White and myself to hear more about our approach to cybersecurity or visit us at Microsoft Secure to learn more about Security.
Comments are closed.
|
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |