Long live perimeter security

It is not possible to build the perfect security perimeter. But that doesn't mean you shouldn't try.

Most security experts agree that just because something is not 100% bulletproof doesn't mean it is worthless, even if, as Bayshore Networks CEO Francis Cianfrocca puts it: "The traditional network perimeter is no longer defensible."


The most recent stark illustration of that is Adobe. The company acknowledged in mid-September that hackers had broken in a month or so earlier and accessed customer names, encrypted credit and debit card numbers and expiration dates, as well as source code. The company has not yet reported how the attackers got in but clearly, whatever perimeter defenses were in place were not enough.

But Cianfrocca himself, in his next breath, declares that enterprises should keep investing in traditional perimeter defenses. "You still have to keep your front doors locked, even as you confront threats from entities that freely move through or bypass them," he said.

Gary McGraw, CTO of Cigital, calls perimeter security "basic hygiene," and likens putting software security ahead of network security to, "putting on your pants before putting on your underwear."

Dr. Anton Chuvakin, research director, security and risk management at Gartner for Technical Professionals, said that while organizations need protection inside their perimeters, "Why let attackers in without a fight at the perimeter? Perimeter defenses won't make you secure, but it is a useful place to fight your first battle with the attacker, gather intelligence, etc."

That is not a unanimous view, however. Thevi Sundaralingam, vice president of product management at Accellion, told Dark Reading recently that, given a world where mobile-enabled employees connect with their company networks from around the world on devices of their choosing, "perimeter security is no longer relevant to enterprises. Next-gen security needs to focus on keeping content safe, not on defining a network perimeter."

Tyler Rorabaugh, vice president of engineering at Cenzic, agrees. "The perimeter has been gone for several years due to BYOD, and data being accessible from anywhere. It's difficult to build a perimeter or virtual fence around a non-existent border, as a border cannot be defined around data that is accessible from everywhere," he said.


In support of that view, he noted that, "There are more than 60,000 public facing APIs (Application Programming Interface) through systems like APIHub, Mashery, and Apigee. Almost all major companies give access to some form of third-party data, and most consumer-related data, even health records, are now public facing."

But Sundaralingam and Rorabaugh appear to be in the minority. Chuvakin calls that view "silly."

"Yes, next-gen security needs to focus on keeping content safe, but do that first by defining and defending a network perimeter," he said, arguing that even a perimeter that is only 30% effective, "means that you have a third less malware to fight on the inside."


Kevin McAleavey, an expert on malware as a service and founder and chief architect of the KNOS Project, said a good perimeter will do much better than 30%. "Defending the perimeter is still the best way to prevent upward of 90% of attacks against infrastructure from even getting in there in the first place," he said. "I definitely disagree that it's obsolete."

Nimmy Reichenberg, vice president of strategy at AlgoSec, is another who compares it to protecting the valuables in a house. "The fact that you have a safe in your house does not mean you unlock all your doors and tear down your fence," he said. "There is no inherent conflict between protecting the perimeter and protecting sensitive data -- and combining both is a best practice."

And Trevor Hawthorn, CTO of ThreatSim, says that while attackers know there are easier ways to steal data -- web application vulnerabilities and social engineering that bypass network security controls -- that doesn't mean organizations should abandon perimeter security. "The minute we stop doing that, we give hackers another easy route to get closer to sensitive data," he said.

Some of the debate may be more about semantics than substance. Chuvakin and others agree that the explosion of mobile devices and remote access has drastically changed the definition of a perimeter. He notes that "an organization's Virtual Machines (VM) are deployed inside the perimeter," while a Virtual Private Cloud (VPC) "extends the perimeter to include the Amazon environment."

Kevin O'Brien, enterprise solution architect at CloudLock, said the BYOD reality is that the perimeter frequently extends beyond that. An example, he said, is a tablet that is used for work during the day, but then taken home in the evening, "connected to an unencrypted home wireless network, and used to edit sensitive files."


Perimeter-based security would not protect that information, he said, "even if an IT organization enforced good multifactor password authentication or mandated SSL-wrapped connections to the cloud services used by that device."

For that reason and others, Eldon Sprickerhoff, cofounder and CTO of eSentire, said he believes what is obsolete is, "the idea of a single, secure perimeter. Now, several perimeters need to be defended simultaneously: the classic perimeter, such as corporate headquarters and wholly owned data centers; smaller ones like implementations in the cloud and shared infrastructure; and finally personal perimeters like BYOD."


In other words, modern perimeter security is about more than threats from outside the wall. "It must review internal behavior, including the use of bandwidth analysis, honeypot and honeytoken systems, and access anomalies to guard against unacceptable activity," Sprickerhoff said.

"Though nothing is completely secure, building a 'honeycomb' of little perimeters instead of one large will provide better security for the modern network."

Arthur Braunstein, vice president of strategic accounts at CloudLock, takes it a step further: in essence, the person has become the perimeter, he said.

"The cloud and BYOD add a dimension to the porosity of networks and the rise of insider threats that is profound," he said. "Data is associated with users, not with devices. Companies can no longer go to a device, isolate it with access controls or enumerate the files on it, since the device is now the cloud and all users have pretty much equal access. So data protection has to be people-centric, leading to the metaphor of the human firewall."

And that firewall is, to put it mildly, porous. "The lion's share of exploits result when insiders maliciously or negligently externalize data," Braunstein said. "Or, outsiders socially engineer their way into enterprises and use code or takeovers to camouflage their illegitimacy."

Braunstein said he thinks the economics point to a trend where, "companies contract with public cloud vendors for infrastructure, with perimeter security built into that, and then focus their own efforts on safeguarding data usage."

He likens it to companies that use bank vaults. "No sane enterprise would run its own cash repository," he said. "Their cash defense perimeter moved from an on-premise safe to a better protected vault at a trusted bank. But enterprises do manage their cash with great sophistication and in line with their business needs."

But if people are the perimeter, doesn't ultimate security depend on human nature, which includes both carelessness and sometimes malicious intent?


Not entirely, in the view of Sprickerhoff, who said that when human failure results in a breach, better technology can detect it more quickly. "I am a huge fan of internal honeypots -- systems that are deployed within an environment that appear to contain the 'secret sauce' that an external attacker would want to gain access but to which there's no legitimate need to access," he said. "They act as a 'canary in a coal mine' to alert an enterprise when other defenses have been breached."

Braunstein adds that IT departments can lower the risk from end users by providing them with cloud tools. "You move them away from increasingly more expensive and difficult-to-control, diminishing-return legacy infrastructure, encourage them to use sanctioned and controllable cloud solutions like Google Apps, and reduce the incentive to cheat," he said.

Reichenberg agrees that BYOD expands and fragments the perimeter. To deal with it, "companies must take measures to protect against threats such as lost or stolen devices. We have been doing this for corporate laptops for many years, but with BYOD we must extend this protection to non-company owned and highly mobile devices," he said.

Hawthorn contends that BYOD, the cloud and web services have made the "traditional perimeter" less relevant. "But if you look at nearly any large enterprise you will find a significant amount of data that still lives inside the castle walls," he said. "This isn't to say that we shouldn't stop moving towards putting security controls closer to the data, but we can't scrap the old paradigm just yet."

Ultimately, most experts agree that perimeter security is not so much a wall, but a layer of protection -- one that deserves an investment of time, effort and money, but not at the expense of software and data-level control.

"The network perimeter is now pervasive," Bayshore's Cianfrocca said, and an enterprise that focuses only on a single perimeter is the high-tech version of, "the drunk who looks for his car keys under the streetlight because the light is better."


Hawthorn said the most investment should be made in, "two places deep within the enterprise that the Internet can still directly reach: software and people.

"Developing secure software is possible and there are a ton of resources to help," he said, "and users can either be your biggest weakness or your greatest asset. Most modern attacks involve some sort of user-targeted attack."

Hawthorn stressed, however, that he wasn't necessarily calling for every end user to get training to the point of making them experts.

"We just need to tweak their mindset to be more of a 'smart skeptic' when it comes to emails, handling data, and anomalies they encounter during their day," he said.

Stories by Taylor Armerding