The security game has changed. The simple tactics of moves and counter moves is no longer working. More businesses are being successfully attacked despite the numerous point solutions available; worse, many don't even know they have been attacked until it's too late.
The problem is that the attacks and attackers themselves have evolved. Forget the old faceless image of a socially-introvert hacker as your opponent. Today's hackers are well-oiled enterprises in their own right; and they work for money not just for sport. This has led to an increased sophistication in attacks. Some use smokescreen tactics to divert attention away from their true malicious goal; others trade and barter secret business information gleaned from social engineering.
Our modus operandi has also changed, especially in Hong Kong. With businesses asking employees to collaborate more and become mobile, many constantly share information and access key applications through a variety of constantly-connected devices. This has increased application and network security risks, and made the security walls porous.
The risk of non-compliance is another issue that keep CIOs awake through the night. With regulations becoming more stringent, businesses are hard-pressed to comply. Those who don't, not only face huge fines but risk tarnishing their reputations irreversibly.
Don't sacrifice your pawns unnecessarily
It's better to view today's security as a chess game. Your security policies and solutions are your pawns on the chess board they are constantly evolving. Reacting to your opponent's moves is not enough; it makes you defensive and blinds you from multi-modal attacks. Every chess player knows that a winning strategy requires you to nullify the opponent's strategy, prepare for counter moves and protect your king--the company data.
So why doesn't the old approach of using point solutions work? First, it comes from a militaristic point of view that assumes your business is a castle and building strong walls can thwart your attackers.
Today, however, businesses are diverse, disparate and extremely mobile. Networks lie at the heart of many businesses, enabling them to adapt to a dynamic market, exploit new and fleeting opportunities and improve operational efficiency. Clouds have also changed internal infrastructures. In the name of better efficiency and cost savings, many are adopting cloud-driven application delivery models to be more agile.
All these changes mean that vulnerability against network threats--such as DDoS and DNS attacks--have increased exponentially. A single network outage can not only bring businesses to their knees, but open a gaping hole for intruders to create backdoors or even steal secrets.
Access security, once seen as an option, has also become mandatory. With employees working from disparate locations and becoming increasingly mobile-driven, who gets access to which applications becomes important. Without a good access management system, businesses are vulnerable to attacks from both insiders and outside hackers.
A well-rounded security framework can offer you an in-depth look at the risks and threats that your entire infrastructure faces, allowing you to plan for the right security measures. It also allows you to understand the security impact of deploying architectures like Bring Your Own Device (BYOD) have on the entire infrastructure.
How to protect your king
So where do you begin? Here are three things to keep in mind when building a complete security framework.
First, become application-centric--not just network-centric. Why? That's because the way we use applications, often seen as the lifeblood of businesses, has changed drastically.
According to F5 iHealth data surveys, the majority of applications are accessed via the Web. Mobiles have introduced a shift in the devices we use to access these applications. According to Gartner, 2.7 billion mobile devices will be shipped in 2017 and 40 percent of the workforce will be mobile. Meanwhile, Clouds are changing the way applications are developed and deployed.
Most network infrastructures have also not kept pace with the way we use applications. Many are largely not application-aware, and are ill-prepared for sophisticated or multi-modal attacks at the application level. An application-centric approach, which goes beyond device or network-centric ones, offers a smarter approach.
For example, F5 Networks'(www.f5networks.com) new F5 Synthesis, made up of a high-performance services fabric, intelligent services orchestration and simplified business models, reduces operational risks. By enabling you to centrally deploy and manage application services consistently, it ensures fewer deployment errors that often exploited during an attack.
Second understand that the network, not your servers, is the Achilles' heel. So protecting your network using a multi-tier security model is important.
For example, a two-tier DDoS protection system properly deployed can stop volumetric, asymmetric, computational and vulnerability-based DDoS attacks. Often the first tier at the perimeter uses layer 3 and 4 network firewall services. This will root out most attacks. A second tier--consisting of more sophisticated and also more CPU-intensive services, such as SSL termination and a web application firewall stack--can act as a secondary defense to thwart more sophisticated or brute force attacks.
Lastly, understand that humans, not machines, are the biggest threat to your security framework. It's no secret that most hackers use social engineering to overcome sophisticated security defenses and access vital information. So the money spent on training on awareness, deploying a real-time access management system enterprise wide and enforcing consistent security policies across the business will go a long way to thwart would be attackers.
Good enough security is no longer good enough. A complete security framework deployed enterprise wide, instead of just point security solutions, can help you understand the severity of the threats your business faces.
A holistic security framework anchored by an enterprise-wide security solution, can future-proof your organization against new attacks and regulations. It can also allow you to use contextual intelligence to root out new attacks before they become security threats.
In the end, you need to accept that your business will always be under attack. And at any time, an attack can be successful. Instead of crossing your fingers behind your back, it is far more prudent that you are well prepared to recover from one. Armed with a universal security framework, you can reduce the chance of being blindsided, fooled or even checkmated. It's your move.
Linda Hui is the managing director at F5 Networks in Hong Kong and Taiwan. With more than 17 years of experience in the information and telecommunication industry, Hui is responsible for overseeing and steering the company's growth in Hong Kong and Taiwan.