Three strategies for the new era of enterprise cybersecurity

We have witnessed the equivalent of a Cambrian Explosion of new Internet-connected life forms

The pace of change for Information Technology is challenging established notions of "What is IT?" and "What is Information Security in the modern age?" For one example, the "new" data center technologies such as virtualization, Software-Defined Networking (SDN), service-oriented delivery models, and cloud computing have radically changed the typical IT infrastructure from a defined set of assets owned and controlled by the organization to a constantly fluctuating roster of resources that can come and go from IT department visibility and control.


As this has occurred, we have witnessed the equivalent of a Cambrian Explosion of new Internet-connected life forms - mobile devices, tablets, sensors, actuators, home appliances, monitoring systems, content access devices, and wireless terminals. Applications running on these devices range from recreation to services critical to the functioning of our social and economic infrastructure. Put it all together, and we expect the world population of Internet-connected devices to grow from today's 10 billion to over 50 billion by the year 2020.

From a security point of view, these IT changes, including the expansion of Internet-connected devices, lead to a corresponding increase in attack surface. Instead of the mission of protecting a reasonably known and enclosed IT perimeter, we now must be ready to secure any connected device humans can make against any threat a hacker can innovate. Clearly, using established security practices, except on a larger scale, will not suffice.

Plainly said, we need to think differently about cybersecurity.

One classic strategy and two new ones

The aspects I just quickly described may sound overwhelming, but I remain optimistic that methods exist to contain damage to the assets, processes, and people that make use of information technology. Ironically, some of this is a case of what is old being new again, while the rest consists of plainly new approaches. Of the many that have surfaced, I'd like to talk about three in particular.

Do the basics and do them well

This includes taking a diligent approach to software patching, user identity management, network management, and eliminating any dark space in your infrastructure. The main objectives in this endeavor include reducing attack surfaces available to adversaries and basing resource access policies on need-to-know/need-to-use principles. Even just getting better at patching can reduce available attack surface by 70 percent. Organizations that perform thorough asset inventories are often surprised by how many previously undocumented systems they discover connected to their network.
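One concrete way to go after the "dark space" mentioned above is to reconcile the authoritative asset inventory against what is actually observed on the wire. The following is an added example, not code from the article or from Cisco: the inventory, the DHCP lease lines (written in the style of ISC dhcpd's DHCPACK messages, an assumed format) and the MAC/IP values are all constructed. It reports three things a practitioner cares about: hosts on the network that nobody documented, inventory entries that never show up, and documented hosts that have moved to an address the inventory does not know about.

```python
"""Reconcile an asset inventory against observed DHCP leases to surface dark space.

Added example; inventory and log lines are constructed sample data. In practice the
inventory would come from a CMDB export and the observations from DHCP, ARP, or
switch MAC-table logs.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    mac: str
    ip: str
    owner: str


# Constructed authoritative inventory: what the IT department believes is on the network.
INVENTORY = [
    Asset("aa:bb:cc:00:00:01", "10.0.1.10", "web-team"),
    Asset("aa:bb:cc:00:00:02", "10.0.1.11", "web-team"),
    Asset("aa:bb:cc:00:00:03", "10.0.2.20", "finance"),
]

# Constructed observations; the line layout mimics ISC dhcpd DHCPACK messages (assumption).
DHCP_LOG = """\
Mar 10 08:01:02 dhcpd: DHCPACK on 10.0.1.10 to aa:bb:cc:00:00:01 (web01) via eth0
Mar 10 08:03:17 dhcpd: DHCPACK on 10.0.1.15 to aa:bb:cc:00:00:02 (web02) via eth0
Mar 10 08:09:44 dhcpd: DHCPACK on 10.0.3.77 to de:ad:be:ef:00:01 (android-5f2c) via eth0
Mar 10 08:12:05 dhcpd: DHCPACK on 10.0.3.78 to de:ad:be:ef:00:02 (camera-lobby) via eth0
"""

# ip, mac, optional hostname in parentheses
LEASE_RE = re.compile(r"DHCPACK on (\S+) to ([0-9a-fA-F:]{17})(?: \(([^)]+)\))?")


def parse_leases(log: str) -> dict[str, tuple[str, str]]:
    """Return {mac: (ip, hostname)} for every DHCPACK line; later leases overwrite earlier."""
    seen: dict[str, tuple[str, str]] = {}
    for line in log.splitlines():
        m = LEASE_RE.search(line)
        if m:
            ip, mac, host = m.groups()
            seen[mac.lower()] = (ip, host or "")
    return seen


def reconcile(inventory: list[Asset], observed: dict[str, tuple[str, str]]):
    """Split the picture into dark (observed, undocumented), stale (documented, unseen)
    and moved (documented, but seen at a different IP than recorded)."""
    known = {a.mac.lower(): a for a in inventory}
    dark = {mac: obs for mac, obs in observed.items() if mac not in known}
    stale = [a for mac, a in known.items() if mac not in observed]
    moved = [
        (mac, a.ip, observed[mac][0])
        for mac, a in known.items()
        if mac in observed and observed[mac][0] != a.ip
    ]
    return dark, stale, moved


def report(inventory: list[Asset], log: str) -> dict[str, int]:
    """Summarise counts; the detailed lists are what an analyst would actually review."""
    dark, stale, moved = reconcile(inventory, parse_leases(log))
    for mac, (ip, host) in sorted(dark.items()):
        print(f"DARK   {mac} {ip} {host!r}: not in inventory")
    for a in stale:
        print(f"STALE  {a.mac} {a.ip} ({a.owner}): never observed")
    for mac, recorded, actual in moved:
        print(f"MOVED  {mac}: inventory says {recorded}, observed at {actual}")
    return {"dark": len(dark), "stale": len(stale), "moved": len(moved)}


if __name__ == "__main__":
    report(INVENTORY, DHCP_LOG)
```

The "dark" list is the one the article warns about: the two constructed devices here, a phone and a lobby camera, would never be patched or covered by an access policy because nobody knows they exist. Feeding the same reconciliation with switch MAC tables catches statically addressed hosts that never touch DHCP.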


This do-the-basics strategy might sound commonplace, but it can be quite demanding when one takes into account the diversity and sheer numbers of devices and systems that today's IT operations must secure. A sophisticated identity management program that brings together the latest strong password, federated identity, privilege management and anomalous behavior detection technologies would not have been possible a few short years ago, but it can go far in improving the ability of security teams to prevent, see, and contain security incidents.

Strive to spread doubt and confusion in the adversary's mind

There are plenty of ways to do this. You can start by making your infrastructure a moving target by changing addresses, infrastructure topologies, and available resources daily. An activist approach to virtualization makes it possible to build up and tear down resources at will. SDN technology can virtualize the deception process while streamlining the process of building security management and control features into the network fabric. In short, do what you can to prevent the adversary from seeing the same infrastructure twice.

You can also set up honeypots and Potemkin villages on your network that can waste the adversaries' time, divert them from real assets, lead them to tainted intellectual property, or cause them to stumble into alarms that announce their presence in your domain. At their most advanced, these techniques can shake adversaries' confidence in their hacking prowess and increase their anxiety over being caught, exposed and prosecuted.

Collect, correlate, and analyze as much operational data as you can

This strategy is significant because it signals a shift toward detecting and defeating attacks and intrusions quickly and thoroughly when they do occur. In the data, you are looking for Indicators of Compromise (IoCs) -- anomalous device or user behavior, network traffic to and from known addresses, and other tip-offs. Data subject to analysis can include local telemetry from your infrastructure, information and intelligence from beyond your infrastructure, or data traffic that doesn't conform to normal patterns of activity.
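The two kinds of IoC named above, traffic to known addresses and anomalous user behavior, can be illustrated with a small correlation pass over event data. This is an added example and not code from the article or from Cisco; the "known-bad" list, the log format (ISO timestamp, event kind, key=value fields) and the log lines are all constructed, using reserved TEST-NET addresses rather than real indicators. The first rule is a straight intelligence match; the second flags a user who successfully authenticates from several distinct hosts inside a short window, which is the kind of behavior that a baseline of normal activity does not contain.

```python
"""Correlate constructed auth and network events against threat intel and a behavioral rule.

Added example. KNOWN_BAD is a stand-in for an external intelligence feed; SAMPLE_LOG is
constructed in an assumed 'timestamp kind key=value ...' format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed "known address" feed (RFC 5737 TEST-NET ranges, not real indicators).
KNOWN_BAD = {"203.0.113.42", "198.51.100.7"}

SAMPLE_LOG = """\
2024-03-10T08:55:10 auth user=alice src=10.0.5.21 result=ok
2024-03-10T08:58:41 auth user=alice src=10.0.5.22 result=ok
2024-03-10T09:01:03 auth user=alice src=10.0.5.23 result=ok
2024-03-10T09:02:30 auth user=bob src=10.0.5.40 result=fail
2024-03-10T09:30:12 net src=10.0.1.10 dst=203.0.113.42 dport=443
2024-03-10T09:31:50 net src=10.0.1.10 dst=192.0.2.5 dport=443
2024-03-10T11:05:00 auth user=bob src=10.0.5.40 result=ok
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse(line: str) -> tuple[datetime, str, dict[str, str]]:
    """Split one event into (timestamp, kind, fields)."""
    ts, kind, rest = line.split(" ", 2)
    return datetime.fromisoformat(ts), kind, dict(KV_RE.findall(rest))


def known_bad_traffic(events) -> list[tuple[datetime, str, str]]:
    """Rule 1: any network event whose destination is on the intelligence list."""
    return [
        (ts, f["src"], f["dst"])
        for ts, kind, f in events
        if kind == "net" and f.get("dst") in KNOWN_BAD
    ]


def spread_logins(events, window: timedelta = timedelta(minutes=10), threshold: int = 3):
    """Rule 2: a user with successful logins from >= threshold distinct hosts within `window`.

    Returns one finding per user, anchored at the first login that opens a qualifying window.
    """
    by_user: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for ts, kind, f in events:
        if kind == "auth" and f.get("result") == "ok":
            by_user[f["user"]].append((ts, f["src"]))
    findings = []
    for user, logins in by_user.items():
        logins.sort()
        for i, (start, _) in enumerate(logins):
            hosts = {src for ts, src in logins[i:] if ts - start <= window}
            if len(hosts) >= threshold:
                findings.append((user, start, frozenset(hosts)))
                break
    return findings


def analyze(log: str) -> dict[str, int]:
    """Run both rules and return finding counts; the lists themselves go to the analyst."""
    events = [parse(line) for line in log.splitlines() if line.strip()]
    bad = known_bad_traffic(events)
    spread = spread_logins(events)
    for ts, src, dst in bad:
        print(f"{ts.isoformat()} KNOWN-BAD-DST {src} -> {dst}")
    for user, start, hosts in spread:
        print(f"{start.isoformat()} SPREAD-LOGIN {user} from {sorted(hosts)}")
    return {"known_bad": len(bad), "spread_logins": len(spread)}


if __name__ == "__main__":
    analyze(SAMPLE_LOG)
```

On the constructed data the internal host 10.0.1.10 is flagged for contacting a listed address, and alice is flagged for three successful logins from three hosts in about six minutes. The window and threshold are parameters because the right values depend on the baseline you measure for your own environment, which is precisely the "collect as much operational data as you can" point of this strategy.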

Changing your mental approach is just as essential

This new approach to security carries with it a non-trivial change in how we think about security. Formerly, we thought of security as defending perimeters and hardening assets against attack. The new model calls for assuming that if people, things, and business processes haven't been compromised, they will be shortly. Established security tools and products like firewalls, security appliances, or anti-malware software do a good job of blocking known threats and leave us freer to detect, recognize, and contain those threats that manage to slip through basic defenses.


Increasingly, we have come to understand that the most dangerous threats do their work quietly and quickly, and then disappear. A threat of this kind will typically wreak its damage in minutes, hours or days. By contrast, too many security teams require days, weeks, or months to discover and remediate an intrusive threat of this kind. That's not good enough.

We also need accountability shifts, a measure by which to define efficacy, and a willingness to "break some glass" to change what we have; otherwise, we continue to get more of what we have today, and that isn't acceptable.

The strategies recommended in this article do three things to make adversaries' lives more difficult:

  • Shrink attack surfaces and vulnerabilities through the basics
  • Shift the burdens of fear, uncertainty, and doubt onto the bad actors
  • Reduce latencies between the moment a threat lodges in an infrastructure, its detection, and its disposal

While we have a challenging road ahead to secure IT-enabled social and economic processes from deliberate harm, new technologies, network intelligence, and new ways of thinking about cybersecurity itself give us a fighting chance.

John N. Stewart is the CSO of Cisco Systems, Inc.
