Mind the gaps: A holistic approach to securing the network

Organisations need to be deploying a balanced and holistic security approach with the right technologies and the right solutions in place

Securing a network becomes more challenging when the enemies are deceptive, clever, and savvy snakes, but organizations that recognize the gaps in their own security strategies before the criminals do can minimize detection and response times.

I'm reminded of Macbeth whose valour in war against Norway was rewarded with the title of Thane of Cawdor. In gratitude, Lady Macbeth encourages her husband to kill the king. She advises him, "Your face, my thane, is as a book where men/May read strange matters. To beguile the time/Look like the time. Bear welcome in your eye/Your hand, your tongue. Look like th' innocent flower/But be the serpent under 't." (Shakespeare, I.v.53-57)


The problem with a lot of breaches, especially those that are the result of social engineering, is that many of the attackers are just like Lady Macbeth. They know how to beguile the time. They phish like the innocent flower, but they are serpents indeed.

How, then, do organisations avoid the fate of King Duncan, especially when the extended network provides more opportunities for invasion?

Lysa Myers, security researcher at ESET, referenced the Target example, where hackers were able to break into the sales network through an HVAC company.

"HVAC should not give access all the way to the point of sale machine," she said. Segmenting the network can prevent those types of breaches, as can encryption and risk assessment.

"It's complicated protecting the network because it opens holes, so organizations need to develop a principle of least privilege. Access only what they need. The idea is to make it so that if criminals get in with one piece, they can't access the whole puzzle," Myers explained.

If they accept that there is a risk of being breached, companies can stop criminals who gain access into their network by zoning off access through segmentation. There is no one single means of protection, though.

Organisations need to be deploying a balanced and holistic security approach with the right technologies and the right solutions in place before, during, and after an attack in order to safeguard their vital information.

"More businesses need to be aware of risk assessment. Without understanding what they are protecting against, they can't build the best protection. Don't go purchasing programs or creating policies without first understanding their risks," Myers said.

Encrypting everything is another critical step toward creating stronger security. "Encrypt as much as you can, in storage and in transit," Myers added.

Myers also pointed out that there are other pieces to the puzzle, including two-step authentication and user education, or awareness programs.


In reference to awareness programs, Zully Ramzan, chief technology officer at RSA, said, "Organizations should conduct exercises to see if the education is working. Look at initiatives and make them more targeted. Identify the employees with a higher propensity for compromises so that you can assess the risks, but I don't think companies should over-invest in awareness programs."

Analysis becomes one of the most useful tools in piecing together the most comprehensive strategies against and in response to attacks.

"Analytics are important in gaining insight and then leveraging action," Ramzan added.

"Security is always about visibility and control. With the cloud it becomes more paramount to use visibility for being able to understand what's going on across all IT points from end users to the cloud."

The idea is that security is not about prevention, and focusing too much on prevention could open up greater risks. In addition to building those perimeters of prevention, organizations also need to develop strategies for detection and response.

"Don't inflate or conflate any of these comprehensive strategies," said Ramzan. The idea that technology alone can protect against criminal attacks is wishful thinking, he said.

"Organizations need to move past prevention alone. Look at who received what, who clicked, and what happened. Monitoring response is essential."

What's important to consider is that the criminals who are trying to hack into the network are looking for ways to infiltrate despite the defenses that organizations are developing. The fundamental principles of a balanced approach that includes prevention, detection, and response include the best offensive and defensive tactics.

Security is no longer about protecting the perimeter to secure what is inside. Extended networks mean more connectivity, so the extended network needs to be protected.

"The network is critical for defending against breaches," said Marc Solomon, Cisco's vice president of Security Marketing, "but as the Internet of Everything (IoE) expands, there will be more devices, and the extended network includes everything from data centers to clouds to end devices."

All of those pieces need to be considered in developing the strongest security.

If organizations are only looking at prevention, the attackers are looking towards where the organization is blind, said Solomon. Yes, the network is the core of an organization's security, but they should be looking at it holistically.

"Nothing is an end all be all. We are all human and we will all make mistakes," he said.

Spending money on awareness training is a good best practice because security is about a balance of prevention, detection, and response, Solomon added.

"Security is a series of attack vectors, on end users, and addressing that will help, but you're not going to solve the problem solely through awareness training."

Macbeth had murdered several men, including the king, before anyone suspected him of treason. That's not to suggest a trust-no-one approach, but a recognition of the fact that people with malicious intent don't advertise their criminal behavior. Thus, for most organizations, protecting their environments requires a variety of technologies.

"A lot comes in through email users, so you need something that secures email like advanced malware protection. Users might click on an unknown threat, and that unknown needs to be addressed. Advanced malware might be able to see the file, understand its behavior and block the threat based on certain characteristics," said Solomon.


What are some technologies that can help in addition to advanced malware?

"Email security and web security on the network or the crawl ware service can reduce the time of detection and the time of response," Solomon added.

Firewalls and intrusion-prevention systems that work together are other solutions that can be put in place to protect against attack vectors. "The whole security system--people, process, and security--is needed to secure your environment," he said.


Stories by Kacy Zurkus
