Rik Ferguson, the Vice President Security Research for Trend Micro, has a sobering warning. Your security will be breached. You can’t stop it, you have to be ready.
“You build your infrastructure on the assumption that a breach is going to happen. Your goal is to find out immediately and respond accordingly.”
In the past, security was all about creating barriers around your critical resources so that no one could get to them. While that remains a central plank of any security strategy, a more modern operational environment also focuses on mitigating the effects of a breach.
“It’s less about building a better castle and more about building a better dungeon. You make it more difficult for the attacker to leave with what they came for. You have to accept the fact that they’re going to get in,” said Ferguson.
To that end, he suggested that protecting data within your network is crucial as you have to assume that it will leave your network at some point. “Encryption is your friend in that respect so that if they get your data it’s useless,” he told us.
In addition, Ferguson suggests that there is value in using other techniques. “Something that I think is under-invested, particularly in enterprise networks, is all the honey-x technologies such as honeynets, honeypots, and one that is really cheap and easy is honey-user accounts. You can do that with an outsourced cloud service.”
So where does the responsibility for information security lie? Is it up to IT to look after this for the whole business or is the responsibility broader?
“Most companies have a CSO or CIO fulfilling that kind of role. Sometimes they’re very technical, other times they’re very business-focussed. I think in a lot of ways there’s a requirement for both a CIO and a CSO. The CIO is concerned with information and the CSO is focussed on security. They complement and assist each other. I think this is the model that really works.”
Ferguson also notes that IT and security are being bypassed. “With the adoption of cloud and multi-tenanted services, a lot of those decisions, such as which cloud provider are we going to use, are made by individual business units without any interaction whatsoever with IT or security,” he said.
The new focus of security seems to be accepting that breaches are going to happen and ensuring that adequate controls are in place to detect them and mitigate their effects. We asked Ferguson whether this approach has been effective.
“So far, of all of the breaches that have been reported, none of them has stopped something before it started.”
One of the more insidious aspects of recent breaches is that it’s not always the larger, well-known businesses that are attacked, but their partner companies. For example, in 2011 Epsilon, the world’s largest permission-based email marketing provider, was breached, resulting in the customer lists of several Fortune 100 companies being compromised. Until then, Epsilon was a largely anonymous company.
“I remember when Epsilon was breached,” recounted Ferguson. “I’d never heard of them. I never knew a company called Epsilon existed. But as a result of that attack I received five breach notification emails from five different companies.”
So, even if your own seals are tight and data is safe, you have to consider the position of a critical business partner in your security threat and risk assessment.
The proliferation of mobile devices is also an important part of the enterprise’s threat surface as mobile devices are often the least protected endpoint on the network, concluded Ferguson.