In the past, we always played catch-up by implementing controls to deal with new threats. This allowed zero-day successes and successful attacks against resources when only the attackers knew of one or more vulnerabilities in our network. We tended to rely on vulnerability detection and associated risk management to protect confidentiality, integrity, and availability (CIA). While still a necessary process, vulnerability management alone falls far short.
When assessing risk using the formulaic model THREATS * VULNERABILITIES *BUSINESS IMPACT = RISK, we tended to avoid threat management. The argument for years was that we couldn’t cost effectively manage threats. Instead, we focused on identifying and managing vulnerabilities in the name of prevention. Today, security professionals understand that we need to shift much of our security effort to managing threats we know will eventually find their way into our network.
The misconception that we should concentrate on preventing attacks still tends to govern many organizations: especially those without a strong security program. Organizations that understand that we can’t stop all business continuity events give equal importance to vulnerability management, monitoring solutions, and response processes.
In addition to shifting effort to threat management, approaches to prevention must also change. Endpoint design and access control policies often lean toward keeping users happy. This must change. While we should keep our employees productive, providing certain capabilities on devices used to process and store business information increases risk to unacceptable levels.
Finally, network design should include implementation of comprehensive monitoring. Further, threats should encounter numerous barriers before reaching a target. The approach is similar to physical security where we might place a fence and two or three locked doors between the attacker and the target. These barriers can also help contain threats already on our network.
Solutions for business of all sizes exist to meet the challenges listed above. The following is a list of nine areas organizations should include when managing threats and associated risks.
1. Least privilege. Users should never be allowed to install applications on their devices. Further, applications not residing on the organization’s software whitelist should never reside on user devices: regardless of who is attempting to install them. This begins with using group policy—if you are in a Windows environment—to place restrictions on users. AppLocker and Intune are also great tools for managing end user applications.
2. Threat detection. Antimalware software, host-based firewalls, and host-based IPS are all necessary to help gather information about what is happening on endpoint devices. None of these alone provides sufficient prevention, detection, and response (PDR) capabilities, and PDR is only one facet of threat detection. Today’s advanced threats tend to operate in ways requiring information from many sources for us to detect them.
User and network behavior analytics solutions gather information from network and endpoint sources to analyze patterns of behavior. These patterns are compared to baselines to determine if a response is necessary. Pattern analysis often uses real time and historic information.
3. Network segmentation. Network segmentation via VLANsis a necessary control to prevent access, limit unwanted access, and to contain continuity events.
4. User awareness. Users should always understand what actions put the organization and themselves at risk: clicking on email links, clicking on email attachments, sharing passwords, etc.
5. Incident response process. Response to any unwanted event requires a documented process and a trained team. Aneffective incident response is always necessary to mitigate the business costs associated with a business continuity event.
6. Web filtering. Again, most attacks today are against user devices. One important control is preventing users, and malicious code residing on our systems, from visiting known bad sites and site categories known to be high risk. Because web filtering is available in devices such as the Cisco ASA, there is little reason today for not implementing web filtering.
7. Block high-risk IP address ranges. One of the ways attackers lure our employees is via redirection: sending users to a website other than the one they believe they are visiting. In addition to web filtering, consider blocking known high-risk IP address ranges.
8. Manage outgoing TLS communication. Attackers tend to hide their activity by using encrypted sessions. Organizations should never allow any endpoint device to connect directly to an external device with TLS. (Hopefully, you’ve already killed off SSL connections…) This prevents IPS and other filtering solutions from looking at packet payloads.
9. Block macros. Finally, block the execution of Office macros wherever reasonable and appropriate but especially from untrusted sources.
The Final Word
More security effort is needed to manage threats: including prevention, detection, and response. The solutions needed go beyond what most organizations do today.
The solutions listed in this article are not all inclusive. For example, they don’t include network-based IPS and firewalls. The list is intended to fill gaps many organizations have due to the changing nature of attacks.