Closing the Barn Door - Four Steps to Containing Security Breach Damage
Not that many years ago, the usual approach to corporate security protection was a strong security perimeter. This was done simply by using a strong firewall to control all entry to the network. If we represent this with a diagram, it looks like this:
A neat, symmetrical ring around an organization's internal network. Sadly, this approach has gone off the rails. The neat circle has stretched and been bent beyond recognition to cover multiple offices and remote users. Cloud-based services split it into pieces, and mobile devices can invite the world in. Our diagram of the safe, solid security perimeter has been replaced by:
I would suggest that the security perimeter can no longer be our only defense. According to Larry Ponemon of the Ponemon Institute, IT professionals are starting to realize that preventing every intrusion is both costly and nearly impossible. Instead, companies are now adopting a detection strategy. The idea is to detect the initial elements of a breach before irreparable damage is done. This does not eliminate the perimeter security strategy; in most cases a good perimeter defense still keeps the casual hacker out.
So, how can this detection strategy work? This is a relatively new direction for the industry, so opinion is still forming. My approach to implementing the best possible breach protection in today's complex world is as follows:
1) Maintain the perimeter
The perimeter is still important. It keeps the casual intruder out, and the connection attempts it blocks serve as an early warning system. Using VPNs to connect remote offices and users extends the perimeter without breaking it, and proper mobile device policies and user training can limit exposure. The logs from perimeter devices are also a major element of the detection strategy.
2) Improve Identity and Access Control
Studies continue to show that many breaches begin with stolen credentials, or with users who hold access to data and systems they do not need to do their jobs. The Target breach is now believed to have started with compromised network credentials belonging to an HVAC contractor. The details are not yet fully known, but I would speculate that the account had privilege well beyond what HVAC maintenance required. The practical form of this step is to review what each account can actually reach against what its job requires, and to remove the rest; a stolen credential is only as dangerous as the access behind it.
3) Detective Forensics
In the world of computer security, forensics is most often used to figure out how a breach happened, and what information was compromised. I would suggest however that forensics applied proactively and continuously can help identify a breach before it results in major compromise. Security intrusions almost always leave a trail, which we normally follow only after the horse is out. If we monitor systems and logs properly, we can detect the trail early in the process and shut down the entry point: repeated denied connections from one account toward an internal segment, or a credential being used from a place it has never been used before, are both visible in logs long before any data leaves. This is the approach of a new class of technology, the breach detection system. This technology is in its infancy, and very expensive. With some common sense, diligence, and consistency, it is possible to achieve much the same result with far less cost.
4) Concentric Networking
Referring back to the basic security perimeter model, the world is outside of the circle, with all company resources on the inside. The downside is that the database server with all of a company's customer information sits in the same security zone as all the employees, including a bunch who do not need access to customer information. The compromise of any basic user credentials can be an entry point, getting a hacker past the perimeter, and allowing for an attack on the database.
We can however view the security perimeter as a series of concentric circles, each layer protected by its own firewall with increasingly restrictive rules. For example, a network might have a firewall protecting the outer ring, limiting access to company employees, with the customer database server behind yet another firewall that admits only the users and application servers that need it, and only on the service port the database actually uses. Now, a hacker has to breach two increasingly restrictive firewalls to get to the key data, and every attempt against the inner one is logged. This concept of concentric networking can be carried into as many additional layers as necessary to ensure that the most critical resources have the strongest protection.
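The following is an added example, not code from the original article: a small Python model that ties steps 2, 3 and 4 together. It encodes a hypothetical two-ring layout (a corporate ring and a restricted customer-database ring), a least-privilege policy for who may cross into each ring, and a detector that runs over constructed firewall log lines to flag two kinds of trail: a connection the inner firewall allowed even though the policy says that role should never reach the database, and an account repeatedly being denied at the inner ring. The zone addresses, user roles, port numbers, log format and threshold are all assumptions made for illustration.

```python
"""Concentric-zone policy check plus detection over constructed firewall logs."""
import ipaddress
import re
from collections import Counter

# Hypothetical rings, outermost first. Anything outside both is the internet.
RINGS = [
    ("corporate", ipaddress.ip_network("10.10.0.0/16")),
    ("restricted", ipaddress.ip_network("10.20.0.0/24")),  # customer database segment
]
ORDER = ["internet"] + [name for name, _ in RINGS]        # index grows as rings get inner

# Hypothetical role assignments; in practice these come from the directory.
ROLES = {
    "alice": "dba",
    "bob": "employee",
    "hvac_vendor": "contractor",
    "web01$": "app_server",
}

# Intended rule for crossing into each ring: (ring, port) -> roles allowed.
# The outer firewall admits any authenticated role on any port; the inner one
# admits only the database's consumers on the database port. Anything not
# listed for a ring is denied, which is the least-privilege default.
POLICY = {
    ("corporate", "*"): {"employee", "dba", "contractor", "app_server"},
    ("restricted", 5432): {"dba", "app_server"},
}

LOG_RE = re.compile(
    r"user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)"
)


def zone_of(ip: str) -> str:
    """Return the innermost ring containing ip, or 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in reversed(RINGS):
        if addr in net:
            return name
    return "internet"


def permitted(role: str, dst_zone: str, dport: int) -> bool:
    """Is this role allowed to cross into dst_zone on dport per POLICY?"""
    if dst_zone == "internet":
        return True
    allowed = POLICY.get((dst_zone, dport)) or POLICY.get((dst_zone, "*"), set())
    return role in allowed


def parse(line: str):
    """Extract the fields we need from one firewall log line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["dport"] = int(ev["dport"])
    return ev


def analyze(lines, probe_threshold: int = 3):
    """Return findings: allowed flows that violate POLICY, and accounts that
    keep getting denied while trying to move inward (a trail worth following)."""
    findings = []
    denied = Counter()
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        role = ROLES.get(ev["user"], "unknown")
        src_zone, dst_zone = zone_of(ev["src"]), zone_of(ev["dst"])
        inward = ORDER.index(dst_zone) > ORDER.index(src_zone)
        ok = (not inward) or permitted(role, dst_zone, ev["dport"])
        if ev["action"] == "ALLOW" and not ok:
            # The firewall let through something the policy forbids: a
            # misconfigured ring or an over-privileged account.
            findings.append(("policy_violation_allowed", ev["user"], ev["dst"], ev["dport"]))
        if ev["action"] == "DENY" and inward:
            denied[(ev["user"], dst_zone)] += 1
    for (user, zone), n in denied.items():
        if n >= probe_threshold:
            findings.append(("probing", user, zone, n))
    return findings


# Constructed sample log lines (not real traffic) for the scenario above.
SAMPLE_LOG = """\
2024-03-01T01:00:02Z fw=outer user=bob src=203.0.113.8 dst=10.10.3.4 dport=443 action=ALLOW
2024-03-01T01:00:09Z fw=outer user=hvac_vendor src=198.51.100.23 dst=10.10.7.15 dport=443 action=ALLOW
2024-03-01T01:02:41Z fw=inner user=web01$ src=10.10.3.4 dst=10.20.0.5 dport=5432 action=ALLOW
2024-03-01T01:05:10Z fw=inner user=hvac_vendor src=10.10.7.15 dst=10.20.0.5 dport=5432 action=DENY
2024-03-01T01:05:12Z fw=inner user=hvac_vendor src=10.10.7.15 dst=10.20.0.5 dport=22 action=DENY
2024-03-01T01:05:15Z fw=inner user=hvac_vendor src=10.10.7.15 dst=10.20.0.6 dport=5432 action=DENY
2024-03-01T01:06:30Z fw=inner user=hvac_vendor src=10.10.7.15 dst=10.20.0.5 dport=5432 action=ALLOW
2024-03-01T01:07:00Z fw=inner user=alice src=10.10.9.2 dst=10.20.0.5 dport=5432 action=ALLOW
"""


def run_sample():
    return analyze(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for finding in run_sample():
        print(*finding)
```

The contractor account is admitted to the corporate ring, as the outer firewall should allow, but its three denials at the inner ring are the early trail step 3 describes, and the later ALLOW on the database port is reported because the policy, not the firewall, is the reference for what that role may reach. In a real deployment the roles would come from the directory and the lines from the firewalls' syslog feed; the comparison logic is the same.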
When combined, the four-stage approach above keeps most hackers out, limits the access of those who do get in, and detects their trail and shuts them down before the damage is done. In effect we are catching the horse with his head out the door, putting him back in, and shutting the door after him.