Third era of Information Security

As I look over my experience in Information Security since 1999, I see three distinct eras with respect to the motivation driving technical control purchases:

  • Basic (mid-90’s to early 2000’s) – Organizations implemented basic host-based and network-based technical security controls, i.e. anti-virus and firewalls respectively.
  • Compliance (early 2000’s to mid 2000’s) – Compliance regulations such as Sarbanes-Oxley and PCI drove major improvements in security.
  • Breach Prevention and Incident Detection & Response (BPIDR) (late 2000’s to present) – Organizations realize that regulatory compliance represents a minimum level of security, and is not sufficient to cope with the fast changing methods used by cyber predators. Meeting compliance requirements will not effectively reduce the likelihood of a breach by more skilled and aggressive adversaries or detect their malicious activity.

I have three examples to support the shift from the Compliance era to the Breach Prevention and Incident Detection & Response (BPIDR) era. The first is the increasing popularity of Palo Alto Networks. No compliance regulation I am aware of makes the distinction between a traditional stateful inspection firewall and a Next Generation Firewall as defined by Gartner in their 2009 research report. Yet in the last four years, 6,000 companies have selected Palo Alto Networks because their NGFWs enable organizations to regain control of traffic at points in their networks where trust levels change or ought to change.

The second example is the evolution of Log Management/SIEM. One can safely say that the driving force for most Log/SIEM purchases in the early to mid 2000s was compliance. The fastest growing vendors of that period had the best compliance reporting capabilities. However, by the late 2000s, many organizations began to realize they needed better detection controls. We began to see a shift in the SIEM market toward those solutions which not only provided the necessary compliance reports, but could also function satisfactorily as the primary detection control within limited budgets. Hence the ascendancy of Q1 Labs, which actually passed ArcSight in number of installations prior to being acquired by IBM.

The third example is email security. From a compliance perspective, Section 5 of PCI DSS, for example, is very comprehensive regarding anti-virus software. However, it is silent regarding phishing. The popularity of products from Proofpoint and FireEye shows that organizations have determined that blocking email-borne viruses is simply not adequate. Phishing, and particularly spear-phishing, must be addressed.

Rather than simply call the third era “Breach Prevention,” I chose to add “Incident Detection & Response” because preventing all system compromises that could lead to a breach is not possible. You must assume that Prevention controls will have failures. Therefore you must invest in Detection controls as well. Too often, I have seen budget imbalances in favor of Prevention controls.

The goal of a defense-in-depth architecture is (1) to prevent breaches by minimizing attack surfaces, controlling access to assets, and blocking threats and malicious behavior within allowed traffic, and (2) to detect malicious activity missed by prevention controls and to identify compromised systems more quickly, minimizing the risk of disclosure of confidential data.

Mitigating Modern Malware Risks

During the last several years we have observed dramatic changes in the identity of attackers, their goals, and methods. Today’s most dangerous attackers are cyber criminals and nation-states who are stealing money and intellectual property. Their primary attack vector is no longer the traditional “outside-in” method of directly penetrating the enterprise at the network level through open ports and exploiting operating system vulnerabilities.

The new dominant attack vector is at the application level. It starts with baiting the end-user via phishing or some other social engineering technique to click on a link which takes the unsuspecting user to a malware-laden web page. The malware is downloaded to the user’s personal device, steals the person’s credentials, establishes a back-channel out to a controlling server, and, using the person’s credentials, steals money from corporate bank accounts, credit card information, and/or intellectual property. We call this the “Inside-Out” attack vector.

Here are my recommendations for mitigating these modern malware risks:

  • Reduce the enterprise’s attack surface by limiting the web-based applications to only those that are necessary to the enterprise and controlling who has access to those applications. This requires an application-based Positive Control Model at the firewall.
  • Deploy heuristic analysis coupled with sandbox technology to block the user from downloading malware.
  • Leverage web site reputation services and blacklists.
  • Deploy effective Intrusion Prevention functionality which is rapidly updated with new signatures.
  • Segment the enterprise’s internal network to:
    • Control users’ access to internal applications and data
    • Deny unknown applications
    • Limit the damage when a user or system is compromised
  • Provide remote and mobile users with the same control and protection as itemized above
  • Monitor the network security devices’ logs in real-time on a 24x7x365 basis
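As an added example (not code from the original post, nor from Palo Alto Networks, Cymbel or Solutionary), the Python script below applies the first, fifth and last recommendations together: a positive control model in which only listed (source zone, destination zone, application) combinations are allowed, unknown applications are always denied, and a segment boundary can restrict which users may cross it. It then audits a handful of constructed, application-aware firewall log lines and reports every flow the firewall allowed that the intended policy would have denied. The key=value log format, the zone names, the user names and the policy table are all assumptions made for the illustration.

```python
import re

# Constructed sample log lines in a simplified key=value form modelled on
# application-aware firewall traffic logs. These are not real records.
SAMPLE_LOGS = [
    "ts=2013-05-01T10:00:01 src_zone=users dst_zone=internet app=web-browsing user=alice action=allow",
    "ts=2013-05-01T10:00:05 src_zone=users dst_zone=finance-db app=mssql user=alice action=allow",
    "ts=2013-05-01T10:00:09 src_zone=users dst_zone=internet app=unknown-tcp user=bob action=allow",
    "ts=2013-05-01T10:00:12 src_zone=users dst_zone=finance-db app=mssql user=carol action=allow",
    "ts=2013-05-01T10:00:20 src_zone=users dst_zone=internet app=ssl user=bob action=allow",
    "ts=2013-05-01T10:00:25 src_zone=app-servers dst_zone=finance-db app=mssql user= action=allow",
]

# Positive control model (assumed policy): only listed (src_zone, dst_zone)
# pairs with the listed applications are permitted. A pair may also restrict
# the users allowed to cross that segment boundary ("users": None = anyone).
# Anything not listed, including any "unknown-*" application, is denied.
POLICY = {
    ("users", "internet"): {"apps": {"web-browsing", "ssl"}, "users": None},
    ("users", "finance-db"): {"apps": {"mssql"}, "users": {"carol"}},
    ("app-servers", "finance-db"): {"apps": {"mssql"}, "users": None},
}

KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Parse one key=value log line into a dict; an empty value becomes ''."""
    return {key: value for key, value in KV_RE.findall(line)}


def evaluate(rec, policy=POLICY):
    """Return (verdict, reason) for one parsed record under the positive control model."""
    app = rec.get("app", "")
    if app.startswith("unknown-"):
        return "deny", "unknown application"
    rule = policy.get((rec.get("src_zone"), rec.get("dst_zone")))
    if rule is None:
        return "deny", "no rule for zone pair"
    if app not in rule["apps"]:
        return "deny", f"app {app} not permitted between zones"
    allowed_users = rule["users"]
    if allowed_users is not None and rec.get("user") not in allowed_users:
        return "deny", f"user {rec.get('user') or '<none>'} not permitted"
    return "allow", "matches positive rule"


def audit(lines, policy=POLICY):
    """Flag flows the firewall allowed that the intended policy would deny.

    This is the monitoring side of the recommendations: each finding means the
    deployed ruleset has drifted from the intended model or a segment boundary
    is more permissive than it should be, and deserves a look by the 24x7 team.
    Returns a list of (timestamp, user, app, reason) tuples.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        verdict, reason = evaluate(rec, policy)
        if rec.get("action") == "allow" and verdict == "deny":
            findings.append((rec["ts"], rec.get("user") or "<none>", rec.get("app"), reason))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOGS):
        print("policy drift:", *finding)
```

Run against the constructed sample, the audit reports two flows: alice reaching the finance database segment, which the policy reserves for carol, and bob's unknown-tcp session to the internet, which a positive control model should never have allowed. In practice the policy table would be generated from the firewall's own configuration and the records would stream from the log collector, but the comparison itself is the same.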

Full disclosure: For the last four years my company Cymbel has partnered with Palo Alto Networks to provide much of this functionality. For the real-time 24x7x365 log monitoring, we partner with Solutionary.

Highlights from Sophos threat report


The recently released Sophos Threat Report claims that with more than 50 percent of companies allowing free and open access to social networking sites:

  • 67 percent of users were spammed on social networks – double from when the survey began in 2009 (33.4 percent)
  • 40 percent were sent malware
  • 43 percent were phished – more than double from when the survey began in 2009 (21 percent)

The answer is not totally blocking access to social network sites. People in marketing and sales need access, but they don’t need to be playing Farmville. Also totally blocking all aspects of social network sites might create a morale issue.

Anti-virus can play a role, but a defense-in-depth strategy is needed that includes Next Generation Firewalls.

Network Security Blog » Customer information stolen


Three database/email server compromises were revealed over the weekend. A business partner of McDonald’s lost their promotional mailing list, Gawker’s entire user database was compromised and posted, and the DeviantArt user mailing list was also stolen, along with additional user information, again through a partner. None of these cases involved financial data; none of these would have been covered in any way by the PCI requirements.

So what is the value to the hackers? Martin sums it up nicely:

The danger with the McDonald’s and DeviantArt compromises isn’t the account names, it’s the potential for phishing and other scams. The phishers now have a validated list of customers they can target their spam at, quite likely starting with fake alerts about the compromise itself to get users to click on links to malicious sites. From there, they can move on to lower impact, less obvious attacks, but that’s how I’d start. The potential of a user trusting an email warning them of danger is quite a bit higher than the other emails.

PS: Walgreen’s customer email list was compromised. Again, no big deal, just email addresses. But as Martin said above, a valid list of email addresses is a great starting point for phishing scams.