SecurityWeek

The Era of Personalized Risk Reduction

Blanket approaches to cyber security don’t work. So many vendors rely on throwing generic signature after signature, and alert after alert without any action. These legacy solutions are stuck in the assumption that all threats are the same and easily stopped – but we know this isn’t the case.

I won’t spend this article detailing how adversaries have gotten more clever, or how attacks are becoming more complex. But here is something we haven’t spent enough time on as an industry: tailoring your security policy and protections to the actual threats experienced by your organization, and to the threat landscape at large.

Let me illustrate this with a simple but powerful example. Think back over the last six months: have you used a Microsoft RTF file in the daily course of business? I would imagine the majority of you are shaking your head “no” right now.

Recently, there have been multiple critical vulnerabilities affecting RTF files, each allowing a remote attacker access to a machine if exploited. If your business has no reason to use RTF files, and there are active vulnerabilities or exploits against them, wouldn’t you want the ability to simply block them from ever entering your network? This is only one example, but there is an ever-evolving world of vulnerabilities and exploits against particular file types. What matters is the ability to quickly block a file type when something new and malicious surfaces, or, better still, to whitelist only the content each group of your employees needs at any given time.

Here is another example. I was talking with a security practitioner at a major healthcare organization who noticed a series of IPs that kept trying to compromise his public web presence. After quickly identifying the offending IPs, he would add them to a blacklist for set periods of time, and then eventually remove them from the list. If they re-offended, they would be permanently blocked, but this exercise allowed him to protect his organization without preventing legitimate access.

Let’s take this one step further: what if your IPS/IDS or network anti-malware didn’t just pull from some giant database of threats your provider thinks you will experience, or from a large group of outsourced signature creation teams? What if your protections were automatically created from the actual threats attempting to breach your organization?

Now, we can take a look at the opposite route, with some approaches coming at the problem from a place I like to call “detect and remediate.” This happens when devices focus on generating alerts on the exploits, malware, malicious IPs or other threats as they cross your network.

Often, this approach forces your security teams to operate under the assumption that (1) you can sift through the thousands of alerts to find the truly dangerous ones you need to focus on, or (2) you can pay for third-party Incident Response services to augment your security posture or to remediate after the fact.

Based on these examples, consider three requirements that cover what we need for the future of threat protection:

• The ability to quickly reduce the ways adversaries can compromise your organization — in effect, reducing your attack surface.

• The ability to ingest either internal or external security intelligence, and put it into practice simply within your security platform.

• The ability to automatically update your security posture based on the actual threats targeting your organization.

Taken together, these three requirements fit into a “detect and prevent” approach. What is needed in today’s threat landscape is the ability to detect all known and unknown threats, and automatically prevent them without any manual intervention.

Ideally, any solution would also go beyond the traditional approach of focusing only on the perimeter, and cover the data center, mobile devices and every point of segmentation across your network. Malware doesn’t care about all the walls you put at your edge, and it is not reasonable to expect teams to manage a divergent security policy for each location. Finally, you must have the ability to evaluate all traffic and threats, and tailor that unified policy based on what is actually happening on the network.

Every industry conference I attend begins with the same platitudes about shifting the conversation. “Detect and remediate” to “detect and prevent” is a good place to start.
