It’s No Longer Feasible to Manage Threats Individually, Given the Sheer Volume of Security Gaps That Exist.
Faced with hundreds, thousands, and even hundreds of thousands of vulnerabilities across their IT infrastructures leaves security practitioners at a virtually insurmountable disadvantage. The result is often lengthy dwell times and asynchronous iterations that limit the effectiveness of cyber security programs. This begs the question what is holding us back from prevailing against cyber-attacks. And more importantly, what are emerging approaches that allow organizations to transition from a traditional domain expert model to an interactive, iterative, and collaborative model.
According to Gartner (see ‘Designing an Adaptive Security Architecture for Protection from Advanced Attacks’, January 2016), enterprises often make the mistake of implementing a reactive, rather than pro-active approach to cyber security. They often rely on blocking techniques, which are proven to be ineffective.
One of the biggest problems in cyber security today is how to manage the volume, velocity, and complexity of data generated by the myriad of IT security tools in a typical enterprise. Feeds from these disconnected, siloed tools must be analyzed, normalized, and remediation efforts prioritized. The more tools, the more difficult the challenge. Ultimately, this data aggregation and analysis requires legions of staff to comb through massive amounts of data to connect the dots and find the needle in the haystack. These efforts can take months, during which time attackers can exploit vulnerabilities and extract data.
Even if an organization can hire enough qualified resources to perform this analysis, they often misalign remediation efforts by relying on internal security intelligence that lacks context regarding active threats and which specific vulnerabilities they are exploiting. Without taking external threat data and business criticality into account, security teams can focus on mitigating the wrong gaps. In many cases, just reacting to past threats rather than taking a pro-active approach based on predictive analytics to shut the window of opportunity before attackers can take advantage of it.
Let’s consider the key factors that limit the effectiveness of cyber security programs.
One Dimensional View
First, many organizations, and even vendors, are still focusing on the network layer, while barely acknowledging other areas of the attack surface; for example, the application layer. What’s needed instead is a holistic view of the attack surface, to match the strategies and capabilities of adversaries. The Verizon 2016 Data Breach Report confirms this. The network layer and end points are only one piece of the puzzle. The attack surface has grown dramatically and therefore security practices should align accordingly.
Second, most vulnerability management tools rely on Common Vulnerabilities and Exposures (CVE), which can lead to a misalignment of resources and efforts. The POODLE vulnerability is a good example, which occurred in 2014. At the time it was published, it received a 5.5 rating by the National Vulnerability Database (NVD). It’s a common practice to filter vulnerabilities and only take action on those with a CVE value of 7 or higher. Using this model, the POODLE vulnerability would have been ignored. Finding out early that it was spawning hundreds of thousands of attacks, would have enabled organizations to adjust their remediation priorities to address the POODLE threat. This incident illustrates the importance of contextualizing internal security intelligence with external threat data.
To improve the odds of defeating cyber-attacks, organizations can implement the following three best practices:
1. Given the shortage of qualified security professionals, leverage technology to automate as many security operations tasks as possible.
2. Increase the frequency of security posture assessments as propagated by the National Institute of Standards and Technology’s “continuous monitoring and diagnostic” guidelines.
3. Lastly, extend protection measures to address today’s growing attack surface. This includes moving beyond the network layer and endpoints, to include applications, databases, cloud environments, the Internet of Things, etc.
It’s no longer feasible to manage threats individually, given the sheer volume of security gaps that exist. A holistic, risk-based approach that considers both security posture and business impact can reduce attack surfaces and reduce the dwell time during which vulnerabilities can be exploited.