The aftermath of recent cyber-attacks will be felt for years to come. How can a huge organisation with complex systems and networks prevent itself from becoming the next Target or Sony? Is there any hope?
Yes, there is hope! However, we have to modify the economics of cyber-attacks.
Cyber-security is an economic game
In The Art of War, Sun Tzu examines the economic considerations of war, front and centre. The business of cyber-security is also an economic game.
Cyber-crime is red-hot because it makes perfect economic sense to the adversary. The investment of time and money required for cyber-criminals to breach a billion-dollar organisation is ridiculously small compared to the payoff. A group of a few hackers working collectively for several weeks with a couple of thousand dollars of black market software is often enough to breach a Fortune 500 company.
This reality puzzles CISOs who already spend tens of millions of pounds each year on IT security.
Antiquated defences and vast attack surfaces
Current security architectures were designed in a bygone era when there was a useful notion of an internal network inside the corporation's buildings, and the Internet outside. The firewall was invented to create a narrow isolating choke point between internal networks and the Internet, allowing only a few controlled interactions. All was well!
Your systems routinely run computer programs written by anonymous persons. While you may not be aware of it, each Internet web page is a computer program. Just about any Internet-connected “rectangle” that you see is a program. All these external programs are potentially malicious, and can compromise you.
You have an enormous attack surface, literally endless places for access! The endpoint is your unguarded front door and is the weakest economic link in your defences. Once an endpoint is compromised, the adversary can remotely control the infected computer with the same privileges on your network as one of your legitimate users.
Backfire from next-gen security investments
Let's explore the economics of the next-generation firewall. First, the next-gen firewall does absolutely nothing for your riskiest mobile users. Moreover, modern malware tries hard to avoid misbehaving while it is still within your network pipes before reaching an endpoint. The firewall, grasping at straws, generates a large daily stream of seemingly suspicious events. These notifications have to be analysed and chased down by additional investments in event management systems and security analysts. The overwhelming majority of these events turn out to be false positives, i.e. wasted money.
The bad guys also use this as a weapon, by increasing the volume of specious traffic known to generate false positives, while the real attack is carried out elsewhere. This is reverse leverage.
Ultimately, the next-gen firewall becomes a bottleneck, unable to manage the growing traffic. You have to spend more money on additional hardware that generates even more false-positive events. Vicious cycle.
A new hope
There is hope. Innovation will resolve this crisis.
Organisations must invest in a strategy that will directly impact the economic costs to malicious actors.
Imagine each of your endpoints is a little red dot. The size and colour intensity of the dot are relative to the amount of information on the endpoint, and the nature and frequency of Internet interactions that each endpoint has. This is the battlefield!
Your investments must protect your information from unknown internet programs that run on your endpoints, while still supporting such programs seamlessly. This isolation technology must be simple and robust. It must be designed such that it costs the adversary significant time and money to try to break through. Ideally, you must also be able to fool the adversary into thinking that they have succeeded, while gathering intelligence about the nature of the attack. Techniques like micro-virtualisation let you do this.
You will also need new products that let you continuously visualise and monitor your risk at the internet endpoint level, and provide end-to-end encryption and robust identity authentication.
Plan ahead or fall behind
A very senior executive is going to have to micro-manage the plan to mitigate the risk of cyber-attacks. This is a time of great risk to our organisations, so leaders must follow their own business instincts.
Unless you have one already, hire a top-notch CISO as a partner for this project.
While you transform your security infrastructure to turn the economic odds back against the adversary, your company might look like an “Under Construction” zone. Some users will complain loudly, and you will have to make an effort to have the business running smoothly while the transformation is in play. Nothing worth doing is ever easy, and you must be prepared to see this through. The risk of inaction is worse.
Contributed by Gaurav Banga, co-founder and CEO, Bromium