2014 was dubbed the Year of the Data Breach. It became impossible to pick up a newspaper without seeing the word “breach” splashed across the front page. According to a 2014 study by the Ponemon Institute, a staggering 43 percent of companies experienced a data breach, up 10 percentage points from the previous year. Hackers are becoming more sophisticated in their approaches and cleverer at penetrating networks.
There is no silver bullet that can stave off all attackers. But there are approaches that can help companies better protect themselves against these attacks.
The approach that has been advocated (though not yet fully implemented) by the federal government is a big step in the right direction. To improve the security posture of federal agencies, the Department of Homeland Security (DHS) has launched a Continuous Diagnostics and Mitigation (CDM) program. The CDM program does not introduce new security technologies per se; rather, it changes the way existing technologies are used. The CDM approach tightly integrates existing layered security systems so that they share information with one another, which lets an organization rapidly identify and respond to security vulnerabilities and breaches.
Just like federal agencies, commercial enterprises need to approach IT security in a way that will help them make the most of their limited resources. Enterprises need to be thinking about solutions that can maximize existing infrastructure investments. As with the federal program, commercial enterprises should be looking for integrated approaches that can continuously monitor and mitigate security exposures and cyberattacks.
What are the hallmarks of this new approach to IT security? These new systems provide:
- Continuous information about the people and devices that are connected to your network
- Real-time information about transient devices and personally owned devices
- Information sharing and automation between your various existing security systems
- A wide range of automated controls that function at both the network level and the endpoint level
Preventing cyberattacks requires constant visibility into, and control over, endpoint state and behavior, not just at the moment a device joins the network but for as long as it stays connected. A continuous monitoring approach detects endpoint changes and anomalous activity; when a fault or suspicious activity is detected, the system can automatically alert on the event and/or respond to it, for example by quarantining the suspect device or immediately remediating the endpoint fault.
The modern computing era relies heavily on mobile computing and on accommodating personally owned devices (BYOD) on the network. Enterprises must therefore architect their IT security systems to handle transient and personally owned devices. For example, a traditional security system that depends on installed agents is poorly suited to a BYOD environment, because the enterprise cannot require an agent on a device it does not own or manage. Similarly, security processes that are periodic in nature, such as periodic risk assessments and periodic mitigation runs, will often miss transient devices entirely and will not patch vulnerabilities before an attacker discovers them and gains a foothold. Continuous monitoring and mitigation systems avoid both of these problems.
As with next-gen network access control (NAC), continuous monitoring and mitigation systems provide a wide range of endpoint remediation actions. Self-remediation informs the user of the security issue and presents instructions on how to fix it. Direct remediation is performed by the security platform itself, which executes a script to install a patch, update an antivirus signature, restart or reinstall an agent, kill a process or disable a peripheral device. Third-party remediation sends a request to an external system (a patch manager, a ticketing system, a SIEM) to perform the fix. Organizations can decide which is best for each situation, but all three allow quick and effective correction of endpoint issues, often before a minor exposure turns into a major breach.
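The following Python sketch is an added illustration of the monitoring and remediation loop described in the two paragraphs above; it is not code from the CDM program or from any vendor's product. It diffs two endpoint snapshots, re-evaluates only the endpoints that changed or newly appeared, and maps each finding to one of the remediation types just discussed (quarantine, direct, self or third-party). The endpoint records, the indicator-of-compromise process list, the signature-age threshold and the patch label are all constructed for the example and are not real data.

```python
# Added example, not the CDM program's or any product's code.
# Everything below (endpoints, IoC list, thresholds, patch names) is constructed.
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

# Hypothetical indicators of compromise: process names treated as malicious.
IOC_PROCESSES = {"mimikatz.exe", "cryptominer"}
MAX_SIG_AGE_DAYS = 3          # assumed policy: AV signatures older than this are stale


@dataclass(frozen=True)
class Endpoint:
    mac: str
    owner: str                  # "corporate" or "byod"
    agent_running: bool         # management agent present and alive
    av_sig_age_days: int
    missing_patches: Tuple[str, ...]
    processes: Tuple[str, ...]


Action = Tuple[str, str, str]   # (mac, action, detail)


def evaluate(ep: Endpoint) -> List[Action]:
    """Map an endpoint's current state to remediation actions.

    'quarantine'  -> isolate the device at the network level
    'direct'      -> the platform runs a script on the endpoint
    'self'        -> the user is told what to fix and how
    'third_party' -> a request is handed to an external system (e.g. patch manager)
    """
    actions: List[Action] = []
    iocs = sorted(set(ep.processes) & IOC_PROCESSES)
    if iocs:
        # Indication of compromise: isolate first, investigate afterwards.
        actions.append((ep.mac, "quarantine", "ioc process: " + ", ".join(iocs)))
        return actions
    if not ep.agent_running:
        if ep.owner == "corporate":
            actions.append((ep.mac, "direct", "restart agent"))
        else:
            # Personally owned device: we cannot push an agent, so instruct the user.
            actions.append((ep.mac, "self", "install or start the agent"))
    if ep.av_sig_age_days > MAX_SIG_AGE_DAYS:
        if ep.owner == "corporate" and ep.agent_running:
            actions.append((ep.mac, "direct", "update antivirus signatures"))
        else:
            actions.append((ep.mac, "self", "update antivirus signatures"))
    if ep.missing_patches:
        # Patching is owned by a separate system; hand it a request.
        actions.append((ep.mac, "third_party", "patch: " + ", ".join(ep.missing_patches)))
    return actions


def changed(prev: Dict[str, Endpoint], curr: Dict[str, Endpoint]) -> List[str]:
    """MACs that are new or whose state differs from the previous poll."""
    return sorted(m for m, ep in curr.items() if prev.get(m) != ep)


def monitor(prev: Dict[str, Endpoint], curr: Dict[str, Endpoint]) -> List[Action]:
    """One iteration of the continuous loop: re-evaluate only what changed,
    and report devices that silently left the network."""
    actions: List[Action] = []
    for mac in changed(prev, curr):
        if mac not in prev:
            actions.append((mac, "alert", "new device joined"))
        actions.extend(evaluate(curr[mac]))
    for mac in sorted(set(prev) - set(curr)):
        actions.append((mac, "alert", "device left network"))
    return actions


# Constructed sample: two polls of the same network segment a few minutes apart.
POLL_1 = {
    "aa:bb:cc:00:00:01": Endpoint("aa:bb:cc:00:00:01", "corporate", True, 1, (), ("explorer.exe",)),
    "aa:bb:cc:00:00:02": Endpoint("aa:bb:cc:00:00:02", "byod", False, 10, (), ("safari",)),
}
POLL_2 = {
    # corporate laptop: agent died and a (hypothetical) patch is now outstanding
    "aa:bb:cc:00:00:01": replace(POLL_1["aa:bb:cc:00:00:01"],
                                 agent_running=False, missing_patches=("vendor-hotfix-1",)),
    # BYOD phone: unchanged, so it is not re-evaluated this cycle
    "aa:bb:cc:00:00:02": POLL_1["aa:bb:cc:00:00:02"],
    # unknown device that appeared running a known-bad process
    "aa:bb:cc:00:00:03": Endpoint("aa:bb:cc:00:00:03", "byod", False, 0, (), ("mimikatz.exe",)),
}


def demo() -> Tuple[List[Action], List[Action]]:
    """Run the loop for the first poll (empty baseline) and the second poll."""
    return monitor({}, POLL_1), monitor(POLL_1, POLL_2)


if __name__ == "__main__":
    for cycle, actions in enumerate(demo(), start=1):
        for mac, action, detail in actions:
            print(f"cycle {cycle}: {mac} {action:11} {detail}")
```

The point of the diff step is that the expensive evaluation runs only for endpoints whose observed state changed, which is what makes polling frequently (rather than running a quarterly assessment) affordable. A real deployment would feed `monitor` from the NAC or asset inventory and dispatch each action to the platform, the user or the external system instead of returning a list.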
Traditional IT security tools and practices are too focused on agents, occasional assessments, disparate point solutions and manual response. Enterprises should adjust their security architectures to better align with today's evolving IT environments and threat landscape. IT should move toward next-generation security architectures that emphasize continuous monitoring; fast, automated response to policy violations, exposures and indications of compromise (IoC); and integration with third-party security and management systems to share security intelligence and improve the context available for control decisions.
Considering all the headache and heartache cybercriminals caused in 2014, it's scary to think about the damage they will cause in 2015. Cybercriminals are said to be outspending security teams two to one, and with attackers becoming more organized, it is increasingly important to build a security posture that not only provides holistic, real-time visibility of the network but also enables auto-remediation, so that breaches are stopped before they can establish a foothold and become a vastly bigger problem.