Reduce breach risk and costs with security resilience

In cybersecurity circles, there’s a common axiom that states, “There are two types of companies: those that have been breached and those that don’t know they have been breached.” If the phrase sounds of doom and gloom, it’s meant to be because the harsh reality is that almost every company will suffer a cybersecurity breach. 

Businesses can spend and spend on the latest and greatest security technology and still get breached for a number of reasons, including user-related issues. The challenge for businesses is to find the breach as soon as possible and return to normal operations as quickly as possible.

To understand the current risks and how to recover from them, I interviewed Keith Bromley, Ixia’s senior solutions marketing manager and brainchild behind the concept of something called “security resilience,” which is an architectural model of recovering from a breach.

——————————————–

Welcome, Keith. Can you please describe the current state of security as you and Ixia see it.

Keith: It’s becoming evident that traditional security defense models are failing. It’s not a question of if your network will be breached, but when. News broadcasts for the last several years have shown that most enterprise networks will be hacked at some point. In addition, the time it takes for most IT departments to notice the intrusion usually takes months. According to the Ponemon Institute, the average time for breach detection is 191 days, i.e. more than six months. This gives hackers plenty of time to find what they want and exfiltrate whatever information they want.

I have a few interesting data points I would like to cite.

• A study by Ponemon in February of 2018 found that 80 percent of cybersecurity and IT experts anticipate a catastrophic data breach at their companies by 2021.
• The same study found that in 2017, the cost of a cyber breach increased 22.7 percent over 2016.
• According to the Global Cyber Risk Perception Study by Marsh and Microsoft from February 2018, only 30 percent of businesses have a cyber defense plan.

Those are frightening statistics. What’s your take away from them?

Keith: One of the things we have noticed is that most breaches take place over the course of several days. These aren’t just short-term incidents, but are often long-term actions. Based upon this information, a rapid response to security threats could help minimize the cost of a breach by stopping the ongoing infiltration in a shorter period of time. Unfortunately, this isn’t the norm. So what if that six months could be reduced to one month? Or maybe reduce it further to one week, or how about just one day? What if you could go further? That should be of interest to every organization.

If that is of interest, what can security professionals do?

Keith: First off, there are three common security approaches that people use: Best Effort, Regulatory Compliance, and Defensive Security. 

Best effort is a familiar scenario for most IT shops. Either the security engineer, executive or another leader has said, “We need to install some level of security.” This typically involves implementing firewalls, basic security components, and maybe some basic auditing and monitoring.

The next rung up the ladder is regulatory compliance. This is often an executive-level initiative. The thought is that business needs compel the company to be compliant to PCI, HIPAA, or some other standard. One might think this would make the security architecture more robust. Unfortunately, while compliance may be necessary for auditing purposes, it does not guarantee security.

The third level is essentially the defensive approach — “I’m going to make this network so secure that no one is going to break into it.” This is when all those inline and out-of-band devices are deployed. You can even create defense-in-depth strategies for prevention. For instance, if someone gets through Port 80 on the firewall, the next step is to challenge the data with DPI (deep packet inspection). There are other things you can do as well, like implement prevention, detection, and response processes.

Unfortunately, these architectures all have at least one thing in common: They don’t work. Someone always gets through the defenses. A better strategy is needed.  At Ixia, we’re calling this network security resilience.

Can you define what you mean by resilient security and how it works?

Keith: Resilience is defined as the ability of an entity to return to its original form after being bent, stretched, or compressed. From a security perspective, we are specifically talking about the ability of an IT network to recover to normal, steady state operations after a security attack and breach have occurred.

IDG

It’s not an altogether new concept, but at the same time, it doesn’t get as much attention as the defensive approach. However, from the perspective of a breach, security resilience is one of the most important activities one will ever perform because the “time to observance” and “time to remediation” can be reduced. In short, you get attacked, defenses get breached, the network is compromised, the threat is discovered, the damage is fixed, and then the network is secure again.

While prevention should always be a key security architecture goal, a resilient architecture goal focuses on recognizing the breach, investigating the breach, and then remediating the damage as quickly as possible.

How does the resilient approach differ from the other ones? Can you give specifics?

Keith: A resilient approach enables organizations to do a number of things, such as strengthen their capabilities to better defend against attacks, maximize their ability to rebound from attacks, and minimize the severity and cost of security breaches.

Ixia

Network security resilience then is the set of activities that can be conducted to help the network after the breach happens. So to be clear, the best effort, compliance, and defensive strategies we talked about earlier are all focused on preventing a breach. This security resilience strategy is about “after breach” activities.

If businesses want to embrace network security resilience, what are some initiatives or technologies they can deploy to move them in that direction?

Keith: Each one of the activities could be an interview in itself, but I’ll try to summarize.

• Deploy threat intelligence gateways to prevent the exfiltration of data to known bad IP addresses.
• Use application intelligence to help find indicators of compromise (IOC).
• Decrypt TLS (and SSL)-based monitoring data with a network packet broker (NPB) to distribute data to forensic tools for faster analysis.
• Implement adaptive monitoring using the automation capabilities of an NPB to respond to SIEM instructions in near-real time to pass suspect monitoring data to data loss prevention (DLP) tools for analysis.
• Install a security attack replay capability to capture security data and view it in the lab to acquire a tactical analysis of how the breach took place.
• Conduct cyber range training so security engineers can recognize threats faster and practice responding to them properly.
• Use threat simulation capabilities in your security lab to understand better how a particular threat behaves so you can understand what it touches.
• Capture and filter monitoring data, and then send that data to a purpose-built device to look at traffic patterns and IOC.

Thanks, Keith, that was great. Any last words?

Keith: I understand the need to focus on preventative measures, but every company needs to be prepared for a security breach. The bad guys are moving too fast and have advanced machine learning-based tools. It’s impossible to defend against every type of attack. Playing defense is certainly important, but more emphasis needs to be placed on recovering after a breach.