IT Security today is not about defending a (non-existent) perimeter, but about protecting the organization's attack surface, which has changed dramatically due to the cloud, mobility, BYOD, and other advances in corporate computing that have caused fundamental shifts in network architecture and operations.
Practically speaking, it means you need to monitor what is occurring inside the firewall just as much as (if not more than) what is outside trying to make its way in. Think of it as a post-breach mindset based on a "1,000 points of light" model as opposed to a "moat and castle" model of defense.
In theory it's evolutionary, but given the accelerated pace at which security organizations have matured, it is not necessarily an easy transition to make. Not only has the threat landscape changed, but there has been constant flux in the leadership, skills, tools and budget required.
As a result, even in advanced shops, perimeter-based defense practices still linger: practices based on flawed thinking or misconceptions which, if left unchecked, hinder fast detection and response. Here are some of the ones we see the most:
* Fixation on penetration prevention. Solution: Shift to an "already compromised" mindset. With APTs more prominent than ever, it's no longer about if you get breached, but when. You should evolve your security defense accordingly. Instead of focusing on preventing penetration, focus on the adversarial activity that is going on within your network. The good news is you have an advantage: the majority of damage is usually done several months after penetration. Hackers tend to deploy "low and slow" techniques and perform minimal actions per day in order to evade detection, better understand the organization and craft a foolproof roadmap to reach their true target.
* Accepting simple explanations. Solution: Always dig deeper. Security events are not caused by error or accident. Every piece of evidence should be over-analyzed and malicious intent must always be considered. Because your security teams cannot know all adversarial activities, in a sense they are at a disadvantage; therefore, it is crucial for the teams to over-investigate what they can see in order to reveal other unknown and undetected connecting elements. Security teams must always assume they only see half the picture, working diligently to uncover the rest of the pieces of the puzzle.
* Striving for fast remediation. Solution: Leverage the known. Instead of remediating isolated incidents as fast as possible, the security team should closely monitor the known to understand how it connects to other elements within the environment and strive to reveal the unknown. For example, an unknown malicious process can be revealed if it is connecting to the same IP address as a detected known malicious process. Moreover, fast remediation reveals to the hackers which of their tools are easy to detect; they can then purposely deploy those known tools in excess to distract defenders and waste their time.
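The "leverage the known" pivot described in the last point, as an added example that is not part of the original article: starting from processes the team has already confirmed as malicious, collect the destination IPs they contacted and surface every other process, on any host, that reached the same destinations. The connection records, host names, process names and IPs are constructed sample data; the prevalence cap is an assumed check to keep widely shared destinations (CDNs, update servers) from flooding the result.

```python
"""Pivot from known-malicious processes to unknown ones via shared destinations."""
from collections import defaultdict
from typing import Dict, Iterable, Set, Tuple

# Constructed endpoint network-connection records (not real telemetry).
CONNECTIONS = [
    {"host": "ws-017", "process": "svchost.exe", "dst_ip": "203.0.113.10", "dst_port": 443},
    {"host": "ws-017", "process": "updater.exe", "dst_ip": "198.51.100.7", "dst_port": 443},
    {"host": "ws-042", "process": "wmiprvse.exe", "dst_ip": "198.51.100.7", "dst_port": 8443},
    {"host": "srv-db1", "process": "sqlservr.exe", "dst_ip": "10.20.0.5", "dst_port": 1433},
    {"host": "ws-042", "process": "chrome.exe", "dst_ip": "203.0.113.10", "dst_port": 443},
    {"host": "srv-db1", "process": "conhost.exe", "dst_ip": "198.51.100.7", "dst_port": 443},
]

# Process names the team has already confirmed as malicious (constructed).
KNOWN_MALICIOUS: Set[str] = {"updater.exe"}


def pivot_on_destinations(records: Iterable[dict], known_malicious: Set[str],
                          max_processes: int = 10) -> Dict[str, Set[Tuple[str, str]]]:
    """Return {dst_ip: {(host, process), ...}} for processes NOT yet flagged
    that contacted a destination a known-malicious process also contacted.

    Destinations reached by more than `max_processes` distinct process names
    are skipped: shared infrastructure is a weak pivot and produces noise.
    """
    records = list(records)
    # Step 1: destinations reached by already-known malicious processes.
    suspect_ips = {r["dst_ip"] for r in records if r["process"] in known_malicious}
    # Step 2: how many distinct process names talk to each destination.
    procs_per_ip = defaultdict(set)
    for r in records:
        procs_per_ip[r["dst_ip"]].add(r["process"])
    # Step 3: every other process that reached a (not overly common) suspect IP.
    hits: Dict[str, Set[Tuple[str, str]]] = defaultdict(set)
    for r in records:
        ip = r["dst_ip"]
        if ip in suspect_ips and r["process"] not in known_malicious \
                and len(procs_per_ip[ip]) <= max_processes:
            hits[ip].add((r["host"], r["process"]))
    return dict(hits)


if __name__ == "__main__":
    for ip, procs in pivot_on_destinations(CONNECTIONS, KNOWN_MALICIOUS).items():
        print(f"{ip}: also contacted by {sorted(procs)}")
```

Each surfaced (host, process) pair is a lead to investigate, not a verdict; the point is that one confirmed indicator widens what the team can see before it is burned by remediation.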