Securing a network becomes more challenging when the enemies are deceptive, clever, and savvy snakes, but recognizing the gaps in their own security strategies before the criminals do can help organizations minimize detection and response times.
I'm reminded of Macbeth, whose valour in war against Norway was rewarded with the title of Thane of Cawdor. In gratitude, Lady Macbeth encourages her husband to kill the king. She advises him, "Your face, my thane, is as a book where men/May read strange matters. To beguile the time/Look like the time. Bear welcome in your eye/Your hand, your tongue. Look like th' innocent flower/But be the serpent under 't." (Shakespeare, I.v.53-57)
The problem with a lot of breaches, especially those that are the result of social engineering, is that many of the attackers are just like Lady Macbeth. They know how to beguile the time. They phish like the innocent flower, but they are serpents indeed.
How, then, do organizations avoid the fate of King Duncan, especially when the extended network provides more opportunities for invasion?
Lysa Myers, security researcher at ESET, referenced the Target breach, in which attackers reached the retailer's sales network through an HVAC company.
"HVAC should not give access all the way to the point of sale machine," she said. Segmenting the network can prevent those types of breaches, as can encryption and risk assessment.
"It's complicated protecting the network because it opens holes, so organizations need to develop a principle of least privilege. Access only what they need. The idea is to make it so that if criminals get in with one piece, they can't access the whole puzzle," Myers explained.
Companies that accept there is a real risk of being breached can stop criminals who gain a foothold in their network by zoning off access through segmentation. There is no single means of protection, though.
Organizations need to deploy a balanced, holistic security approach, with the right technologies and solutions in place before, during, and after an attack, in order to safeguard their vital information.
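The segmentation and least-privilege point Myers makes above can be checked rather than assumed. The following is an added example, not code from the article or from ESET: it models a zone-to-zone allow-list with default deny and computes how far an intruder who lands in one zone can move by chaining permitted flows. The zone names, ports and rules are constructed for illustration; the "flat" policy stands in for an unsegmented network.

```python
# Added example (not from the article): audit a zone-based segmentation
# policy by computing the zones reachable from a compromised foothold.
# Zone names, ports and rules below are constructed for illustration.
from collections import deque

# Each rule permits traffic from a source zone to a destination zone on one
# port. Anything not listed is denied (default deny). "*" is a wildcard.
FLAT_NETWORK = [
    ("*", "*", "*"),  # one flat VLAN: everything can reach everything
]

SEGMENTED_NETWORK = [
    ("vendor-hvac", "building-controls", 443),  # vendor reaches only the BMS
    ("corp-users", "corp-apps", 443),
    ("pos-terminals", "pos-backend", 8443),
    ("corp-apps", "pos-backend", 5432),          # reporting pulls sales data
]

ZONES = ["vendor-hvac", "building-controls", "corp-users",
         "corp-apps", "pos-terminals", "pos-backend"]


def is_allowed(policy, src, dst, port):
    """True if some rule permits src -> dst on this port; otherwise denied."""
    return any(rs in (src, "*") and rd in (dst, "*") and rp in (port, "*")
               for rs, rd, rp in policy)


def zone_reaches(policy, src, dst):
    """True if any rule permits src -> dst on at least one port."""
    return any(rs in (src, "*") and rd in (dst, "*") for rs, rd, _ in policy)


def reachable_zones(policy, foothold, zones=ZONES):
    """Zones an intruder can reach by chaining allowed flows from foothold.

    This is a transitive closure: if A may reach B and B may reach C, a
    foothold in A can pivot to C. Any permitted port counts as a path.
    """
    seen = {foothold}
    queue = deque([foothold])
    while queue:
        current = queue.popleft()
        for zone in zones:
            if zone not in seen and zone_reaches(policy, current, zone):
                seen.add(zone)
                queue.append(zone)
    seen.discard(foothold)
    return sorted(seen)


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_NETWORK),
                         ("segmented", SEGMENTED_NETWORK)):
        for foothold in ("vendor-hvac", "corp-users"):
            print(f"{name:9} foothold={foothold:12} "
                  f"reaches={reachable_zones(policy, foothold)}")
```

Running it shows the difference Myers describes: on the flat policy a vendor foothold reaches every zone, including the point-of-sale back end; on the segmented policy it reaches only the building-control zone. The `corp-users` case is the one worth studying, because a single reporting rule from `corp-apps` to `pos-backend` lets a compromised user workstation pivot two hops to sales data, which is exactly the kind of chained path a per-rule review tends to miss.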
"More businesses need to be aware of risk assessment. Without understanding what they are protecting against, they can't build the best protection. Don't go purchasing programs or creating policies without first understanding their risks," Myers said.
Encrypting everything is another critical step toward creating stronger security. "Encrypt as much as you can, in storage and in transit," Myers added.
Myers also pointed out that there are other pieces to the puzzle, including two-step authentication and user education, or awareness programs.
In reference to awareness programs, Zully Ramzan, chief technology officer at RSA, said, "Organizations should conduct exercises to see if the education is working. Look at initiatives and make them more targeted. Identify the employees with a higher propensity for compromises so that you can assess the risks, but I don't think companies should over-invest in awareness programs."
Analytics are among the most useful tools for piecing together comprehensive strategies to defend against attacks and to respond to them.
"Analytics are important in gaining insight and then leveraging action," Ramzan added.
"Security is always about visibility and control. With the cloud it becomes more paramount to use visibility for being able to understand what's going on across all IT points from end users to the cloud."
The idea is that security is not only about prevention, and focusing too much on prevention can open up greater risks. In addition to building those perimeters of prevention, organizations also need to develop strategies for detection and response.
"Don't inflate or conflate any of these comprehensive strategies," said Ramzan. The idea that technology alone can protect against criminal attacks is wishful thinking, he said.
"Organizations need to move past prevention alone. Look at who received what, who clicked, and what happened. Monitoring response is essential."
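Ramzan's "who received what, who clicked, and what happened" is a concrete correlation question, and it is also the measurement his earlier quote asks for when checking whether awareness training works. The following is an added example, not code from the article or from RSA: it joins three constructed log sources (an email gateway log, a web proxy log and an endpoint alert feed) for one suspicious message and assigns each recipient the furthest stage they reached. All field names, users, hosts and timestamps are constructed for illustration.

```python
# Added example (not from the article): correlate constructed gateway,
# proxy and endpoint logs to stage each recipient of one lure message as
# "received", "clicked" or "compromised". All data below is constructed.
import csv
import io
from urllib.parse import urlsplit

# Email gateway log: which recipient received which message and lure URL.
GATEWAY_LOG = """\
ts,msg_id,recipient,url
2014-11-03T08:01:10Z,m-1001,alice@example.test,http://invoice-portal.example.test/view
2014-11-03T08:01:12Z,m-1001,bob@example.test,http://invoice-portal.example.test/view
2014-11-03T08:01:15Z,m-1001,carol@example.test,http://invoice-portal.example.test/view
2014-11-03T09:20:00Z,m-1002,dave@example.test,http://hr.example.test/benefits
"""

# Web proxy log: which authenticated user fetched which URL.
PROXY_LOG = """\
ts,user,url,status
2014-11-03T08:05:44Z,bob@example.test,http://invoice-portal.example.test/view,200
2014-11-03T08:06:02Z,bob@example.test,http://invoice-portal.example.test/inv.exe,200
2014-11-03T08:30:11Z,carol@example.test,http://invoice-portal.example.test/view,200
2014-11-03T09:25:30Z,dave@example.test,http://hr.example.test/benefits,200
"""

# Endpoint alerts: detections on a workstation, attributed to a user.
ENDPOINT_ALERTS = """\
ts,user,host,alert
2014-11-03T08:06:40Z,bob@example.test,WS-0042,unknown_binary_executed
"""


def parse_csv(text):
    """Parse a CSV log string into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def _host(url):
    return urlsplit(url).hostname


def stage_users(msg_id, gateway, proxy, alerts):
    """Map each recipient of msg_id to the furthest stage reached.

    "received": the gateway delivered the message to the user.
    "clicked":  the proxy saw the user fetch the lure host after delivery.
    "compromised": an endpoint alert for that user followed the first click.
    Timestamps share one zero-padded ISO-8601 UTC format, so string
    comparison orders them correctly.
    """
    stages = {}
    for row in gateway:
        if row["msg_id"] != msg_id:
            continue
        user, delivered, lure_host = row["recipient"], row["ts"], _host(row["url"])
        stage = "received"
        clicks = sorted(p["ts"] for p in proxy
                        if p["user"] == user and _host(p["url"]) == lure_host
                        and p["ts"] >= delivered)
        if clicks:
            stage = "clicked"
            if any(a["user"] == user and a["ts"] >= clicks[0] for a in alerts):
                stage = "compromised"
        stages[user] = stage
    return stages


def summarize(stages):
    """Count recipients per stage; the click rate is the training metric."""
    counts = {"received": 0, "clicked": 0, "compromised": 0}
    for stage in stages.values():
        counts[stage] += 1
    return counts


if __name__ == "__main__":
    gw, px, al = parse_csv(GATEWAY_LOG), parse_csv(PROXY_LOG), parse_csv(ENDPOINT_ALERTS)
    result = stage_users("m-1001", gw, px, al)
    for user, stage in result.items():
        print(f"{user:22} {stage}")
    print(summarize(result))
```

The output for message `m-1001` places one recipient at each stage: alice only received it, carol fetched the lure site, and bob fetched it, downloaded a second file from the same host and then triggered an endpoint alert. That per-user staging is what lets a response team prioritise bob's workstation first and, over many messages, gives the click-rate figure Ramzan suggests using to decide whether awareness spending is paying off.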
What's important to consider is that the criminals trying to hack into the network are looking for ways to infiltrate it despite the defenses that organizations are developing. The fundamental principles of a balanced approach that includes prevention, detection, and response cover both offensive and defensive tactics.
Security is no longer about protecting the perimeter to secure what is inside. Extended networks mean more connectivity, so the extended network needs to be protected.
"The network is critical for defending against breaches," said Marc Solomon, Cisco's vice president of Security Marketing, "but as the Internet of Everything (IoE) expands, there will be more devices, and the extended network includes everything from data centers to clouds to end devices."
All of those pieces need to be considered in developing the strongest security.
If organizations look only at prevention, the attackers look for where the organization is blind, said Solomon. Yes, the network is the core of an organization's security, but it should be viewed holistically.
"Nothing is an end all be all. We are all human and we will all make mistakes," he said.
Spending money on awareness training is a good practice because security is about a balance of prevention, detection, and response, Solomon added.
"Security is a series of attack vectors, on end users, and addressing that will help, but you're not going to solve the problem solely through awareness training."
Macbeth had murdered several men, including the king, before anyone suspected him of treason. That's not to suggest a trust-no-one approach, but a recognition of the fact that people with malicious intent don't advertise their criminal behavior. Thus, for most organizations, protecting their environments requires a variety of technologies.
"A lot comes in through email users, so you need something that secures email like advanced malware protection. Users might click on an unknown threat, and that unknown needs to be addressed. Advanced malware might be able to see the file, understand its behavior and block the threat based on certain characteristics," said Solomon.
What are some technologies that can help in addition to advanced malware?
"Email security and web security on the network or the crawl ware service can reduce the time of detection and the time of response," Solomon added.
Putting in place firewalls and intrusion-prevention systems that work together is another way to protect against attack vectors. "The whole security system--people, process, and security--is needed to secure your environment," he said.