The pace of change for Information Technology is challenging established notions of "What is IT?" and "What is Information Security in the modern age?" For one example, the "new" data center technologies such as virtualization, Software-Defined Networking (SDN), service-oriented delivery models, and cloud computing have radically changed the typical IT infrastructure from a defined set of assets owned and controlled by the organization to a constantly fluctuating roster of resources that can come and go from IT department visibility and control.
[Enterprise defenses lag despite rising cybersecurity awareness]
As this has occurred, we have witnessed the equivalent of a Cambrian Explosion of new Internet-connected life forms - mobile devices, tablets, sensors, actuators, home appliances, monitoring systems, content access devices, and wireless terminals. Applications running on these devices range from recreation to services critical to the functioning of our social and economic infrastructure. Put it all together, and we expect that world population of Internet-connected devices will grow from today's 10 billion to over 50 billion by the year 2020.
From a security point of view, these IT changes, including the expansion of Internet-connected devices, lead to a corresponding increase in attack surface. Instead of the mission of protecting a reasonably known and enclosed IT perimeter, we now must be ready to secure any connected device humans can make against any threat a hacker can innovate. Clearly, using established security practices, except on a larger scale, will not suffice.
Plainly said, we need to think differently about cybersecurity.
One classic strategy and two new ones
The aspects I just quickly described may sound overwhelming, but I remain optimistic, however, that methods exist to contain damage to assets, processes, and people that make use of information technology. Ironically, what is old is new again for some of this, and then there are just plain new ways to approach. Of the many to surface, I'd like to talk about three in particular.
Do the basics and do them well
This includes taking a diligent approach to software patching, user identity management, network management, and eliminating any dark space in your infrastructure. The main objectives in this endeavor include reducing attack surfaces available to adversaries and basing resource access policies on need-to-know/need-to-use principles. Even just getting better at patching can reduce available attack surface by 70 percent. Organizations that perform thorough asset inventories are often surprised by how many previously undocumented systems they discover connected to their network.
[Security training is lacking: Here are tips on how to do it better]
This do-the-basics strategy might sound commonplace, but it can be quite demanding when one takes into account the diversity and sheer numbers of devices and systems that today's IT operations must secure. A sophisticated identity management program that brings together the latest strong password, federated identity, privilege management and anomalous behavior detection technologies would not have been possible a few short years ago, but it can go far in improving the ability of security teams to prevent, see, and contain security incidents.
Strive to spread doubt and confusion in the adversary's mind
There are plenty of ways to do this. You can start by making your infrastructure a moving target by changing addresses, infrastructure topologies, and available resources daily. An activist approach to virtualization makes it possible to build up and tear down resources at will. SDN technology can virtualize the deception process while streamlining the process of building security management and control features into the network fabric. In short, do what you can to prevent the adversary from seeing the same infrastructure twice.
You can also set up honey pots and Potemkin villages on your network that can waste the adversaries' time, divert them from real assets, lead them to tainted intellectual property, or cause them to stumble into alarms that announce their presence in your domain. At their most advanced, these techniques can shake adversaries' confidence in their hacking prowess and increase their anxiety over being caught, exposed and prosecuted.
Collect, correlate, and analyze as much operational data as you can
This strategy is significant as it signals a shift in the remediation mode to detecting and defeating attacks and intrusions quickly and thoroughly when they do occur. In the data, you are looking for Indicators of Compromise (IoCs) -- anomalous device or user behavior, network traffic to and from known addresses, and other tip-offs. Data subject to analysis can include local telemetry from your infrastructure, information and intelligence from beyond your infrastructure, or data traffic that doesn't conform to normal patterns of activity.
Changing your mental approach is just as essential
This new approach to security carries with it a not-trivial change in our mental approach for security. Formerly, we thought of security as defending perimeters and hardening assets against attack. The new model calls for assuming that if people, things, and business processes haven't been compromised, they will be shortly. Established security tools and products like firewalls, security appliances, or anti-malware software do a good job of blocking known threats and leave us freer to detect, recognize, and contain those threats that manage to slip through basic defenses.
[The U.S. state of cybercrime takes another step back]
Increasingly, we have come to understand that the most dangerous threats do their work quietly and quickly, and then disappear. A threat of this kind will typically wreak its damage in minutes, hours or days. By contrast, too many security teams require days, weeks, or months to discover and remediate an intrusive threat of this kind. That's not good enough.
We also need accountability shifts, a measure by which to define efficacy, and a willingness to "break some glass" to change what we have...otherwise, we continue to get more of what we have today, and that isn't acceptable.
The strategies recommended in this article do three things to make adversaries' life more difficult:
- Shrink attack surfaces and vulnerabilities through the basics
- Shift the burdens of fear, uncertainty, and doubt onto the bad actors
- Reduce latencies between the moment a threat lodges in an infrastructure, its detection, and its disposal
While we have a challenging road ahead to secure IT-enabled social and economic processes from deliberate harm, new technologies, network intelligence, and new ways of thinking about cybersecurity itself give us a fighting chance.
John N. Stewart is the CSO of Cisco Systems, Inc.
