Practically every day, a new high-profile security breach is reported in the media, revealing the latest distributed denial of service (DDoS), advanced persistent threat (APT) or whatever else it may be that has compromised the data of customers and employees at large organisations.
But beyond the high-profile attack at large companies, there are hundreds or even thousands of cyber attacks carried out every single day that will not be reported by the media – or, in most cases, the victim.
Whether these attacks are carried out on businesses, public sector organisations or entire nations – for reasons of activism, monetary gain or warfare – something needs to change about how they are combated.
Successful attacks on some of the largest and most resourceful organisations in the world are leading a growing number of companies to the same brutal conclusion: no amount of investment in the latest and greatest information security solutions can keep them protected. The hackers, for several years now, have constantly remained one step ahead of security vendors and their solutions.
>See also: The 2015 cyber security roadmap
‘Our adversaries are in many cases stronger than us,’ admits Dr Wael Aggan, CEO of CloudMask. ‘This is proven each time we learn of a new security breach at a well-known consumer brand, a high street bank or government department. These organisations invest heavily in security technology but breaches still occur.
An increasing number of stealth attacks are being uncovered – such as sophisticated malware toolkit Regin – which are not immediately destructive but monitor and track information over a period of time.
As such, a paradigm shift in how organisations secure data is desperately required. Many IT departments still focus much of their attention on protecting the boundaries of their networks to ensure strong perimeter security, but times have changed.
‘Today, our adversaries have greater capabilities, and boundaries are not preventing them from reaching our data,’ says Aggan. ‘At the same time, our data is no longer confined to our network, where it can be protected – we live in a hybrid world, and we need to collaborate with multiple stakeholders.’
It is no longer enough to rely on perimeter security alone. Businesses need a more dynamic technique that protects data throughout its lifecycle, from creation, through transit and storage to the point of consumption. The focus should be on protecting data, not controlling access to the data.
The complexity and interconnection of enterprise systems creates tiny chinks in the overall armour, which can lead to bigger vulnerabilities.
The 2014 attack against casino chain Las Vegas Sands Corp is a case in point. The company is a multibillion-dollar operation with robust security, but the hackers were patient, spending weeks probing at branch office networks and servers until a weakness was found.
‘In this case, they found the password of a senior IT staffer who had visited a branch office,’ says Keith Bird, UK MD at Check Point. ‘This gave them access to Sands’ main servers, after which they launched a malware attack very similar to the recent Sony Pictures attack.
‘The sheer complexity of modern IT estates makes it difficult to monitor and manage every device, access point, server and so on, irrespective of the investment in security.’
The Las Vegas Sands Corp attack was indicative of a large but common flaw in many organisations’ approach to security: focusing too much on sophisticated protection techniques and overlooking the biggest threat to the business – the employees.
Indeed, two-thirds of respondents to a 2014 Check Point survey of over 700 IT professionals said that recent high-profile breaches of customer data were likely due to employee carelessness.
Another study, by Cisco, found that not only are employees becoming an increasing source of risk through a lack of awareness of social and phishing techniques, but many actually attempt to deliberately circumvent security policies that they believe inhibit innovation and collaboration.
This is clearly a critical problem, and points to an urgent need to better educate employees on the consequences of their actions and how to keep the company secure.
‘Employees are often the weakest link in the chain when it comes to keeping the company secure,’ says Simon Mason, head of security EMEA at Verizon. ‘Gaining access by using someone’s valid credentials is by far the easiest and least-detectable way to gain unauthorised access to networks and data.’
Awareness is the ‘best line of defence’ against any type of threat, he adds, so regardless of the level of protection and security tools in place, businesses must ensure they educate employees about the risk factors in their actions and that in-house policies and procedures are being adhered to. ‘Overlooking the most basic steps can lead to disaster.’
That’s not to say, however, that investing wisely in security solutions is not important. The threat landscape is constantly evolving, and organisations must ensure they are keeping up with it by deploying the right technologies.
The case is no longer ‘if’ but ‘when’ an attack will occur, and how organisations respond to that will make or break them in terms of how they reduce, limit or, even, completely eliminate the damage.
Last year was a wake-up call for businesses, but 2015 is only going to see cyber attacks become more complex, sophisticated and challenging to spot.
‘Businesses are not moving fast enough to keep up, and the likely result will be more high-profile security breaches,’ says Phil Barnett, VP and GM of EMEA at Good Technology, who points to consumer technology in the workplace as a particular headache area for IT departments.
‘Consumer devices act as a gateway for corporate data to move between controlled, corporate environments and unknown entities,’ he remarks. ‘By design, modern consumer devices are prone to leaks because they are built to make it easy for users to share data.
‘The lack of employee awareness makes their devices easy targets for sophisticated cyber threats. Unless education and corporate technology are enhanced, consumer technology is likely to be the root cause of huge security issues in the coming year.’
CIOs will also increasingly worry about the security and governance implications of technology investments falling away from their department and into the hands of business users.
The best way to ensure that good security and governance is kept is to align the goals of the IT department more closely with those of the business leaders. To do this, leaders must be persuaded that cyber security is not a necessary evil, nor a form of insurance.
Accepting that breaches will occur, businesses should in fact treat cyber security as a business enabler: an investment that brings proportionate returns with the avoidance of significant compromise.
‘CIOs need to accept that breaches are pretty much inevitable,’ says Greg Day, CTO, EMEA at FireEye. ‘There is no such thing as perfect security, so marginalise the impact of those that loom largest. Educate your employees accordingly, budget, invest and test your response strategies against the focused, advanced attacks that will come to define 2015.’
But accepting that breaches are inevitable does not mean investing less in security, and it will be down to CIOs and CISOs to convince their company’s executive leadership that upping investment is a necessity.
‘This will always be difficult,’ says Oscar Arean, technical operations manager at Databarracks. ‘If the business has ever experienced a breach then, depending on the severity, they may be more inclined and more easily persuaded to invest more in security. If they haven’t, getting them to invest in solutions for what is seen as a risk but may never happen can be a hard sell.’
Penetration testing should be a first step to determine the current state of the business’s security measures, and decisions can be made from there.
The best method for convincing senior management is to show risk and costs in real terms that make sense to them. The next step is making sure the budget is spent wisely. Next-generation security, to meet the changing technology landscape, will vastly differ from ‘traditional’ security methodology.
The abundance of mobile devices and cloud services, and the ever-growing number of digital identities, requires a different security methodology – one that accepts that the perimeter is really dead, not almost dead.
‘The solutions that we’ll see will place a greater emphasis on management and governance of digital identities, provide visibility into what’s happening on the greater network – visibility into not only the internal components, but also the things happening in the cloud – and provide tools for faster response and better mitigation,’ says Daniel Cohen, head of anti-fraud services at RSA.
‘Mobile devices and cloud services are being adopted at an incredible rate, and threats to organisations will increase globally. That said, every region has its own unique characteristics that will push attackers to evolve their methods.’
Specifically in the UK, for example, if prime minister David Cameron is successful in banning secure communications, attackers may have to look for other ways to hide theirs.
A waiting game
Ultimately, however, CIOs and CISOs need to change their tack this year to ensure that they are not on the receiving end of the next highly publicised breach.
According to Verizon’s Data Breach Investigations Report, on average it takes 243 days for a data breach to be discovered, if it’s ever discovered at all. As such, CIOs and CISOs need to get much better at closing this gap – not to days, or even minutes, but to seconds.
Of course, this is no mean feat; hackers are patient – they will find an easy target to infiltrate the company, and from there they will test the system for further points of weakness.
Once they are on the move, they leave back doors and entry points, in case their main hubs are uncovered. This means that an organisation may find one breach but will be unaware that there are ten more lying dormant.
‘For these reasons, organisations need always-on continuous monitoring, not just on the network but on every endpoint,’ says Ben Johnson, chief evangelist at Bit9 + Carbon Black. ‘This approach will enable them to track the kill chain of an attack right back to the initial intrusion and the action that triggered it on the endpoint.
‘By having complete visibility of every action the hacker has undertaken, security teams can close any gaps quickly to minimise the damage of a hack and prevent future attempts.’
What the experts say
‘We need to realise there is always the chance of a breach and we’re never likely to eliminate the threat altogether. Once we’ve recognised his problem, we can begin to assess the impact of a breach to our various critical assets, look at the cost of that breach and then the cost of potential solutions.’
– Orlando Scott-Cowley, cyber security expert, Mimecast
‘Management teams are accustomed to gaining support for training for worst-case situations in other areas of the business – information security should be no different. Planning and input needs to include all departments. Whoever has access to the network, no matter how occasional, must be involved.’
– Ian Trump, security consultant, LogicNow
‘CIOs and CSOs need to improve both detection effectiveness and response speed in order to minimise their risk of being the subject of a major breach. They should also be able to analyse those attacks in as near to real-time as possible, in order to identify which ones represent a real danger.’
– Piers Wilson, head of product management, Tier 3 Huntsman
‘Employee education is critical to a company’s security posture. Regular security best practices and training should be conducted. It is the responsibility of everyone in the company – from execs to the front desk to make sure the security practices are used.’
– David Howorth, VP EMEA, Alert Logic
‘No one can have missed the high-profile bugs and hacks of 2014 and the damage to reputations and lawsuits that followed. These types of scenarios should now be enough to give even the most IT-phobic management nightmares. CIOs can now find a wealth of evidence online to support their requests for funds.’
– Nicholas Sciberras, product manager, Acunetix
‘No matter how much money they spend, they will still get breached – it is just the way of the Internet. Instead of thinking that way, think about how ready they are for the incident and how their response will be swift and accurate such that there is no disruption to the business.’
– TK Keanini, CTO, Lancope
‘CIOs and CSOs therefore need to look to install systems that can automatically collect and analyse 100% of IT network data in real-time. This allows the proactive identification of anomalies and, from there, strategies can be devised in order to limit potential damage caused by the breach.’
– Ross Brewer, VP and MD of international markets, LogRhythm
‘CIOs and CSOs have to honestly and thoroughly investigate whether parts of their organisations operate at different speeds. If they do, they have to address that immediately. Frustrated security specialists and business managers that do not talk to each other anymore are the best allies to any attacker.’
– Wieland Alge, VP and GM of EMEA, Barracuda Networks
‘Security and the response to threats will stretch increasingly into the application layer rather than just protecting the perimeter and network. We will also see an increasing correlation of events across the network, systems, firewalls and applications that when combined turn into a threat.’
– Stefan Haase, product director, Redcentric
‘User education may always be behind the curve, but basic principles should still apply. Frequent communications and regular updates in team meetings, deploying a mock phishing campaign and assigning security champions to business units are all tactics that organisations should be using.’
– Paul McEvatt, lead security specialist and cyber consultant UKI, Fujitsu