How to create an IT security strategy that balances defence with offence
A proactive IT security strategy, centered on offensive measures, is key to risk mitigation and overall cost savings
Every product developer seems to have the same worry: Is what I just created stable and secure enough to deploy? Today, every IT department has the same worry. Not that they need one, but if they wanted an incentive, research from the Ponemon Institute supplies it.
The later organisations identify defects in the applications they build or deploy, the more it costs them to implement fixes. It makes intuitive sense, but resolving a defect during the quality assurance (QA) testing phase, for example, costs 11 times more than fixing it during the development phase. And after the system goes live, that same defect costs ninety times as much to resolve.
There is an incredibly strong financial argument for businesses to identify vulnerabilities as early as possible. But there is more to it than that. The IT security industry traditionally introduces new products and features that end up creating layers of defense against cyberattacks.
It is more difficult for attackers to navigate through multiple layers to gain access to a specific vulnerability target. It is a good approach and a good defense is vital. But every defense needs to be balanced with an effective offense that prevents attacks from happening in the first place.
A good offense strategy focuses on testing and training against realistic loads and cyberattacks before an application or network change is deployed. This way, key vulnerability targets are fixed before they are made public - making a cyberattack much less likely.
It also focuses on making traditional defensive security layers work smarter, by introducing greater visibility and reducing the network’s attack surface – again reducing the chances of a successful attack. So a good offense in IT security is not just cheaper, it mitigates attack risk.
Where do vulnerabilities come from?
When it comes to attack targets, there are three Ps to consider: products, people, and processes. ‘Products’ covers specific product features, system commands or compliance issues, which malicious hackers identify and exploit. For example, an unchanged default setting can be easily bypassed to achieve administrator privileges.
‘People’ covers both human error and malicious intent from inside an organization. Employees might leave passwords in obvious places, or fall victim to social engineering attacks. IT teams might accidentally leave a support back door or API to the network open.
It is important to remember the role and mission of IT security teams: if they are not trained on how to deal with a situation so they can be part of the solution, then they just might inadvertently become part of the problem. Train them and give them the time and tools to practice.
Finally, ‘processes’ covers issues such as how products or services are installed or configured, and even the method and timing of deployments of patches and upgrades. Configure a new product wrong and you may have just opened a new door to your network.
Miss a patch in one area and you likely have a new vulnerability. Have an execution plan for making changes and implement according to your plan.
All three types of vulnerability can arise at any point from development, through deployment, to operation. A comprehensive security strategy protects against all three. Formulating the strategy begins with two key offensive elements, which act as a foundation for two key defensive elements further down the line.
Offensive strategy #1: Development
It is easy to think of development as the first, finite phase in a process - or as something that only applies to businesses that build hardware and software. But any time you deploy an application or a network, or offer a new service, you are developing.
If you are installing a new security appliance or implementing a new feature of multi-factor authentication on your network, you are developing. And developing never stops - new features, updates and patches continually occur in every application, network, and wireless connection.
Development, in other words, is a broad and continuous process. It is crucial to recognise this in order to build an effective offense strategy. Whether you are carrying out a new deployment, a patch or an upgrade, development testing should be a continuous process.
It is vital to continuously check performance and security integrity during even routine upgrades, maintenance and other changes, not just during isolated testing periods.
Offensive strategy #2: Training
Security training ensures your team has the skills to manage every stage of the security lifecycle, from stressing your configuration during beta testing, to intelligent network monitoring, to reducing the network’s attack surface.
It is also about teaching IT staff by being proactive with realistic training. Attack your own application and practice defending it. Training is more than just watching videos or sitting in PowerPoint presentations. It is about active practice in realistic scenarios. IT teams need to expect the unexpected, and take nothing for granted.
Defensive strategy #3: Monitoring
Most organisations monitor their networks for signs of attack. But you cannot secure what you cannot see. Looking at this with our offense mindset, how do you know your security framework is even sending all of the data up to your firewall and other security tools?
Those security tools have the best chance of protecting your network when they have access to all incoming data - pre-filtered, highly load-balanced. This relies on a robust architecture that is accurate, highly available and easily programmable to shift the load in case any one tool fails.
Defensive strategy #4: Defending
Of course, having a sophisticated arsenal of defensive tools designed to prevent malicious network access is vital. But again, a good offense mindset can make defending far easier. Shrinking your network’s attack surface makes your business a more difficult target to hit.
Why fight and analyse network traffic that comes from IP addresses that are known to harbor malware, or to be the source of attacks, when it can simply be blocked? A hospital in New York, for example, is highly unlikely to need someone from a small country on the other side of the world inside its network - so why not just block them?
When it comes to your internal network, why not instantly block all known bad, unregistered, or hijacked IP addresses automatically, as well as entire regions of the world where you do not do business? Your doors need to be open for business. Your internal network does not.
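The edge policy described above, as an added example that is not part of the original article or any Ixia product: known-bad and unregistered (bogon) sources are dropped everywhere, while geographic restriction applies only to the internal zone, so public-facing services stay reachable. All prefixes, region codes and log lines are constructed, and the geo table is a stand-in for a real geo-IP database.

```python
"""Edge policy sketch: block known-bad and unregistered sources everywhere,
and geo-restrict only the internal network. All data below is constructed."""
import ipaddress
from typing import Optional

# Constructed deny list, standing in for a threat-intelligence feed.
KNOWN_BAD = [ipaddress.ip_network(n) for n in ("203.0.113.0/24",)]
# Constructed "unregistered" (bogon) subset: address space that should never
# arrive from the Internet. Real bogon lists are longer and change over time.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]
# Hypothetical geo-IP table (prefix -> country code); "ZZ" is a placeholder
# region where the organisation does no business.
GEO = {ipaddress.ip_network("198.51.100.0/24"): "US",
       ipaddress.ip_network("198.51.100.128/25"): "ZZ",  # more specific wins
       ipaddress.ip_network("192.0.2.0/24"): "ZZ"}
BUSINESS_REGIONS = {"US"}  # regions the organisation actually operates in

def region_of(ip: ipaddress.IPv4Address) -> Optional[str]:
    """Longest-prefix match against the geo table; None if unknown."""
    matches = [net for net in GEO if ip in net]
    return GEO[max(matches, key=lambda n: n.prefixlen)] if matches else None

def decide(src_ip: str, dst_zone: str) -> str:
    """Return 'allow' or 'block:<reason>' for one flow. dst_zone is 'public'
    (customer-facing services) or 'internal' (the corporate network)."""
    ip = ipaddress.ip_address(src_ip)
    if any(ip in net for net in BOGONS):
        return "block:unregistered-source"
    if any(ip in net for net in KNOWN_BAD):
        return "block:known-bad-source"
    if dst_zone == "internal":  # doors open for business; internal is not
        region = region_of(ip)
        if region not in BUSINESS_REGIONS:
            return f"block:region-{region or 'unknown'}"
    return "allow"

def apply_policy(log_lines):
    """Parse constructed 'src=<ip> zone=<zone>' lines; return (src, zone, verdict)."""
    out = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        out.append((fields["src"], fields["zone"], decide(fields["src"], fields["zone"])))
    return out

SAMPLE_LOG = [  # constructed sample flows
    "src=198.51.100.10 zone=internal", "src=198.51.100.200 zone=internal",
    "src=192.0.2.7 zone=public", "src=192.0.2.7 zone=internal",
    "src=203.0.113.5 zone=public", "src=10.0.0.9 zone=public"]

if __name__ == "__main__":
    for src, zone, verdict in apply_policy(SAMPLE_LOG):
        print(f"{src:>16} -> {zone:<8} {verdict}")
```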
Combining offense and defense
An intelligent and comprehensive security defense strategy begins from a point of offense. The more thorough and continuous your development testing and training, the easier your network will be to defend. Make yourself a smaller target and you will be more difficult to hit.
These offensive security elements lay the foundation for highly targeted and specific defensive security, minimising wasted effort on protecting a too-large attack surface. Prevent attacks from occurring in the first place. The best defense is amplified by a well thought-through offense.
Sourced from Jeff Harris, senior director, solutions marketing, Ixia