Today’s information security landscape is a constantly evolving beast. As attack vectors continue to grow, attacks become more frequent and attackers evolve to be even more sophisticated.
This is what we call “the new normal.”
The need to continuously adapt to an increasingly hostile environment has forced a significant change from the familiar security measures that kept us “comfortable” only a scant 5 years ago.
Do you remember these “golden rules” from just a few years ago?
Lock your workstation when you walk away.
Run antivirus software.
Don’t click on suspicious links.
Don’t write your password on sticky notes.
Select strong passwords and change them often.
Have firewalls, in fact, have lots of them.
Encrypt your hard drive.
Patch your systems at least once per month.
Although the good “belt and braces” security hygiene of yesteryear is still valid and required, the reality is that it’s nowhere near sufficient to combat the dangers of today’s increasingly complex threats.
As we consider the evolving enterprise security posture, here are a few observations and recommendations to help you keep up with the rapid pace of change:
Say goodbye to generic “best practices” security. Compliance is not a security program – it’s a starting point. Any organization that is still just checking the boxes on the audit report is getting breached. Have this conversation in the boardroom and use it to drive the culture towards security that’s specifically tailored to the business.
Patching is a daily event. Flaws in applications, services such as DNS and foundational software, including OpenSSL, mean that we can’t wait a month or more for patches. Ensure your organization can respond with instant remediation across workstations, mobile, servers and clouds. Manage at the application level to respond without having to push new desktop images.
Security just got personal. Targeted attacks go after specific individuals with personalized messages and payloads from an apparently trusted source. It’s getting more and more difficult – even for security professionals – to differentiate the malignant from the benign. And the highly rare APT ups the ante when the attacker has found a truly valuable target. More education is necessary, but can only go so far. Hardening must reduce the default attack surface as much as possible, and containment strategies must further sandbox attacks.
Breaches are to be expected. Formerly denied and only discussed in secret, breaches are now a reporting requirement for many organizations. A prescribed approach to incident management includes both technical and reputational responses. Containing breaches and their impact has been a deciding use case for app virtualization across governments, healthcare and financial services. Virtualizing all browser-based access is a leading practice for containing attacks against one of the most popular entry points for organizational breach.
End-to-end strong encryption is mandatory. And encryption isn’t just for networks and hard drives. Encryption must protect sensitive data within and between applications from desktops to mobile. Criminals have also recognized the value of encryption, with ransomware leveraging encryption as a weapon. And as the painful death of SSL has shown, outdated encryption can be as bad as no encryption. Control encryption for endpoints through app and desktop virtualization, on mobile devices with enterprise mobility management and for cloud and web apps with an application delivery controller with embedded web app firewall. And get to TLS immediately to protect your interests and meet PCI DSS requirements.
Security begins with access. A deep knowledge of highly situational context is necessary to control identity, authentication, authorization and access control. Implement the 5W’s of Access for employee and non-employee access. Use virtualization to provide fine-grained access control for privileged users and to ensure that there’s no direct access to sensitive data.
IT has competition. End users think they can do computing better themselves. And in many ways, they can. But not for security. Ensure that Shadow IT, unsanctioned BYO and the use of consumer-grade apps, clouds and services for sensitive data are replaced with IT-controlled and sanctioned offerings. Sounds tough? Simplify life for users by enabling single sign-on, improving their access and automating a superior experience across devices – and watch the competition lose!
This is by no means a prescriptive list. The demands on information security teams are here to stay. Nobody can afford to stand still. Attack vectors, and the methods by which bad actors seek to exploit them, will grow exponentially with the advent of more and more connected devices, people and locations.
What defines the next era of information security? Just as we look back at the “good old days” of security, today will appear relatively easy in comparison to how the Internet of Things (IoT) will quicken the evolutionary forces.
It’s time to keep watch, with both eyes open.