In today’s ‘new normal’ world of Information Security, yesterday’s approaches to keeping the bad guys out have effectively been rendered useless. Put simply, it is my view that it’s no longer possible to protect your personal data or your organization’s intellectual property by maintaining a reactive strategy.
As the traditional perimeter shrinks, yet fragments into a new edge with every mobile device or IoT endpoint that connects, the aggregate attack surface grows, and perimeter-only controls cannot keep pace with it.
It’s time to rip up the playbook and rethink how you move to a proactive posture – one that should be viewed as an imperative, not a nice-to-have.
At the heart of many of the best examples of modern, effective security postures that I have seen has been the concept of using intelligence to help drive the desired outcomes of each of the key cornerstones of Deter, Detect, Respond, Remediate. Just as, in the physical world, we look to law enforcement and government entities to use intelligence to protect from harm, so must we embrace the same philosophies in the virtual world – we are in a relentless state of cyber-war and we must prepare for the ongoing battle by out-thinking and out-smarting the enemy.
An ounce of prevention is worth a pound of cure. – Benjamin Franklin
In terms of the role that intelligence plays in the new normal, I think of it as a combination of Human & Artificial – each with a key role to play and each as vital as the other in the successful implementation of a progressive, adaptive security posture.
Human Intelligence – this is an oft-neglected, yet critical part of the line of defence. It’s a game of hearts and minds and every organization has to view their employees, contractors and partners as extensions of their firewall. For the human intelligence element to be effective, organizations must commit to deliberately blurring the lines between personal (at home) and corporate (in-office) security – designing scenarios and exercises that imitate social engineering or phishing attacks and using those results to consistently address gaps in how those employees, contractors and partners behave and react to suspicious scenarios.
The rapid growth in ransomware, where attackers deliberately use social engineering to get their code onto a machine, encrypt the victim’s files and demand a hefty sum for the key to decrypt them, makes the front pages of the world’s newspapers and is another example of why it is critical to educate, educate, educate.
Artificial Intelligence – this is an emerging paradigm and perhaps the best weapon any organization could possess in today’s evolving threat landscape. Collecting, analyzing and acting upon system and log information is fundamental to the “hand-to-hand combat” approach that is required to keep the bad actors at bay. Attackers no longer rely on breaching the firewall head-on; they are much more sophisticated and use Advanced Persistent Threat tactics – which can include leaving Remote Access Trojans dormant for months at a time before moving laterally – so it is critical to add an “East-West” view (traffic between internal hosts) to accompany the existing “North-South” view (traffic crossing the perimeter), so that lateral data movement and internal network activity can also be captured and assessed.
The key to utilizing an artificial intelligence approach is being able to surface anomalies from the huge amounts of information captured in log management solutions and Security Information and Event Management (SIEM) systems. That requires first establishing a baseline of what normal looks like for each user, host and network; readily available machine learning and anomaly detection techniques can then give an organization “x-ray vision” into activity on its corporate networks and an advantage over the attacker.
As CTO, I hear one question from customers over and over again.
“What advice would you give us about where we should spend our time, effort and money to prevent or more quickly detect and remediate threats?”
My answer is always the same, irrespective of customer or industry sector:
“The fact that many organizations go months before they realize they have been compromised means there are not enough tools in place to quickly detect “indicators of attack” and “indicators of compromise.” You have to act like you’ve already been breached – that’s the change of mindset you need. Assume you are compromised right now, today, and then think about how you would architect segmentation at the access, network, application and data level. You also need more visibility to determine a baseline for what activity is valid, i.e. bandwidth usage, which users connect from where, which networks typically communicate at what times of day and what’s normal traffic, so that anomalous traffic can stand out using “x-ray” vision. For example, one way to gain visibility into attacks against web applications is with NetScaler Security Insight, which uses the application firewall function to better identify and prioritize attacks for more effective triage. Security Insight also analyses the NetScaler configuration and highlights inconsistencies that weaken the security posture.”
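The baseline-and-deviation idea runs through the Artificial Intelligence section above (East-West visibility, anomalies surfaced from SIEM data) and through the answer just quoted (which users connect from where, which networks talk at what times of day, what bandwidth is normal). The following is an added example, not code from the original post or from Citrix: it builds a per-user profile from constructed historical flow records and scores new records against it, flagging a new source, a new destination (classified east-west when both ends are internal), an unusual hour, or an outlying byte count. The log format, the z-score and hour thresholds, and the choice of 10.0.0.0/8 as the internal range are assumptions made for this example.

```python
"""Baseline-and-deviation anomaly detection over constructed flow logs.

Added example (not from the original post). Log format, thresholds and the
internal address range are assumptions chosen for illustration.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed corporate range

# Constructed flow records (not real data): timestamp user src dst bytes_out
BASELINE_LOG = """\
2016-03-01T09:12:00 alice 10.1.1.10 10.2.0.5 120000
2016-03-01T10:30:00 alice 10.1.1.10 10.2.0.5 98000
2016-03-01T14:05:00 alice 10.1.1.10 10.2.0.7 110000
2016-03-02T09:40:00 alice 10.1.1.10 10.2.0.5 105000
2016-03-02T11:15:00 alice 10.1.1.10 10.2.0.7 130000
2016-03-03T16:20:00 alice 10.1.1.10 10.2.0.5 101000
2016-03-01T08:55:00 bob 10.1.1.22 10.2.0.5 45000
2016-03-01T13:10:00 bob 10.1.1.22 10.2.0.9 52000
2016-03-02T09:05:00 bob 10.1.1.22 10.2.0.5 48000
2016-03-02T17:30:00 bob 10.1.1.22 10.2.0.9 50000
2016-03-03T10:45:00 bob 10.1.1.22 10.2.0.5 47000
2016-03-03T15:00:00 bob 10.1.1.22 10.2.0.9 49000
"""

# Constructed new records to score: one normal, then four that each deviate
NEW_LOG = """\
2016-03-04T10:10:00 alice 10.1.1.10 10.2.0.5 115000
2016-03-04T02:35:00 alice 10.1.1.10 10.2.0.5 102000
2016-03-04T11:00:00 bob 10.1.1.22 10.1.1.10 51000
2016-03-04T14:20:00 bob 10.1.1.22 10.2.0.5 2400000
2016-03-04T12:00:00 alice 203.0.113.8 10.2.0.7 108000
"""


def parse(text):
    """Parse whitespace-separated flow lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst, nbytes = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "dst": dst, "bytes": int(nbytes)})
    return events


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL_NET


def build_baseline(events):
    """Per-user profile of normal activity: sources, destinations, hours, bytes."""
    prof = defaultdict(lambda: {"src": set(), "dst": set(), "hours": set(), "bytes": []})
    for e in events:
        p = prof[e["user"]]
        p["src"].add(e["src"])
        p["dst"].add(e["dst"])
        p["hours"].add(e["ts"].hour)
        p["bytes"].append(e["bytes"])
    for p in prof.values():
        p["mean"] = mean(p["bytes"])
        p["std"] = pstdev(p["bytes"])
    return dict(prof)


def score_event(e, baseline, z_threshold=3.0, hour_slack=1):
    """Return the list of reasons an event deviates from its user's baseline."""
    p = baseline.get(e["user"])
    if p is None:
        return ["user has no baseline"]
    reasons = []
    if e["src"] not in p["src"]:
        where = "internal" if is_internal(e["src"]) else "external"
        reasons.append(f"new {where} source {e['src']}")
    if e["dst"] not in p["dst"]:
        # internal-to-internal is east-west (lateral) traffic; otherwise north-south
        lateral = is_internal(e["src"]) and is_internal(e["dst"])
        reasons.append(f"new {'east-west' if lateral else 'north-south'} destination {e['dst']}")
    hour = e["ts"].hour
    if all(min(abs(hour - h), 24 - abs(hour - h)) > hour_slack for h in p["hours"]):
        reasons.append(f"unusual hour {hour:02d}:00")
    if p["std"] == 0:  # degenerate baseline: any change in volume is an outlier
        z = 0.0 if e["bytes"] == p["mean"] else float("inf")
    else:
        z = (e["bytes"] - p["mean"]) / p["std"]
    if z > z_threshold:
        reasons.append(f"bytes_out z-score {z:.1f}")
    return reasons


def detect(baseline_text, new_text):
    """Return [(user, timestamp, reasons)] for every new event that deviates."""
    baseline = build_baseline(parse(baseline_text))
    flagged = []
    for e in parse(new_text):
        reasons = score_event(e, baseline)
        if reasons:
            flagged.append((e["user"], e["ts"].isoformat(), reasons))
    return flagged


if __name__ == "__main__":
    for user, ts, reasons in detect(BASELINE_LOG, NEW_LOG):
        print(user, ts, "; ".join(reasons))
```

Run as-is and four of the five new records are reported: alice connecting at 02:35, bob reaching an internal host he has never talked to (the east-west case a perimeter-only view would miss), bob sending roughly fifty times his usual volume, and alice appearing from an address outside the assumed corporate range. A production system would learn the baseline from weeks of SIEM data and tune the thresholds per population rather than hard-coding them, but the shape of the check is the same.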
At Citrix, we are fanatical about security and are committed to providing a portfolio of solutions—across the entire company—that help our customers address their security and compliance needs and keep their data safe in transit, in use and at rest.