Cybersecurity Blog: The Cyber Scene is evolving, are you?


While the market may be focusing less on perimeter security, enterprises can improve overall cybersecurity and save time by taking a few simple steps for their perimeter networks.

It’s not easy being a Chief Information Security Officer (CISO) these days. While the regular drumbeat of news of cyber attacks has meant that board members and the executive suite now actually know the name of their CISO, more attention and budget isn’t always a good thing. That’s because there isn’t always a consensus on where that money should be spent. Some cybersecurity market segments, like endpoint detection and response (EDR) technologies, have more than a dozen players all spending millions on sales and marketing. Many CISOs have stopped answering their phones for any caller they don’t recognize due to the onslaught of sales calls. While NIST and other standards organizations have done a fairly good job of defining the basic table stakes for cybersecurity, most large enterprises still struggle with thwarting attacks even with all the right boxes checked.

Perimeter security is one area that has been particularly perplexing. With public cloud computing growing dramatically, many have suggested that there is no longer a perimeter. Even those doing their own hosting have said that perimeter security is not where they focus. For example, Google has devised a series of automated trust verification techniques that make the network location of a device much less relevant to the access decision. However, media reports of high-profile breaches frequently note the lack of intrusion detection capability for “east-west” network traffic, the communication between systems once an attacker is inside the perimeter. Moreover, much of the growth of public cloud computing among enterprises has been in the Software as a Service (SaaS) space, where someone else is responsible for securing that internal network traffic.

But the problem remains that perimeter defenses, and firewalls specifically, are an integral part of most enterprises, with associated staffing and budget. Changing business processes and roles is not easy. That’s not to say that perimeter defense is not a useful endeavor. It does stop a lot of attacks. In fact, many penetration testing teams readily acknowledge that most efforts to break into a company’s internal network from the Internet fail, or at least they fail when company employees are not in scope for the test. In the vast majority of publicized breaches, social engineering has proven the key to getting past perimeter defenses. From there, many organizations had limited preventive and detective controls to stop, or even detect, malicious activity. And because the attack surface is much larger internally, it is far more likely that an unpatched system or configuration error can be exploited, to say nothing of the credential harvesting and reuse that is proving to be the Achilles’ heel of many organizations.

In one sense, the issue is not that perimeter security is unimportant. It is simply at a level of maturity where it should largely run on autopilot, with innovation and operational attention focused elsewhere. Spending significant labor on constantly updating firewall rules or adding another layer of perimeter defense is a case of diminishing returns. Instead, the focus should be on foundational controls that filter out known-bad IP addresses, spam, and phishing without disrupting the business, along with the requisite patching and remote access hardening. Given the growth of end-to-end encryption, it is not clear that perimeter sandboxing really adds much value, since the sandbox cannot inspect what it cannot decrypt. More intelligent endpoint protection and data security solutions, together with enterprise-wide security analytics, seem to be of greater value, particularly when combined with innovations such as deception solutions, logical network segmentation, SSL/TLS decryption solutions where available, and the recursive object-based static inspection used in Leidos’ ATM solution.

But given labor shortages and the volume of data, this will only work with far more automation than is available out of the box. It means that organizations need to embark on a true integration effort that is more than just stringing a few dozen tools together. That means defining use cases at a technical level, with scripting and interaction with application programming interfaces (APIs). It is part of a relatively new discipline known as DevSecOps, which ties development practices into security operations. For many, it means leveraging the structure and scalability that cloud computing offers; Amazon, for example, offers one possible model. To do this correctly, organizations need to commit to standardized IT and cybersecurity processes that can be applied consistently. For IT organizations used to responding to the latest initiatives from the C-suite or business units, this can be a challenge. The trick is to get agreement on some basics of the foundation and then allow loosely coupled applications to handle the interactions between tools. Here are a few suggestions to start with:

  • Offload low-hanging fruit – Perimeter security no longer keeps the determined adversary out. It keeps the nuisances at bay. Organizations should have highly optimized mechanisms to filter out known-bad traffic, both e-mail and web, without breaking a sweat. That means either third-party scrubbing services or appliances designed to ingest the latest known-bad indicators and let cybersecurity personnel implement durable, enterprise-wide mitigations against entire classes of threats. This is not a job for hand-maintained firewall rules. Keeping this process reliable and automatic ensures that cybersecurity personnel can spend their time elsewhere.
  • Cover hygiene and authentication – Few events are more frustrating or embarrassing for a cybersecurity professional than having the perimeter breached through a vulnerability for which a patch has been available for months or even years. While patches can break functionality and are frequently a headache to deploy on perimeter systems, it’s not rocket science. Using the DevSecOps methods described above, new patches can be quickly tested and deployed, often without human intervention. Similarly, organizations that implement multi-factor authentication for access to internal systems can significantly slow down would-be attackers and will likely repel those unwilling to devote significant time to a single target.
  • Don’t trust the first two – It should be clear by now that perimeter security is not enough, and most organizations understand that. What is often missed is just how ineffective the perimeter is without the other layers of defense to support it. For example, current data suggest that 91% of breaches started with a phishing e-mail, which is often customized for the target and thereby circumvents most e-mail filtering. Perimeter security works best when it is combined with internal controls that limit the breadth and impact of a breach, such as applying the same scrutiny to outbound network traffic that is applied to inbound traffic.
  • Automate, Automate, Automate – From security orchestration tools that turn indicator of compromise (IOC) data from threat feeds into access controls, to automated patching, the technology to automate much of security is already available if organizations are willing to do the scripting and tweaking necessary to make it work for them. That said, it’s not easy to get right. Doing the wrong thing faster won’t help; a feed entry that is too broad, or that overlaps a partner’s address space, becomes an outage the moment it is applied automatically. Regular measurement and tuning is essential. Once the tools and tweaks are deployed, the goal should be to bring the labor for perimeter security as close to zero as possible, with the remaining time spent validating the effectiveness of the automation and addressing the true anomalies.
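The “known-bad indicators into access controls” pipeline described in the first and last suggestions above is small enough to show end to end. The following is an added example written for this page, not Leidos code and not a description of any particular product. It parses a constructed threat feed, applies the guardrails that keep automation from “doing the wrong thing faster” (reject over-broad prefixes, reject internal or reserved ranges, reject anything overlapping an allowlist, drop low-confidence entries, keep only the highest-confidence duplicate), and renders the survivors as ipset entries with a timeout so stale indicators age out on their own. The feed contents, the confidence threshold, the allowlist and the set name are all assumptions made for the illustration; the feed uses RFC 5737 documentation addresses as stand-ins for public ones, which is why the reserved-range check is an explicit list rather than Python’s `is_global` (which classes documentation ranges as non-public).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple, Union

# Constructed sample feed (CSV: indicator,category,confidence). Not real indicators;
# 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges.
SAMPLE_FEED = """\
# indicator,category,confidence
203.0.113.5,c2,90
203.0.113.5,c2,95
198.51.100.0/24,scanner,70
10.0.0.7,malware,80
0.0.0.0/0,bogus,99
192.0.2.128/25,phishing,75
192.0.2.7,phishing,40
203.0.113.9,c2
not-an-ip,junk,50
"""

# Constructed allowlist: addresses that must never be blocked (e.g. a partner gateway).
ALLOWLIST = ["192.0.2.200"]

# Ranges that should never appear in an Internet-facing blocklist; blocking them is
# either pointless or an outage. Assumed list for the example.
RESERVED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

MIN_CONFIDENCE = 60   # assumed threshold
MAX_HOSTS = 256       # refuse anything broader than a /24 (v4); assumed guardrail

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Indicator:
    network: Network
    category: str
    confidence: int


def parse_feed(text: str) -> Tuple[List[Indicator], List[Tuple[str, str]]]:
    """Parse CSV feed lines; return (indicators, rejected_lines_with_reason)."""
    indicators, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            rejected.append((line, "malformed"))
            continue
        try:
            net = ipaddress.ip_network(parts[0], strict=False)  # host -> /32 or /128
            conf = int(parts[2])
        except ValueError:
            rejected.append((line, "unparseable"))
            continue
        indicators.append(Indicator(net, parts[1], conf))
    return indicators, rejected


def vet(indicators: List[Indicator], allowlist: List[str],
        min_confidence: int = MIN_CONFIDENCE, max_hosts: int = MAX_HOSTS
        ) -> Tuple[List[Indicator], List[Tuple[Indicator, str]]]:
    """Apply the guardrails; return (accepted, rejected_with_reason).
    Duplicates of the same network collapse to the highest-confidence entry."""
    allow = [ipaddress.ip_network(a) for a in allowlist]
    accepted, rejected = {}, []
    for ind in indicators:
        net = ind.network
        if net.num_addresses > max_hosts:          # checked first so 0.0.0.0/0 lands here
            rejected.append((ind, "too broad"))
        elif any(net.overlaps(r) for r in RESERVED):
            rejected.append((ind, "reserved or internal range"))
        elif any(net.overlaps(a) for a in allow):
            rejected.append((ind, "overlaps allowlist"))
        elif ind.confidence < min_confidence:
            rejected.append((ind, "low confidence"))
        else:
            prev = accepted.get(net)
            if prev is None or ind.confidence > prev.confidence:
                accepted[net] = ind
    return list(accepted.values()), rejected


def render_ipset(accepted: List[Indicator], set_name: str = "threat_block",
                 ttl_seconds: int = 86400) -> List[str]:
    """Emit ipset commands: a hash:net set whose entries expire after ttl_seconds,
    so an indicator that is not re-published by the feed ages out automatically."""
    lines = [f"ipset -exist create {set_name} hash:net timeout {ttl_seconds}"]
    for ind in sorted(accepted, key=lambda i: (i.network.version, i.network)):
        lines.append(f"ipset -exist add {set_name} {ind.network.with_prefixlen} "
                     f"timeout {ttl_seconds}")
    return lines


def render_iptables_hooks(set_name: str = "threat_block") -> List[str]:
    """Match the set on both inbound sources and outbound destinations, so the
    same indicator also catches a compromised host calling out to it."""
    return [f"iptables -I INPUT -m set --match-set {set_name} src -j DROP",
            f"iptables -I OUTPUT -m set --match-set {set_name} dst -j DROP"]


if __name__ == "__main__":
    inds, bad_lines = parse_feed(SAMPLE_FEED)
    good, bad = vet(inds, ALLOWLIST)
    for line, why in bad_lines:
        print(f"# skipped line ({why}): {line}")
    for ind, why in bad:
        print(f"# rejected {ind.network} ({why})")
    print("\n".join(render_ipset(good) + render_iptables_hooks()))
```

The rejection list is the part worth keeping: every entry the automation refused, and why, is what the remaining human time should be spent reviewing, and the counts per reason over time are the measurement the last suggestion calls for. A feed that suddenly starts producing many “too broad” or “overlaps allowlist” rejections is a feed to stop trusting, not a guardrail to loosen.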

Leidos can help organizations with all these challenges and much more. For example, our SOC Transformation solution is specifically designed to help organizations improve automation, better leverage and act on threat intelligence, and integrate their disparate security tools. Contact us today.

Gib Sorebo is a Chief Cybersecurity Technologist for Leidos where he assists both government and private sector organizations in addressing cybersecurity risks as well as complying with legal and regulatory requirements. He has been working in the information technology industry for more than twenty years in both the public and private sector. In addition to federal and state governments, Gib has done security consulting in the financial services, health care, and energy sectors. He is currently responsible for coordinating cybersecurity activities in the energy sector company-wide. He recently co-authored a book on Smart Grid Security that was published in December 2011. He is also a frequent speaker at national security and utility conferences, such as the RSA Security Conference, FINRA Annual Conference, CSI Annual Conference, multiple oil & gas cybersecurity conferences, and the FIRST Annual Conference, where he has given talks on the Internet of Things, information security liability, Sarbanes-Oxley, E-Discovery, smart grid security, incident response, breach notification, and several other topics. Gib holds a law degree from the Catholic University of America, a Master’s Degree in Legislative Affairs from George Washington University, and a Bachelor’s Degree in Political Science from the University of Chicago.