The King is Dead

The King is dead, long live the King

Sometimes change isn’t necessary or advisable. If it ain’t broke, don’t try to fix it. Other times it’s vital. Stand still, don’t innovate or adapt, and you’ll be left behind. The world of Cyber Security has its fair share of challenges: a constant deluge of malware, increasingly sophisticated attacks, and a clever enemy.

In the face of all this, and more, it’s imperative for organisations to stay on top of their security strategy. As the landscape and associated risks change, so should the strategy, ensuring that it remains fit for purpose.

With due acknowledgement to the fact that there are shades of grey, and strict definitions and descriptions aren’t always helpful or accurate, here is a brief list of trends which reflect how thinking is changing. Let’s contrast the traditional approach with what is needed in today’s climate.

Perimeter: not long ago you could focus on defending your corporate network knowing full well where it ended. The network edge was defined. Slot in firewalls, set up a DMZ, and hey presto – job done. Now of course, with the advent of mobile workers and the wonderful cloud, the perimeter isn’t fixed. Instead of worrying about securing the perimeter, now we also worry about securing the user. Cue greater network access control and the gradual shift to zero trust models.

Layers: sadly, we’re not talking about cakes. The traditional approach emphasized layers. For example, if you have anti-virus, then have it at different levels: on the end point, the server farm and on the perimeter. While securing each ‘layer’ still holds true, it’s also important to ensure interaction between layers, with data and intelligence shared between them. If we spot something suspicious at the gateway, is that information helpful from an end point perspective? Greater integration and co-ordination between solutions at different levels is key, helping to achieve faster detection of threats and reduced time to respond – as well as making post-incident analysis easier.

Black lists: many years ago, Donald Rumsfeld, then US Defense Secretary, made his infamous remarks about known unknowns and unknown unknowns. There was probably a point in there somewhere. Anyway, solutions that make use of black lists stop the known bad. If we know a file is malicious and it’s on our black list, we’ll block it. Trouble is, what to do if something isn’t on the list? Can it really be trusted? Should we keep it out anyway? Or wait until there is an update to the list and then revisit?

Blacklisting still has a part to play, but most products and solutions now make use of non-signature-based technology and other approaches (either instead of, or alongside, black lists). Techniques include whitelisting (only allow the known good), sandboxing and heuristics. Machine learning and artificial intelligence are helping to drive a new generation of security solutions.
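To make the block list question concrete ("what to do if something isn’t on the list?") and the layer-integration point from the previous section (a gateway verdict being useful to the end point), here is an added example that is not from the original post. It contrasts a block list, an allow list and a layered policy with an explicit decision for unknown files, then shows a hypothetical gateway verdict being pushed into the shared lists so the end point picks it up. All file names, contents and hashes are constructed for illustration; `share_gateway_verdict` is an assumed helper, not a real product API.

```python
import hashlib
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    QUARANTINE = "quarantine"  # hold the file for sandboxing / heuristic analysis


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample files: placeholder contents, not real malware or real software.
SAMPLES = {
    "invoice_macro.docm": b"constructed: known-bad sample",
    "notepad.exe": b"constructed: known-good sample",
    "new_tool.exe": b"constructed: never seen before",
}

# Constructed intelligence lists, keyed by SHA-256 of the contents above.
BLOCK_LIST = {sha256_of(SAMPLES["invoice_macro.docm"])}
ALLOW_LIST = {sha256_of(SAMPLES["notepad.exe"])}


def blocklist_policy(digest: str) -> Verdict:
    """Classic block list: stop the known bad and let everything else through.
    Note that an unknown file is allowed, i.e. the policy fails open."""
    return Verdict.BLOCK if digest in BLOCK_LIST else Verdict.ALLOW


def allowlist_policy(digest: str) -> Verdict:
    """Allow list: permit only the known good; anything else is refused (fails closed)."""
    return Verdict.ALLOW if digest in ALLOW_LIST else Verdict.BLOCK


def layered_policy(digest: str, unknown_action: Verdict = Verdict.QUARANTINE) -> Verdict:
    """Block list first, then allow list, then an explicit decision for the unknown
    (default: quarantine it for sandboxing rather than silently allowing or blocking)."""
    if digest in BLOCK_LIST:
        return Verdict.BLOCK
    if digest in ALLOW_LIST:
        return Verdict.ALLOW
    return unknown_action


def evaluate(policy, samples=SAMPLES) -> dict:
    """Run one policy over every sample; returns {filename: verdict name}."""
    return {name: policy(sha256_of(content)).value for name, content in samples.items()}


def share_gateway_verdict(digest: str, malicious: bool) -> None:
    """Hypothetical layer integration: a verdict reached at the gateway (say, by its
    sandbox) is pushed into the shared lists so the end-point policy sees it too."""
    (BLOCK_LIST if malicious else ALLOW_LIST).add(digest)


if __name__ == "__main__":
    for label, policy in (("block list", blocklist_policy),
                          ("allow list", allowlist_policy),
                          ("layered", layered_policy)):
        print(f"{label:11}: {evaluate(policy)}")
    # The gateway sandbox decides the unknown file is malicious; the end point now blocks it.
    share_gateway_verdict(sha256_of(SAMPLES["new_tool.exe"]), malicious=True)
    print(f"{'after share':11}: {evaluate(layered_policy)}")
```

The interesting row is `new_tool.exe`: the block list lets it run, the allow list refuses it, and the layered policy parks it for analysis until a verdict exists. Once the gateway shares its finding, every layer that consults the same lists reaches the same decision without waiting for a vendor list update.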

Reactive: organisations are becoming more aware that they cannot remain in reactive mode. In effect, that means only responding when alerted by systems, or rushing to contain an infection in the ‘unlikely’ event that it happens. The reality is that all organisations – no matter their size, line of business or the kind of data they hold – are targets for hackers. And hackers are adept at finding loopholes, compromising systems and then lying low. It is not uncommon for them to maintain access over a period of months or even years.

In that scenario, when cyber criminals do their best to bypass and suppress security measures, relying on them setting off triggers to indicate compromise is a risky business.

Instead, it makes sense to adopt a proactive mindset. Measures include making thorough preparations for a breach – a case of when not if – knowing exactly how incident response and remediation is to be carried out, having a strong information security management system, better sourcing and use of threat intelligence, continuous monitoring of the full network and threat hunting.

Malware: there was a time when virus writers took the scatter-gun approach. Target everyone, regardless of who and where they are. Mass malware was the norm and many different flavours of worms and viruses made the headlines, infecting thousands of machines at a time. A large portion of malware today is still the same. However, as well as dealing with typical in-the-wild malware, organisations also have to counter advanced targeted attacks. These are usually more sophisticated and crafted for specific industries, territories or businesses. Coupled with a wider range and improved quality of social engineering techniques, it is becoming harder to detect and mitigate these kinds of threats. Hence the need for improved defences, factoring in this particular category of attacks.

Man plus machine: ask someone about their security posture and you’ll likely get a blank look or a raised eyebrow. Once you’ve got over the awkward silence and clarified that the context is their organisation and what mechanisms they have in place, chances are the response will list measures that are skewed towards security products and solutions. Yes, there may be some training or end user awareness. And hopefully there are controls, policies and procedures. However, historically, technology has played a major part, with human involvement limited to some extent – for example, in the form of deploying and configuring products. This human element is growing and should form part of our thinking. Devoid of human guidance, products can only do so much, even taking into consideration the leaps and bounds made in fields such as AI. Greater use of human expertise is crucial to help combat threats. That could be in the form of analysts sitting in a Security Operations Center, digital forensics work to uncover how a breach took place or reverse engineering malware.

In short, Cyber Security continues to evolve. It has to. And as it does, so too should organisations, otherwise they risk having an ineffective and potentially outdated security strategy.