Partner Perspectives
11/18/2014
02:45 PM
Bradon Rogers

Best Practices in the Face of High-Profile Breaches

Attacks are a mainstream problem, and organizations must employ more than just traditional minimalist approaches of firewalls and virus scanners.

Ongoing, high-profile security breaches are prompting many conversations with customers about the basic hygiene steps they should be taking to improve their security posture and reduce their risk of data compromise. The painful reality is that attacks are a mainstream problem, and traditional minimalist approaches of firewalls and virus scanners are no longer sufficient.

You need to think through the zones in your infrastructure and reduce the crevices through which cyber criminals can crawl. They will go for your weakest point, which today is often a specialty device. From a point-of-sale or ATM system, criminals can navigate up the spokes to your hubs: a store, branch, or office. From a compromised machine in one site, they will push into the data center, then out again to other sites.

Different Defenses for Different Devices

The first step is to differentiate desktop protection from data center and specialty device protection. The desktop is under constant modification with new applications, patches, and upgrades. However, with fixed-function devices such as point-of-sale terminals, ATMs, or app-specific tablets, you can restrict functionality to a narrow range, lock them down, and block anything that is outside of the normal scope. The small size, large number, and wide distribution of these devices mean they don't change very often, if at all. Small-footprint application and change-control defenses will allow nothing to run that you do not want to run, including malware.

In locking down these systems, you cannot just block updates, because those updates may contain critical security patches. Effective application and change-control technologies also provide virtual patching, creating a barrier to newly discovered weaknesses and exploits. Virtual patches recognize and block the attempted exploit without having to patch the software, reducing panic when new threats are announced. System upgrades or firmware updates can then be properly evaluated and installed during regular maintenance windows.
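The two ideas above, deny-by-default application control and a controlled path for legitimate updates, fit together in one small policy object. The following is an added example written for this article, not Intel Security code or any product's API: a hypothetical `ChangeControlPolicy` that trusts executables by SHA-256 hash rather than by file name, refuses anything not on the list, and admits a vendor patch only inside a declared maintenance window and only when its hash matches the digest recorded on the change ticket. The binaries, paths, timestamps and patch bytes are constructed stand-ins so the script runs offline.

```python
import hashlib
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed stand-ins for the binaries on a fixed-function device. A real agent
# would hash the files on disk; the bytes are inline so the example runs offline.
SAMPLE_BINARIES: Dict[str, bytes] = {
    "C:/pos/pos_app.exe": b"POS application build 4.2",
    "C:/pos/printer_driver.dll": b"receipt printer driver 1.0",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class ChangeControlPolicy:
    """Hypothetical deny-by-default allowlist keyed by SHA-256.

    Anything whose hash is not on the list does not run, whatever its file name.
    Updates are admitted only inside an explicit maintenance window and only when
    their hash matches the digest approved on the change ticket.
    """

    def __init__(self) -> None:
        self.allowed: Dict[str, str] = {}  # sha256 -> path it was approved as
        self.window: Optional[Tuple[datetime, datetime]] = None
        self.audit: List[str] = []

    def baseline(self, files: Dict[str, bytes]) -> None:
        """Snapshot the known-good image of the device once, at deployment time."""
        for path, data in files.items():
            self.allowed[sha256_hex(data)] = path

    def open_window(self, start: datetime, length: timedelta) -> None:
        self.window = (start, start + length)

    def in_window(self, now: datetime) -> bool:
        return self.window is not None and self.window[0] <= now <= self.window[1]

    def check_execution(self, path: str, data: bytes, now: datetime) -> bool:
        """Enforcement hook: allow only content whose hash was approved."""
        digest = sha256_hex(data)
        if digest in self.allowed:
            return True
        self.audit.append(f"{now.isoformat()} BLOCK exec {path} sha256={digest[:12]}")
        return False

    def apply_update(self, path: str, data: bytes, now: datetime, approved_digest: str) -> bool:
        """Admit a vendor patch without switching enforcement off for everything else."""
        digest = sha256_hex(data)
        if not self.in_window(now):
            self.audit.append(f"{now.isoformat()} DENY update {path}: outside maintenance window")
            return False
        if digest != approved_digest:
            self.audit.append(f"{now.isoformat()} DENY update {path}: hash does not match change ticket")
            return False
        self.allowed[digest] = path
        self.audit.append(f"{now.isoformat()} ALLOW update {path} sha256={digest[:12]}")
        return True


def run_demo() -> Dict[str, bool]:
    """Walk through the lifecycle on one constructed POS terminal; every value should be True."""
    policy = ChangeControlPolicy()
    policy.baseline(SAMPLE_BINARIES)
    t0 = datetime(2014, 11, 18, 14, 45)
    patch = b"POS application build 4.3"  # constructed vendor patch
    ticket_digest = sha256_hex(patch)     # digest recorded on the change ticket
    results = {
        # the approved application runs
        "known_app_runs": policy.check_execution(
            "C:/pos/pos_app.exe", SAMPLE_BINARIES["C:/pos/pos_app.exe"], t0),
        # a different file under the same name is refused: the hash, not the name, is trusted
        "dropped_file_blocked": not policy.check_execution("C:/pos/pos_app.exe", b"something else", t0),
        # the patch arrives mid-shift, outside any window, and is held back
        "patch_outside_window_denied": not policy.apply_update(
            "C:/pos/pos_app.exe", patch, t0, ticket_digest),
    }
    policy.open_window(t0 + timedelta(hours=10), timedelta(hours=2))
    t_maint = t0 + timedelta(hours=11)
    # a modified build does not match the ticket even inside the window
    results["tampered_patch_denied"] = not policy.apply_update(
        "C:/pos/pos_app.exe", patch + b"!", t_maint, ticket_digest)
    results["patch_in_window_admitted"] = policy.apply_update(
        "C:/pos/pos_app.exe", patch, t_maint, ticket_digest)
    results["patched_app_runs"] = policy.check_execution("C:/pos/pos_app.exe", patch, t_maint)
    return results


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {ok}")
```

The audit list is the part an operator actually reads: every refused execution and every denied or admitted update is recorded with a timestamp, which is what turns a locked-down device into one you can also monitor.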

Data center servers may provide a similarly broad range of functions to desktops, but they are vastly different in scale, contain more sensitive data, and are just as likely to be virtual devices spanning multiple physical systems. In turn, there is a wide variety of purpose-built, high-performance, low-impedance security technologies adapted to the virtual, cloud-based nature and scale of modern data centers and server infrastructures.

Secure the Data Center Perimeter

The speed and volume of traffic through your data center requires a different level of performance, inspection, and reliability in a firewall at the data center boundary. The sheer number of servers, and the spread of virtual and cloud-based systems, means point defenses are no longer sufficient. Traffic prioritization should direct critical data to the best pipes, while inherent load-balancing and failover capabilities keep everything moving. Perhaps most important is anti-evasion capability, identifying and reconstructing seemingly innocuous message parts into their intended whole package, and checking that against attack patterns or threat signatures.

Defend Your Database

Databases can be especially vulnerable, running software that is many versions behind due to restricted patching windows and elaborate testing requirements. Sometimes this code is very complex, has been customized in some way, or the person who wrote the scripts is long gone and the scripts have not been updated. Virtual patching also protects these systems, blocking exploits even if the underlying software is unpatched. For further protection, database vulnerability management can identify misconfigurations or potential risk areas within the database, such as unnecessary open ports or unmodified default settings, and suggest how to fix those weaknesses.

Check Data Before It Leaves

Data centers may process a high volume of traffic, but the traffic tends to follow established patterns. Database application monitoring observes traffic and interactions within the databases, develops a baseline for normal behavior, and flags or blocks anomalous actions that may be part of a malicious attack. Data loss prevention capabilities observe data in motion through the network and at rest in storage, helping you quickly build and deploy accurate usage policies, and then monitor and enforce those policies on data in use, ensuring compliance before the data leaves your network. Data-monitoring tools can even capture traffic leaving the network for later analysis, so you do not have to guess at the impact should an error or breach occur.
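The baseline-then-flag approach to database activity monitoring can be shown end to end. This is an added example, not code from the article or from any monitoring product: it learns, from a constructed log of a learning period, which statement shapes and which source hosts each application account normally uses, then scores constructed live statements against that baseline. Statement shape is obtained by replacing string and numeric literals with `?` and folding whitespace and case, so two lookups of different SKUs land on the same template. A shape the account has never issued is blocked; a known shape from an unusual host is only flagged. Account names, hosts and SQL are all constructed.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Event = Tuple[str, str, str]  # (application account, source host, SQL text)

# Constructed learning-period log: what the POS and reporting services normally do.
BASELINE_LOG: List[Event] = [
    ("pos_svc", "pos-01", "SELECT price FROM items WHERE sku = '1001'"),
    ("pos_svc", "pos-02", "SELECT price FROM items WHERE sku = '2002'"),
    ("pos_svc", "pos-01", "INSERT INTO sales (sku, qty, total) VALUES ('1001', 2, 19.98)"),
    ("pos_svc", "pos-02", "INSERT INTO sales (sku, qty, total) VALUES ('2002', 1, 4.50)"),
    ("report_svc", "hq-rpt", "SELECT sku, SUM(qty) FROM sales GROUP BY sku"),
    ("report_svc", "hq-rpt", "SELECT COUNT(*) FROM sales WHERE total > 100"),
]

# Constructed live traffic to score against the baseline.
LIVE_LOG: List[Event] = [
    ("pos_svc", "pos-02", "SELECT price FROM items WHERE sku = '3003'"),     # same shape, new literal
    ("pos_svc", "pos-01", "SELECT card_number, expiry FROM customers"),        # shape never seen from this account
    ("report_svc", "pos-01", "SELECT sku, SUM(qty) FROM sales GROUP BY sku"),  # known report, unexpected host
    ("report_svc", "hq-rpt", "DELETE FROM sales WHERE sku = '1001'"),          # reporting account never writes
]

STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")
NUMBER_LITERAL = re.compile(r"\b\d+(?:\.\d+)?\b")


def normalize(sql: str) -> str:
    """Reduce a statement to its shape: literals become '?', whitespace and case are folded."""
    shape = STRING_LITERAL.sub("?", sql)
    shape = NUMBER_LITERAL.sub("?", shape)
    return re.sub(r"\s+", " ", shape).strip().upper()


class ActivityBaseline:
    """Per-account record of the statement templates and source hosts seen during learning."""

    def __init__(self) -> None:
        self.templates: Dict[str, Set[str]] = defaultdict(set)
        self.hosts: Dict[str, Set[str]] = defaultdict(set)

    def learn(self, events: List[Event]) -> None:
        for account, host, sql in events:
            self.templates[account].add(normalize(sql))
            self.hosts[account].add(host)

    def evaluate(self, event: Event) -> Tuple[str, List[str]]:
        account, host, sql = event
        reasons: List[str] = []
        if normalize(sql) not in self.templates.get(account, set()):
            reasons.append("unseen query template")
        if host not in self.hosts.get(account, set()):
            reasons.append("unseen source host")
        if not reasons:
            return "allow", reasons
        # A statement shape the account has never issued is blocked outright;
        # a known statement from an unusual host is flagged for an analyst.
        action = "block" if "unseen query template" in reasons else "flag"
        return action, reasons


def run_demo() -> List[Tuple[str, List[str]]]:
    baseline = ActivityBaseline()
    baseline.learn(BASELINE_LOG)
    return [baseline.evaluate(e) for e in LIVE_LOG]


if __name__ == "__main__":
    for event, (action, reasons) in zip(LIVE_LOG, run_demo()):
        print(f"{action:5} {event[0]}@{event[1]}: {event[2]}  {reasons}")
```

The learning period is the weak point of any baseline: if it already contains unwanted activity, that activity becomes "normal", so the baseline should be reviewed before enforcement is switched from flag to block.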

Consider the Cloud

By now, your systems probably extend well beyond the physical walls of the IT department. Cloud services, such as Microsoft Azure and Amazon Web Services, provide tremendous scale and elasticity but still need to be protected. The standard model of virus scanners and firewalls falls apart quickly when faced with the scale of the cloud. Instead, virtual virus scanners and centralized security controllers work with the strengths of the cloud, analyzing patterns, directing items that require further analysis to centralized resources, and policing what can and cannot be moved outside of the physical perimeter.

Know What’s Happening Now

Cyber attacks are no longer passive events. They are no longer static viruses trying to find and infiltrate as many weaknesses as they can, or crudely written emails trying to trick you into sharing your bank account details or clicking on a malicious link. Instead, they are active events, guided by human intelligence, learning and adapting to the conditions found in your organization. Finding these attacks within the high volume and rate of traffic flowing in and around your systems requires knowledge of events as they are happening, not in a report produced hours or even days afterward. Security information and event management (SIEM) systems must operate at data center scale and provide real-time visibility into abnormal behaviors, wherever they are. With attackers continuously probing for areas of weakness, and shifting from one attack vector to another to confuse or evade your defenses, the ability to digest and correlate messages and warnings from anywhere is an essential component of SIEM functionality.
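What "digest and correlate messages from anywhere" looks like in practice is a normalization step followed by time-windowed rules that join events no single sensor would alert on by itself. The block below is an added example for this article, not code from any SIEM product: it takes constructed records from three sensors in three different schemas (an application-control agent, a firewall, and an intrusion detection sensor), maps them onto one event shape, and runs two hypothetical rules. The first ties a blocked execution on a specialty device to a later outbound connection from that same device to an unlisted destination, the spoke-to-hub movement described earlier in the article. The second notices one external source touching several internal hosts inside a short window, the vector-shifting probing described above. Hostnames, addresses and timestamps are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Optional


class Event(NamedTuple):
    ts: datetime
    source: str   # which sensor produced it
    host: str     # the internal system the event is about
    actor: str    # the external party involved, if any
    detail: str


# Constructed raw records from three sensors, each in its own native schema.
RAW_EVENTS = [
    ("appctl", "2014-11-18T14:01:10", {"host": "pos-07", "result": "block", "path": "C:/temp/svc.exe"}),
    ("firewall", "2014-11-18T14:05:30", {"src": "pos-07", "dst": "203.0.113.9", "dport": 443}),
    ("firewall", "2014-11-18T14:06:00", {"src": "pos-02", "dst": "192.0.2.10", "dport": 443}),
    ("ids", "2014-11-18T14:07:00", {"src": "198.51.100.4", "dst": "branch-fs-01", "sig": "service probe"}),
    ("ids", "2014-11-18T14:09:00", {"src": "198.51.100.4", "dst": "branch-db-01", "sig": "service probe"}),
    ("ids", "2014-11-18T14:12:00", {"src": "198.51.100.4", "dst": "branch-web-01", "sig": "service probe"}),
]

# Constructed allowlist: the one update server POS terminals are expected to reach.
KNOWN_EGRESS = {"192.0.2.10"}


def normalize(raw) -> Optional[Event]:
    """Map each sensor's schema onto the common Event shape; drop what the rules do not need."""
    kind, ts, f = raw
    t = datetime.fromisoformat(ts)
    if kind == "appctl" and f.get("result") == "block":
        return Event(t, kind, f["host"], "", f"blocked {f['path']}")
    if kind == "firewall":
        return Event(t, kind, f["src"], f["dst"], f"egress to {f['dst']}:{f['dport']}")
    if kind == "ids":
        return Event(t, kind, f["dst"], f["src"], f["sig"])
    return None


def block_then_egress(events: List[Event], window: timedelta) -> List[Dict]:
    """A refused execution on a host, followed within the window by an outbound
    connection from that host to a destination not on the allowlist."""
    alerts = []
    for blk in (e for e in events if e.source == "appctl"):
        for fw in (e for e in events if e.source == "firewall" and e.host == blk.host):
            if blk.ts < fw.ts <= blk.ts + window and fw.actor not in KNOWN_EGRESS:
                alerts.append({"rule": "block_then_egress", "host": blk.host,
                               "evidence": [blk.detail, fw.detail]})
    return alerts


def one_actor_many_hosts(events: List[Event], window: timedelta, min_hosts: int = 3) -> List[Dict]:
    """One external source touching at least min_hosts distinct internal hosts inside the window."""
    alerts = []
    by_actor: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        if e.source == "ids":
            by_actor[e.actor].append(e)
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: e.ts)
        for i, first in enumerate(evs):
            hosts = {e.host for e in evs[i:] if e.ts <= first.ts + window}
            if len(hosts) >= min_hosts:
                alerts.append({"rule": "one_actor_many_hosts", "actor": actor, "hosts": sorted(hosts)})
                break  # one alert per actor is enough
    return alerts


def run_demo() -> List[Dict]:
    events = sorted((e for e in map(normalize, RAW_EVENTS) if e), key=lambda e: e.ts)
    window = timedelta(minutes=15)
    return block_then_egress(events, window) + one_actor_many_hosts(events, window)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Neither rule fires on the pos-02 connection, because it goes to the listed update server and no block preceded it; the value of the correlation is that the pos-07 firewall record, taken alone, looks identical to ordinary HTTPS traffic.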

The Best Security, Physical or Virtual, Is Integrated

Taken together, the steps above create an integrated defense that is more effective, and less expensive, than deploying scanners on every server instance and point defenses at every ingress and egress. Intelligence on threats, from phishing to malware to zero-day exploits, should be shared among the systems and collected centrally for a complete view of the current situation. Suspicious data should be picked off and sent to a malware analysis engine for static and dynamic evaluation once, instead of multiple times, reducing the quantity of intensive inspection and improving response times. Reports are available sooner and provide a clearer picture of what is happening, and the likely objectives of the attacks.

This list of best practices is not all-inclusive, and there are certainly other technologies and practices that can improve your security posture. However, data center infrastructure and purpose-built devices (such as point-of-sale machines) are common themes in recent major breaches. We need to reevaluate how systems and networks are safeguarded and raise the minimum protection threshold.

Bradon Rogers is the Senior Vice President of Product and Solution Marketing at Intel Security, and is a 14-year veteran in the security space. In this role, Bradon is responsible for worldwide go-to-market of the Intel Security product portfolio. In his prior role at Intel ...