Multi-layered security: Defending from all sides

The threat landscape in the Middle East is ever evolving and always advancing with tailor-made, stealthy threats that evade traditional, point-in-time security defences. Instead of relying on a single attack vector, an advanced attack will use whatever unprotected paths exist, often combining paths in a blended method, to reach its target and accomplish its mission, writes Rabih Dabboussi, Managing Director, Cisco UAE.

The world is talking about superheroes – think Batman, Spiderman or even Superman but more than the superhero battling it out alone, today’s real blockbuster superheroes are joining forces combining their complementary superpowers in the universal quest for good over evil – think Avengers! And so how do we take this analogy into the world of security – well it got me thinking that we need to look seriously at what it means to join forces to more effectively combat and defeat the bad guys from a cyber-security perspective – not only from an industry standpoint, but also from a technology standpoint.

Cyber criminals go to great lengths to remain undetected, using technologies and methods that result in nearly imperceptible Indications of Compromise (IoCs). At the same time, modern networks are also evolving, extending beyond traditional walls to include public and private data centres, endpoints, virtual machines, mobile devices, and the cloud.

In today’s dynamic Middle Eastern IT and threat environment, point-in-time solutions lack the visibility and control defenders need to implement an effective security policy that addresses advanced threats. And disjointed approaches only add to capital and operating costs and administrative complexity.

Converged solutions that combine two or more security functions together on a single platform attempt to address these shortcomings. However, simply consolidating security functions on one appliance is far from adequate. The level of integration, if any, is typically limited to device management and post-event analysis – where data is combined into a single repository (often in a SIEM) for later manual analysis.

This visibility and analysis aren’t automatically correlated in real time and made actionable to quickly contain and stop damage, or shared throughout to prevent future attacks. And the data gathered is evaluated only once – a snapshot in time – not continuously, so that we forfeit opportunity to systemically ‘tune’ defences based on new telemetry and intelligence.

It should come as no surprise then that for the last few years the Verizon Data Breach Investigations Report has revealed that most breaches are found by law enforcement and other third parties – not by the breached organisations themselves. To make security investments more effective in the region, what’s needed is a comprehensive approach with tightly integrated threat defence across the extended network and the entire attack continuum – before, during, and after an attack.

As attack methods have evolved, more choices of information security and risk management tools have been developed to fill the void. For example, endpoints—particularly mobile ones—use protections beyond antivirus to centrally manage things such as what endpoints can access or what applications they can use.

It is important to consider the exploit paths taken by attackers and malware when you think of layered security. Most of the attacks start with a targeted phishing attack against a user and when the user falls for it, the endpoint gets affected. This becomes the launch point to get deeper into the organisation, where the data with real value can be accessed. A well-integrated threat defence system facilitates sharing of ‘context’ and intelligence between security functions which then immediately informs the whole and speeds detection and remediation.

Each security function must be tightly integrated for truly effective multi-layered protection against the full spectrum of attacks – including known and unknown attacks. This is done by gathering telemetry data across the extended network and encompassing all attack vectors for full contextual awareness, and then analysing it continually to surface IoCs that would otherwise go unnoticed. With these IoCs, we can prioritize events and stop threats sooner, hopefully before much damage is done, essentially providing an ‘early warning system’ for unknown cyber attacks.

In the Middle East, integrated threat defence provides better and faster protection at multi-gigabit speeds – before you have a known signature, before valuable data is stolen and before a third party discovers and alerts you to the breach. And it does so while simplifying an organisation’s security architecture with fewer security devices to manage and deploy. By gaining full contextual awareness that is continuously updated, defenders can assess all threats, correlate intelligence, and optimize defences.

There are other aspects of joining forces, besides integrating security functions. At the industry level, open source is a valuable tool for defenders in the Middle East as they rapidly innovate to close security gaps and gather great intelligence about potential threats. New open standards and efforts to create, share and implement custom application detection and custom IoCs empower defenders to further reduce the attack surface and better identify anomalous behaviour. The ability to share real-time threat intelligence and protection across a community of users is another prime example of working together for greater security effectiveness.

When developing or refining their IT risk management strategy, IT groups in the Middle East should focus on the following three important security enforcement points in particular:

Internet Use Protection

• Protect resources from the spread and execution of viruses, worms, and Trojans.
• Verify user credentials and system security posture.
• Control user access to specific applications or other system resources.
• Prevent the introduction of threats to the infrastructure from trusted computers by enforcing endpoint security policies.

Attack and Intrusion Protection

• Control access to servers and applications containing sensitive information.
• Assure application and user data transmissions are in conformance with application access rules and protocols.
• Monitor transmissions for end system vulnerability exploitation attempts.
• Prevent intrusions to servers, databases, and applications.

Remote Access

• Control access to corporate assets from remote users, branch sites, partners, and contractors.
• Assure a VPN with strong authentication and encryption is used to verify credentials and assure transmissions are protected.
• Limit access through trusted sites by trusted users and devices only, making sure improper access over the gateway VPN is not obtained by unauthorized users.

One of the weakest links in the security chain is Email – which is the preferred channel for business communications and thus continues to be a vector of choice for attackers. Hence, when companies within the region evaluate security or revisit what they already have, they should be sure to ask the following questions for more effective protection against spam, blended threats, and targeted attacks:

1. How do you deal with the variety of types of spam and viruses? We all know that there is no such thing as 100% protection but we can reach the 99%+ range by layering and integrating multiple anti-spam engines and multiple anti-virus engines. A security architecture that tightly integrates multiple engines and allows them to automatically and seamlessly work together not only increases protection levels but also reduces false positive rates as they serve as a check and balance against each other. In addition, reputation filters that look at the reputation of the sender’s IP address can help protect against attacks like snowshoe spam that hijack IP address ranges.
2. How do you deal with blended threats that include links to websites laced with malware?Look for solutions that include web categorization and web reputation. With web categorization security administrators can set policies to allow only certain categories of web sites to be accessed. Web reputation assigns a reputation score to a URL based on a variety of data, including the length of time the domain has been malware-free, so you can set policies about whether or not a link can be accessed based on thresholds.
3. What happens if an attack still gets through – do I have any recourse? Because some sophisticated attacks manage to get through, you need advanced malware protection that includes retrospective security. Retrospective security continues to track files and analyse their behaviour against real-time, global threat intelligence. If a file is later identified as malicious, retrospective security can also determine the scope of the attack so that defenders can quickly contain the threat and remediate.
4. What capabilities do you offer to help me stay ahead of emerging threats? To identify any trend you need to have visibility into data across a community. In this case, the ability to look at email and network security telemetry from a community of users together with other sources that track threats can give you the intelligence and lead time you need to proactively protect against emerging outbreaks. Look for vendors that include outbreak filters within their email security architecture and can leverage collective security intelligence to develop protections in real-time against new outbreaks.

Attacks will continue to evolve as will our IT environments. Integrated threat defence is a dynamic foundation that allows us to include an expanding list of super heroes that work in concert, sharing their findings to protect across more threat vectors and thwart more attacks.