Making The Shift to Network Security Resilience
In the webinar Best Practices for Network Security Resilience, I explained the concept of network security resilience and how to implement it. However, successful implementation relies upon making the fundamental mind shift to the strategy. You cannot expect to see the benefits if you don’t embrace change.
However, change is easier said than done. It seems like many security engineers, architects and CIOs are caught up in a philosophy that is primarily focused on prevention. So how can you start the shift towards resilience? There are three simple tenets that must be embraced. They are as follows:
- Acceptance of the Network Security Resilience concept
- Acceptance of the belief that you can make real changes
- Commitment to make the change
First, you need to accept that it is not a question of if, but when, your network will be breached. While prevention should always be a key security architecture goal, a resilient architecture focuses on recognizing the breach, investigating the breach, and then remediating the damage as quickly as possible. While the concept is straightforward, it can feel like there is an “arms race” that requires you to spend all of your security budget to continually upgrade defenses. While this threat is real, you also need to set aside some budget for security resilience. If budget is truly a problem, you may be able to put together a plan to convince your CIO, or Chief Information Security Officer (CISO), that the security risk to your company’s personally identifiable information (PII) is real and that you need some extra budget to remediate that risk.
The second step is to overcome any pessimism that you can, actually, make positive change in this area. Some people get caught up in the mindset that there is nothing you can do that will be effective, so why waste the time. This mindset is often cleared up once a breach happens, PII is stolen, the company is faulted for their lack of prevention techniques, fines are then assessed by government agencies (like the FTC and HHS departments in the United States), and lawsuits are filed against the company. Unfortunately, a mindset change at this point is too late.
Implementing changes to the network that increase its resilience is definitely possible. If the average length of time from intrusion to detection is 191 days, according to a
The third thing that you must do is act on the change. There is always something new coming that may be better than what you can implement now, but you need to make a “planned” start. The reason I say planned is that while there are several things you can do, you need to follow through on the new processes. Some activities require less effort than others, if implemented correctly.
For instance, application intelligence with geolocation can be used to expose indicators of compromise. Consider the example where someone in Eastern Europe is accessing your FTP server in Dallas and transferring data back to the Eastern European location. If you have no authorized users in that geographic area, I would say that there is a good chance that your network has been compromised, and I would personally jump all over that. However, you need the setup and inspection of that data to be easy in the first place. This typically requires some sort of dashboard that can quickly and easily expose the relevant information: no log file inspections, no manual correlation of data points on your part, etc. Any manual activities like that will slowly kill the use of any resilient tactics, unless you can add headcount for this kind of activity.
Another simple type of activity is the use of a threat intelligence gateway that blocks the exfiltration of data to known bad IP addresses. The trick here is that you need a gateway that has constant updates that are easy to load. This gives you a formidable defense that does not consume an exorbitant amount of your time.
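The two indicators just described (an FTP session from a country with no authorized users, and outbound traffic to a known-bad address) can be turned into a small triage rule set. The following is an added example, not code from the webinar or from any product it mentions; the flow log lines, the prefix-to-country table and the threat-intelligence list are all constructed for illustration, and a real deployment would read these from a GeoIP database and a regularly updated feed.

```python
import ipaddress
from typing import Dict, List, Set

# Constructed flow log (not real traffic): ts src_ip dst_ip dst_port bytes
FLOW_LOG = """\
2024-01-10T02:14:05Z 203.0.113.45 10.20.0.5 21 18200000
2024-01-10T02:15:10Z 198.51.100.7 10.20.0.5 21 4200
2024-01-10T03:01:44Z 10.20.0.22 192.0.2.99 443 950000
2024-01-10T03:02:01Z 10.20.0.23 192.0.2.10 443 1200
"""

# Constructed GeoIP table keyed by prefix (stand-in for a real GeoIP database).
GEO_TABLE: Dict[str, str] = {
    "203.0.113.0/24": "UA",   # plays the Eastern European source in the article
    "198.51.100.0/24": "US",
    "10.20.0.0/16": "US",     # the Dallas server network
}
# Assumption: the organization only has authorized users in these countries.
AUTHORIZED_COUNTRIES: Set[str] = {"US"}
# Constructed threat-intelligence list of known-bad destination addresses.
BAD_IPS: Set[str] = {"192.0.2.99"}
FTP_PORT = 21


def country_of(ip: str) -> str:
    """Map an address to a country code via the prefix table ('??' if unknown)."""
    addr = ipaddress.ip_address(ip)
    for prefix, cc in GEO_TABLE.items():
        if addr in ipaddress.ip_network(prefix):
            return cc
    return "??"


def triage(log_text: str) -> List[dict]:
    """Return one finding per flow that matches a resilience indicator."""
    findings = []
    for line in log_text.splitlines():
        ts, src, dst, port, nbytes = line.split()
        cc = country_of(src)
        base = {"ts": ts, "src": src, "dst": dst, "bytes": int(nbytes)}
        # Indicator 1: FTP session from a country with no authorized users -> investigate.
        if int(port) == FTP_PORT and cc not in AUTHORIZED_COUNTRIES:
            findings.append({**base, "reason": f"ftp-from-{cc}", "action": "investigate"})
        # Indicator 2: outbound flow to a known-bad address -> block at the gateway.
        if dst in BAD_IPS:
            findings.append({**base, "reason": "threat-intel-match", "action": "block"})
    return findings
```

Running `triage(FLOW_LOG)` yields two findings: the 18 MB FTP session from the unauthorized country and the outbound flow to the listed bad address; the ordinary US FTP login and the benign HTTPS flow produce nothing.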
As I mentioned earlier, check out the webinar to get details on the following items:
- What is network security resilience?
- The benefits of this security technique
- Examples of visibility and security solutions that you can implement to reduce the time to remediation