By: Vid Sista, Practice Director, Security & Mobility
It’s time for a new threat-centric security model.
Online attackers are agile and innovative. The security industry is responsive, yet so many organizations – small, midsize, and enterprise – have employed a patchwork of security tools and services that leaves them open to compromise. Investment in integrated technology solutions has become a key part of an effective defense strategy. Not only will IT organizations need to re-think their approach to dealing with different threats, but the security industry will need to consolidate and integrate, moving toward a model of visibility and shared protection.
Today’s dynamic threat landscape requires a collaborative approach to the fast, efficient exchange of threat information in real-time. Attackers are becoming more sophisticated and their methods evolve rapidly. Most current defenses focus on the perimeter or are preventive in nature. This gives attacks that do make it through free reign to do extensive damage for long periods of time undetected.
To mitigate the risk of a breach, security should form the foundation of a network’s architecture, and any effective security strategy needs actionable threat information that provides context and visibility across the entire network.
Top Security Trends
The top security trends so far this year involve the determined attacker’s ability to innovate new tools and evade detection by the latest, targeted methods. Cisco’s 2015 Annual Security Report lists the following trends:
- Exploits of Adobe Flash vulnerabilities are increasing. They are regularly integrated into widely used exploit kits such as Angler and Nuclear.
- Angler continues to lead the exploit kit market in terms of overall sophistication and effectiveness.
- Operators of crimeware, like ransomware, are hiring and funding professional development teams to help them make sure their tactics remain profitable.
- Criminals are turning to the anonymous web network Tor and the Invisible Internet Project (I2P) to relay command-and-control communications while evading detection.
- Adversaries are once again using Microsoft Office macros to deliver malware. It’s an old tactic that fell out of favor, but it’s being taken up again as malicious actors seek new ways to thwart security protections.
- Some exploit kit authors are incorporating text from Jane Austen’s classic novel Sense and Sensibility into web landing pages that host their exploit kits. Antivirus and other security solutions are more likely to categorize these pages as legitimate after “reading” such text.
- Malware authors are increasing their use of techniques such as sandbox detection to conceal their presence on networks.
- Spam volume is increasing in the United States, China, and the Russian Federation, but remained relatively stable in other regions in the first five months of 2015.
- The security industry is paying more attention to mitigating vulnerabilities in open-source solutions.
- Continuing a trend covered in the Cisco 2015 Annual Security Report, exploits involving Java have been on the decline in the first half of 2015.
The Attack Continuum
One of the most persistent threats today stems from the “any-to-any” challenge that all sizes of IT organizations face. The expectation to be able to connect to any application from anywhere through mobile devices, clouds, and virtualization, leaves networks open to compromise. Coupled with the combination of niche security products that many organizations employ, network security management has become unwieldy.
The threat-centric model is a holistic approach to security that is based on visibility and control across the extended network and what Cisco has termed the full attack continuum:
- Before an attack occurs:
Context-aware security is key. Organizations need total visibility of their environment with actionable alerts. Network security professionals need to know what they are protecting, its value as a target, the likelihood of an attack and likely attack vectors, as well as a historical view of past compromises.
- During the attack:
Attacks are no longer singular: they are ongoing and require continuous security. Security professionals need dynamic data from across the network and analysis that recognizes patterns and provides context. Real-time information enables intelligent automation.
- After the attack begins to cause damage or exfiltrate data:
Retrospective security, a feature that most security solutions do not offer, is essential to honing an effective defense against today’s evolving threat landscape. This step in the full attack continuum involves remediation and minimizing damage, but also building contextual intelligence to help prevent and counteract future attacks.
Cisco predicts that in the next five years the security industry will experience major changes, leading to consolidation and integration. With Cisco’s attention to the full attack continuum, we can already see the industry shifting toward a threat-centric security model that meets the dynamic threat landscape head-on and reduces the gaps and complexity caused by fragmented security solutions.