Boards must up their game before the hackers claim checkmate
- Published: Friday, 03 April 2015 12:09
By Ian Pratt
In today’s climate, the cyber security paradigm is a reactive cycle. When a threat is uncovered, it is examined and a counter-measure is created, with response times varying from weeks to years.
The problem is that attackers can quite easily reuse previous pieces of malware, modify them and build a brand new threat, thereby bypassing the new and updated security measures. Effectively, the connected world is under siege, and current security solutions and approaches are outdated and inadequate.
A growing threat
As humans, we love to point the finger at a particular individual or group; however, security vendors, CISOs and employees all play a role collectively. Cybercriminals are still managing not only to release unique malware, but to create malware that remains undetected for weeks, months and even years.
A lot of the pressure falls into the lap of the board of directors. They have the responsibility to ensure that management is protecting company assets effectively; and this responsibility extends to cyber security. Executive management must be more proactive in making sure their organizations deploy the right defences to survive in this new world of accountability.
The board must be competent in risk control and should challenge management when excessive risks are taken. A key question for the board is whether it is doing enough to protect its organization’s important assets.
With many assets now in digital form (business plans, source code, trade secrets, financial projections, deal margins and proposed mergers and acquisitions (M&A) deals), these assets are often under the personal control of management executives, who must take appropriate steps to safeguard them.
Public data breaches are a major cause of concern; cyber security breaches will generate a new wave of litigation in the years ahead and, as breaches are likely to have an adverse impact on a company’s financial performance, there is a requirement to disclose these breaches rapidly. As more executives are being targeted with highly advanced attacks, boards must require management to take appropriate actions to safeguard the assets of the company.
Why hackers are winning the arms race
Implementing a cyber security solution requires specialised knowledge. Today’s sophisticated threats are primarily the work of financially-motivated criminals and nation states who use malware to attack the organisation. This malware is not generally detectable by current anti-virus or any of the other traditional security solutions in common use.
There are two main classes of attacker, defined by their motives, which target companies: those seeking financial gain and those attempting espionage. Attackers seeking financial gain have adopted more aggressive tactics in recent years. The techniques have evolved from phishing to online bank fraud, via threats like Zeus, to aggressive intrusions seen in the Heartland breach and the 2014 Target breach. Attackers seeking financial gain are a major threat for all companies that collect payment information. These attackers also resell confidential information and trade secrets from compromised enterprises.
To defend themselves, many information security programs follow conventional wisdom and implement a layered approach to security, deploying multiple security products at different points in the network in an attempt to detect malware. While this is generally an improvement over single-technology solutions, many of the deployed technologies are obsolete and no longer effective. When more than 70 percent of breaches begin at the endpoint and nearly 80 percent of information security professionals state that users are their biggest security headache (1), it becomes overwhelmingly apparent that traditional endpoint protection is a spectacular failure. Deployment of conventional, yet ineffective and expensive, countermeasures is common and a principal reason for data theft.
Executives at the highest levels, including the board, must be aware of these developments and ensure their organization’s approach to their cyber security program is actually effective rather than just being compliant with traditional concepts of security.
Pretty much all of the tools that we rely on use detection as their primary function, but if someone can come up with a new attack, or change an existing attack so that it looks just slightly different from a previous one, they can get past these detection-based approaches very easily. That is really where this arms race has been lost over recent years: attackers have learnt how to make these changes very easily and cheaply to bypass existing defences.
The new approach: network segmentation and isolation
Today’s targeted malware seeks to use compromised PCs as a way into the enterprise network, attacking other systems to install persistent software that exfiltrates data. When a single PC is compromised, the incident response (IR) team has to investigate every possible move of the attacker, at enormous cost.
We need to be more like a biological system, where bodies are built of cells. If a particular cell is compromised, the damage is generally contained within that cell, which is killed off and removed. We need to build our computer systems in a similar way, with isolation technology: a relatively new concept that is proving effective at securing endpoints.
As the workforce becomes more mobile, employers and employees want to use laptops and other endpoint devices while working at coffee shops, hotels and airports, all of which have insecure networks. However, you can’t extend the boundary of the enterprise network to those places, so those endpoints are going to have to look after themselves. It is therefore essential that we adopt isolation technology.
Micro-virtualization meets this need by protecting computing devices against the execution of malicious code.
With endpoint systems today, one of the challenges we have is that, if a user opens a bad document, goes to a bad website, or even just goes to a good website and is served a bad advert, malware can easily end up running as the user and then proceed to compromise the whole machine. Once this happens, there is a complete loss of control, and anything that takes place on that machine from then on is compromised too. Isolation technologies, such as micro-virtualization, can help by ensuring that every task performed on that machine happens within its own little bubble (a micro VM). So if, or when, something bad occurs, it is contained within that micro VM and it isn’t going to impact or compromise the underlying system.
Enforcing the ‘need to know’
Even if the system does get compromised, whether because the user themselves is malicious or because control of the infrastructure has been lost, organizations still have the confidence of knowing that the information they really care about is running within one of these protected environments. That enables them to follow good security practice: identify the business-critical assets they care most about, come up with a set of restrictions for them, and treat them differently from everything else.
If CISOs try to apply the same restrictions to everything, and treat all data in the same way, they will never be able to get anything done and will end up having to relax those restrictions because they just aren’t enforceable.
Shifting to a model where things are more compartmentalised and isolated using micro-virtualization means that everything runs within its own container, so users don’t have to be concerned about the security of the application itself, or even of the underlying operating system, because any compromise is going to be contained.
CISOs and CEOs face a multitude of new and emerging challenges, including risks generated by the myriad of mobile devices, the endless amount of information, the difficulty of complying with new regulations, and the threat of state-sponsored attacks combined with global cyber criminals.
Ensuring that corporate assets are secure is an important legal responsibility for today’s boards of directors. In this dynamic, ever-changing threat landscape, oversight of cyber security becomes especially critical for organizations. It is up to the board to review security budgets, policies, and the effectiveness of security controls. Game-changing security technology, such as micro-virtualization, can be instrumental in helping boards see to it that management successfully carries out its mission to secure corporate assets and users.
Ian Pratt, co-founder, Bromium.
(1) Bromium report, Endpoint Protection: Attitudes and Trends 2015