Baseball pundits have been keeping an eye on a few major trends this 2015 Major League season, one of them being the sport’s noticeably shrinking offense (aside from the Royals’ recent 14-2 playoff win and Daniel Murphy’s home run streak for the Mets). ESPN and a number of other sources point to several reasons why the game is in a state of change as defensive strategies force hitters to get crafty about how they put points on the scoreboard. It’s not a stretch to say that, like baseball, IT security is a different game than it was just a few years ago.
The Defensive Shift
As a whole, the IT security world of enterprise decision-makers and technology providers alike is laser focused on strengthening defenses, and cyber security spending figures reflect skyrocketing investment. The average total cost of cyber protection for financial services firms was $20.8 million in 2014 according to the Ponemon Institute, and Gartner predicts information security spending will reach $75.4 billion by 2015 year-end.
Let’s explore three trending defensive moves:
Hyper-specialized relief pitching: Each pitcher has a highly specialized role and today it’s not uncommon to see a reliever enter the game to throw to just one batter. Similarly, we’ve gotten very comfortable with how we use our security tools, what we use them for, and how/where they add value or don’t add value. Practitioners are mapping value assessments to security investments, and more importantly, building metrics that show the efficacy of the product and improvements to security posture. The same can be said for tracking pitchers’ past performance against a given hitter and bringing in a reliever who will predictably dominate.
The increase in defensive shifting: Defensive shifts – or stacking infielders on the right side – have been particularly effective this MLB season at stifling the performance of lefty pull hitters. In fact, this strategy saved 190 runs in the first half alone, according to estimates from Baseball Info Solutions. In IT security, we, too, are focused on anticipating offensive (attacker) tendencies and architecting our defenses accordingly. Upping our defensive game means evolving to think and execute differently. Defense-in-depth (layered defense) needs to include prevention, detection, mitigation and forensics in order to fully protect customer, employee, proprietary and sensitive information against advanced threats (unknown threats against unknown operating system or application-level vulnerabilities).
Data-driven analytics: Moneyball changed the way the game of baseball is played. This season is no exception, with data-driven teams dominating the 2015 MLB playoffs. The analytics of the game have allowed pitchers – and security pros – to thoroughly understand their opponents’ weaknesses and pitch to these weaknesses. According to a new report by PwC U.S., 59 percent of respondents are leveraging data-powered analytics to enhance security by shifting security to critical areas of exposure or risk, ensuring that mitigating controls are in place to protect the crown jewels.
New Offensive Strategies
Still, playoff tensions escalate as attackers run into advanced security programs and start to better pinpoint and leverage weaknesses to their advantage. People like Hall of Fame slugger Mike Schmidt, in this Associated Press op-ed, are calling for hitting coaches to develop hitters who can drive balls to all parts of the field, including bunting or tapping the ball away from the shift for a base hit.
Cyber criminals, if not hitting coaches, are surely heeding Schmidt’s advice by using targeted attacks as a way to tap and bunt their way through the weak spots in enterprise network defenses. Now we’re worried about the opportunistic attacks and silent threats we don’t see or hear coming. A recent report from Vectra Networks “shows a sharp upturn in targeted attacks that have penetrated the perimeter.” With little hits here and there, they’re doing it in a way that makes it very hard for enterprise security teams to rally around.
Three threat vectors cyber criminals are exploiting to score runs:
Attacks cloaked in SSL/TLS traffic: One of the big weaknesses we have right now is a complete lack of visibility into our encrypted traffic. Once inside the network, for example, cyber attackers are moving laterally – a 580 percent increase in lateral movement detections, according to the Vectra Networks report – using hidden tunnels of encrypted SSL traffic to get around. The encrypted traffic that protects data from being viewed within modern applications, such as SharePoint, Exchange, Salesforce.com and Google Apps, also creates a blind spot that can be exploited by advanced threats and malware, as indicated by numerous highly publicized data breaches in well-known organizations.
Attacks on cloud-based applications: Just like the Force in Star Wars, the Cloud can be harnessed for good or bad. Sanctioned cloud application usage is obviously good. But attackers are blurring the lines of cloud usage by leveraging cloud service providers (CSPs) as part of their attack landscape, which, in turn, makes it extremely difficult for IT security pros to distinguish good versus bad usage. In fact, Blue Coat identified the emergence of a previously unidentified attack framework dubbed Inception that used CSPs as command and control (unbeknownst to the CSP) to launch highly targeted attacks in order to gain access to, and extract confidential information from, victims’ computers.
Attacks on mobile devices: Just as an increasing number of people are switching most of their online activity to mobile platforms, cyber criminals have done the same with their targeted attacks, using methods such as fake applications and poisoned links to gain access to your device. One of the most troublesome trends, however, is the colossal rise of malvertising, now the leading threat vector. Cyber criminals create fake advertisements that are placed on high-profile sites — appearing legitimate — but which are actually designed to steal private information.
A Life-Cycle Defense Approach to Address Advanced Threats
Obviously teamwork is key to success both on and off the field. When it comes to IT security, we’re talking about collaboration between technology, process and people for ongoing cyber, information and network security operations. Threat intelligence is a critical element that provides awareness and informs decisions about how to handle incoming and insider threats. A life-cycle defense approach brings these elements together in a repeatable process. To achieve these objectives, it is recommended that organizations deploy a life-cycle defense approach that implements a complete, multi-layered defense process and strategy, as follows:
Ongoing Operations: The life-cycle starts with detection and blocking all known threats as part of routine, day-to-day operations. Unknown threat events are escalated to the containment phase.
TTP Analysis and Sharing: Analysis of attackers’ tactics, techniques and procedures (TTPs) can be used to beat them at their own game by learning as much as we can from their attacks. Sharing those TTPs can expose seemingly unrelated attacks across disparate organizations.
Incident Resolution: Breaches that do occur are investigated, analyzed, and quickly remediated, and the resulting intelligence is shared, which in turn helps convert unknown threats into known threats.
By adopting a life-cycle strategy and operational approach, organizations define the key processes and the role of each system and capability in their security architecture to achieve advanced threat protection and stay safe against unknown threats. Most importantly, changes in posture and strategy have to be understood by the entire security team to ensure the efficiency and success of the program. Remember, if the pitcher and catcher have a game plan for how they want to pitch to a given batter, the other seven defensive players on the field need to be on the same page. The game plan will determine where they stand, where they throw and how they are positioned to defend – or, in our world, to proactively mitigate threats, resolve issues quickly, learn from incidents, and apply new intelligence so future attacks do not succeed.