Simply Security - News, Views, and Opinions from Trend Micro

Security experts shifting focus beyond static, perimeter defenses

Posted on May 31st, 2012 in Spotlight by Simply Security

IT leaders are hoping to adapt their defense strategies to present new obstacles for cybercriminals.


With traditional network security tools such as firewalls, antivirus software and intrusion detection systems struggling to account for all of the threats posed by today's cybercriminals, there has been much discussion of what the next generation of complementary defense tactics may look like. Two of the most promising paradigms posited of late have been the concept of dynamic perimeters and a greater emphasis on damage mitigation tactics.

The range and complexity of threats facing today's data security professionals can be overwhelming at times, but one of the most consistent takeaways has been the notion that static, perimeter-based defenses may no longer be up to the task. According to Federal Computer Week (FCW), the majority of current cybersecurity mechanisms have been designed to protect a very specific set of system configurations that are in operation for a long period of time.

The temporal aspect is key, because the longer a hacker has to conduct reconnaissance, identify a vulnerability and gauge the potential security response, the more likely an attack is to succeed. Additionally, one loophole can be exploited for an extended period of time until security administrators diagnose and resolve the issue.

Instead of exhausting resources attempting to identify and plug holes in the network environment, a so-called moving target defense (MTD) approaches the issue from a different angle. Rather than presenting attackers with a constant set of security variables, data protection mechanisms continuously evolve to place a new scenario in front of would-be hackers. According to FCW, this fundamentally narrows the window in which cybercriminals are able to exploit a weakness because there is no guarantee that the configurations they observed during intelligence-gathering missions will still be intact.

"Most of the exploits you see today are based on specific vulnerabilities in the way code is structured," former Defense Advanced Research Projects Agency senior scientist Anup Ghosh told FCW. "MTD strategies are to create different instances of the same software where semantically or functionally the behavior of the software is the same, but its structure would change with each instance."

While this approach would be quite a departure from current strategy, the underlying technology may not be all that far away. According to FCW, the continued virtualization of operations will be essential to MTD programs, allowing for flexible provisioning of compute resources. Continuous monitoring will also help govern quickly evolving environments to ensure this added complexity is confusing cybercriminals, not network administrators.

Nevertheless, Ghosh suggested that it would take no less than four years before widespread implementation of MTDs is seen. And while that is a "fairly aggressive" timetable in comparison to many other areas of federal research and development, organizations will have to focus on bolstering separate layers of their data security strategies in the meantime.

According to Dark Reading's Ericka Chickowski, experts have recently shown an increased interest in damage mitigation protocols. As government contractors and software vendors have fallen victim to large-scale breaches and attacks, organizations with far fewer resources are beginning to wonder if absolute prevention is a realistic goal. Instead of focusing solely on fortifying a strong perimeter, many are conceding that it may be wiser to plan for seemingly inevitable intrusions.

"Security traditionally has been a preventative game, trying to prevent things from happening. What's been going on is people realizing you cannot do 100 percent prevention anymore," Forrester Research principal analyst Chenxi Wang told Chickowski. "So we figured out what we're going to do is limit the damage when prevention fails."

Part of the incident response equation will be analyzing and understanding cybercriminal intent. Merely discovering traces of malware or an infiltrated database is no longer enough, according to Chickowski, and data protection specialists are now designing their defenses in response to potential attacker motives.

According to Microsoft Trustworthy Computing director Tim Rains, big data analysis may hold the key to progress.

"Instead of artifacts, big data captures and correlates all audit events, looking for anomalies in real time. It's not just a buzzword," Rains told Dark Reading.

Not surprisingly, this strategy of containment has military roots. Several years ago, the Air Force was among the first to realize the futility of strictly perimeter-based cybersecurity defenses, employing a variety of sensors to monitor attackers that had found their way behind enemy lines. By moving away from prevention and toward proactive hunting, Chickowski noted, the focus became identifying enemies and clamping down before they were able to siphon sensitive assets.

While some fear that this may be a defeatist approach, others simply contend that it is a pragmatic response to a new reality. With security architecture inherently progressing more slowly than hackers' intent to exploit its weaknesses, contingency planning is imperative. While MTD strategies show real promise, containment may be the next best option in the interim. By identifying what cybercriminals may be after and protecting it accordingly, a breached perimeter may not necessarily spell the undoing of the entire system.

Data Security News from SimplySecurity.com by Trend Micro


