With that in mind, my conversations with some analysts focused on common misconceptions about the value of perimeter security, next generation firewalls, and other cure-alls that are being purchased with the mistaken goal of providing an impenetrable wall around a company’s IT infrastructure. The latest buzzword spouted by many analysts (and commonly misunderstood) is technology that provides “detect and respond” capabilities.
The dirty secret I raised with those analysts is that this latest “silver bullet” technology is no cure-all, and in many cases provides little added value to customers beyond the previous generation of perimeter security. And yet these technologies do seem to provide political cover against almost inevitable data loss, since they're currently the analysts' recommended solution for perimeter protection.
Intrusions and kill chains
For the record, I am not saying that firewalls and other perimeter protection have no value. Perimeter protection is getting better every year, and remains an excellent investment. The problem is that many customers do not fully understand how cyber-attacks work, and so might expect that perimeter protection alone can protect their networks. Why not? They've paid more than enough money, and a salesperson probably told them it was sufficient.
An IT security professional will tell you that almost any competent attacker can walk through the best and latest perimeter protection, infecting an entire network within minutes. Today it's almost certain that infected content will make its way through corporate email servers, or users' machines will get infected via personal web email being opened at work.
In many cases your perimeter protection can detect these infections after a period of time – say, 15 minutes to 2 days. Unfortunately, this detect-and-respond chain also generates a lot of false positives, and requires full-time (24/7) trained staff to analyze the alerts and determine the appropriate action. If there are too few competent people monitoring these mechanisms, an intruder's access will only persist and expand. To understand the scope of this problem, keep in mind that today's breach reports often tell us intruders have had undetected access for more than 200 days.
Defense in depth
Given that intruders can easily get past the perimeter protections, what are the best practices to protect your corporate network?
Let’s start with the assumption that your perimeter defenses will fail some of the time. Next, you have to do a pragmatic analysis of how far an intruder could go after taking control of any one machine in your environment. Here is what you should expect: the compromised machine has a key logger installed that records every user name and password entered on the machine. Assume that any administrator account credentials that ever touch the compromised machine are now available for the attacker to access other systems. And if the compromised machine has user certificates, server certificates, or SSH keys, these are also now owned by the attacker for their use.
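One way to make the "how far could an intruder go from one machine" analysis concrete, as an added example that is not part of the original article: a small Python model over a constructed host and credential inventory (the host names and account names are invented) that applies the assumption above, namely that every credential which has touched a compromised machine is captured and usable against every host it can log in to.

```python
from collections import deque

# Constructed sample inventory (not from the article). CREDS_ON_HOST records which
# accounts or keys have been used on each host; CRED_ACCESS records which hosts
# each credential can log in to.
CREDS_ON_HOST = {
    "ws-01": {"alice", "helpdesk-admin"},
    "ws-02": {"bob"},
    "file-01": {"helpdesk-admin", "svc-backup"},
    "db-01": {"svc-backup", "dba"},
    "jump-01": {"ssh-key-ops"},
    "build-01": {"ssh-key-ops"},
}
CRED_ACCESS = {
    "alice": {"ws-01"},
    "bob": {"ws-02"},
    "helpdesk-admin": {"ws-01", "ws-02", "file-01"},
    "svc-backup": {"file-01", "db-01"},
    "dba": {"db-01"},
    "ssh-key-ops": {"jump-01", "build-01"},
}


def blast_radius(start_host, creds_on_host, cred_access):
    """Return (hosts, credentials) an attacker who owns start_host can reach.

    Breadth-first closure: owning a host captures every credential that touched
    it (key logger / stolen key assumption), and each captured credential grants
    every host it can log in to.
    """
    owned_hosts = {start_host}
    owned_creds = set()
    queue = deque([start_host])
    while queue:
        host = queue.popleft()
        for cred in creds_on_host.get(host, ()):
            if cred in owned_creds:
                continue
            owned_creds.add(cred)
            for target in cred_access.get(cred, ()):
                if target not in owned_hosts:
                    owned_hosts.add(target)
                    queue.append(target)
    return owned_hosts, owned_creds


def exposure_by_host(creds_on_host, cred_access):
    """Map each host to how many hosts fall if that host alone is compromised.

    Hosts with a high count are where shared admin accounts or keys should be
    removed first (least privilege, separate admin workstations, key rotation).
    """
    return {h: len(blast_radius(h, creds_on_host, cred_access)[0]) for h in creds_on_host}
```

In the constructed inventory, a single workstation where a helpdesk admin has logged in exposes the file server and, through the backup service account used there, the database server; the SSH-key-only hosts stay isolated.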