Not if but When

August 21, 2014
2 minute read
security

Today’s hybrid networks are complex, employing every type of connectivity imaginable: traditional WAN links, internet VPN, remote access and BYOD, to name but a few. So it’s understandable that this degree of complication makes it difficult to keep a network secure. It’s no longer a matter of questioning ‘if’ an organisation will be attacked, but ‘when’. In short, anyone who thinks they’re safe from attack is wrong.

Networks are now accessible to more users than ever, including business partners, employees, contractors and customers that demand access from everywhere, at any time and using any device.

An organisation’s focus needs to change — from protection from attacks to resilience against them. The question a CISO now needs to ask is ‘how quickly would we recognise an attack and how soon could we stop it?’ Shockingly, the latest report from Mandiant showed that companies take an average of 229 days to discover threats on their network.

Protective security measures like network segregation, firewalls and IPS systems aren’t redundant; they should be enhanced with comprehensive threat intelligence and associated incident response. Logs need to be collected, correlated and investigated. Only then can attacks be spotted quickly.

Data can be accessed from anywhere, so you need to understand usage patterns and look at context such as geolocation, time of day, or access type. For example, an alarm should be raised if a user ID, which is usually used from a company device during normal business hours in a certain country, suddenly tries to gain access from an internet café in the middle of the night, from another continent.
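The contextual check described above (a known user ID appearing from an unexpected country, device class and hour) can be expressed as a small baseline-and-deviation detector. The code below is an added illustration, not something from the original post; it uses constructed sign-in events with a hypothetical tuple layout (user, ISO timestamp, country, device class), learns each user's usual context from a baseline window, and raises an alert when several context signals deviate at once, while a single deviation is recorded only as a notice.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in events: (user, ISO timestamp, country, device class).
# These are made-up records for the example, not real log data.
BASELINE_EVENTS = [
    ("alice", "2014-08-04T08:55:00", "DE", "managed"),
    ("alice", "2014-08-05T09:10:00", "DE", "managed"),
    ("alice", "2014-08-06T13:40:00", "DE", "managed"),
    ("alice", "2014-08-07T17:58:00", "DE", "managed"),
    ("alice", "2014-08-08T11:05:00", "DE", "managed"),
    ("bob",   "2014-08-04T07:30:00", "GB", "managed"),
    ("bob",   "2014-08-05T12:00:00", "GB", "byod"),
    ("bob",   "2014-08-06T16:45:00", "GB", "managed"),
    ("bob",   "2014-08-07T08:20:00", "GB", "byod"),
    ("bob",   "2014-08-08T14:10:00", "GB", "managed"),
]

# Constructed events to evaluate against the baseline.
NEW_EVENTS = [
    ("alice", "2014-08-11T02:47:00", "BR", "unmanaged"),  # night, other continent, unknown device
    ("alice", "2014-08-11T18:30:00", "DE", "managed"),    # slightly late, otherwise normal
    ("bob",   "2014-08-11T10:15:00", "GB", "byod"),       # fully within baseline
    ("carol", "2014-08-11T10:00:00", "DE", "managed"),    # no history at all
]


def build_profiles(events, min_events=5):
    """Learn, per user, the countries, device classes and hour-of-day range seen in the baseline."""
    by_user = defaultdict(list)
    for user, ts, country, device in events:
        by_user[user].append((datetime.fromisoformat(ts), country, device))
    profiles = {}
    for user, rows in by_user.items():
        if len(rows) < min_events:
            continue  # too little history to say what is "normal" for this user
        hours = [t.hour for t, _, _ in rows]
        profiles[user] = {
            "countries": {c for _, c, _ in rows},
            "devices": {d for _, _, d in rows},
            "hour_range": (min(hours), max(hours)),
        }
    return profiles


def deviations(profile, ts, country, device):
    """Return the list of context signals on which this event departs from the user's profile."""
    reasons = []
    if country not in profile["countries"]:
        reasons.append("unusual_country")
    if device not in profile["devices"]:
        reasons.append("unusual_device")
    lo, hi = profile["hour_range"]
    if not lo <= ts.hour <= hi:
        reasons.append("unusual_hour")
    return reasons


def evaluate(profiles, events, alert_threshold=2):
    """Score each event; several simultaneous deviations become an alert, one becomes a notice."""
    findings = []
    for user, ts_str, country, device in events:
        ts = datetime.fromisoformat(ts_str)
        profile = profiles.get(user)
        # A user ID with no baseline cannot be judged normal; surface it for review rather than ignore it.
        reasons = ["no_baseline"] if profile is None else deviations(profile, ts, country, device)
        if not reasons:
            continue
        level = "alert" if len(reasons) >= alert_threshold else "notice"
        findings.append({"user": user, "timestamp": ts_str, "level": level, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in evaluate(build_profiles(BASELINE_EVENTS), NEW_EVENTS):
        print(f"{f['level'].upper():6} {f['user']:6} {f['timestamp']}  {', '.join(f['reasons'])}")
```

Run as a script it prints one line per finding: the night-time sign-in from another continent on an unknown device is an alert on three signals, the late-evening sign-in from the usual place is only a notice, and the user with no history is flagged for review. The threshold of two coinciding deviations is what keeps the example from paging on every worker who stays late; in practice the baseline window would cover weeks of logs rather than five events.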

Incident response procedures need to be kept current — without regular drills things might go wrong if an incident happens. At every stage it needs to be clear which parts of the organisation need to participate in the incident response process, and which responses are required by each unit. Your efforts will come to nothing if an attack is noticed by tools or people but nobody knows which action to take.

Automated measures and continuous reports on the state of the network further improve resilience. With the diminishing perimeter of the network, companies should continuously evaluate which connections constitute the network. It pays to regularly evaluate the security of critical applications, taking swift action to resolve any issues.
