Guard Against Advanced Persistent Threats Through Internal Segmentation


ePlus Security Team


June 3, 2016

In 2015, the number of zero-day vulnerabilities discovered increased 125 percent (from 24 to 54) from the year before, according to data compiled by Symantec [1]. In addition, massive data breaches were again reported last year, resulting in an estimated 429 million identities exposed to cyber villains [2]. That’s a huge number. But Symantec speculates the real number may be closer to 500 million identities exposed, if all organizations reported the full extent of their breaches [3].

As much as we may wish otherwise, threat actors are well-organized, sophisticated, and persistent. And they have become masters at researching vulnerabilities and creating targeted attacks to exploit them.

Advanced Persistent Threats

Protecting the perimeter of our corporate networks with intrusion detection and prevention systems (IDPS), next-gen firewalls, and anti-malware/anti-virus solutions is vital in order to safeguard our systems and data from the continuous onslaught of cyber attacks. But regardless of the sophistication of our perimeter defenses, the odds are they will be breached at some point.

Threat actors are adept at creating advanced persistent threats (APTs) designed to breach standard layered security. APTs carefully research their targets to understand their network security infrastructure and then use techniques such as social engineering to deliver malware to specific targets within the company, including systems and people. APTs are designed to penetrate perimeter defenses and to settle inside corporate networks where they seek to remain undetected, launching other attacks against vulnerable targets from within and stealing data over time. Perpetrators know that it takes approximately 250 days (or roughly six months) on average for breaches like these to be detected, which gives them a lot of time to extract and analyze corporate data.

Advanced threat protection solutions can help identify suspicious behavior on the network and block APTs from spreading through sandboxing techniques, but no single solution can be expected to stop them all. And as we have seen in the past, well-designed APTs have been successful in stealing personally identifiable information (PII), account numbers, and credit card data from some large, sophisticated companies.

A solid perimeter defense strategy is one component of a well-designed security architecture. But what happens when those safeguards are breached?

Protection Inside the Perimeter

As security professionals, we should assume our perimeter defenses will be breached eventually. To think any other way would be naïve. Our goals should be to identify breaches quickly when they occur and to minimize the amount of damage that can be done. We need to design security from the inside out beginning with the data and move more protection inside the perimeter of our networks using network segmentation, internal segmentation firewalls, and micro-segmentation in the data center.

Network Segmentation

Once a network is infiltrated by an unauthorized user or malware, one way of minimizing exposure is through network segmentation. Properly done, network segmentation seeks to divide and separate the network based on a careful analysis of business function, applications, data, and users in order to prevent unauthorized access to critical records. While it’s no small undertaking, the benefits far outweigh the costs.

As segmentation is implemented, we need to move closer to a zero-trust model—where entities are first assumed to be untrusted—and isolate network segments to prevent unauthorized entities from traversing the backbone network and infiltrating production systems.

Internal Segmentation Firewalls (ISFW)

Internal segmentation firewalls (ISFW) are placed between network segments and focus on network traffic traveling within corporate networks inside the perimeter. Unlike perimeter firewalls, ISFWs are put in place to screen internal traffic seeking to travel between segments to add another layer of protection and to keep untrusted entities from traversing network segments and gaining access to sensitive data and applications.

Micro-Segmentation in the Data Center

A software-defined data center (SDDC) provides a multitude of business advantages. It allows businesses to be more agile, enabling network, compute, and storage resources to be allocated quickly and efficiently, so applications can be deployed faster. In addition, a SDDC allows security technology to be implemented into the hypervisor of virtual environments. This creates the opportunity for security policies to be established for specific workloads independently from the hardware, allowing security to be maintained regardless of where the workload runs or what changes are made below the abstraction layer.
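The three controls described above (segmentation, an ISFW allowlist between segments, and workload-level micro-segmentation) can be made concrete in a small policy model. The following is an added example, not code from ePlus or from any firewall or SDDC product. The segment ranges, the allowed flows, the workload labels and the flow records are all constructed for illustration. The first part models an ISFW: segments are address ranges, the only permitted inter-segment flows are an explicit allowlist, and everything else is denied (the zero-trust default). Auditing constructed flow records against that policy surfaces the cross-segment attempts a defender would alert on. The second part models micro-segmentation: policy is keyed on workload labels rather than addresses, so the same rules still hold after a workload is moved to another host and address.

```python
"""Segment-policy demo (illustrative; constructed segments, rules and flows)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

# --- Network segmentation: each segment is an address range (constructed values).
SEGMENTS = {
    "user_lan": ip_network("10.10.0.0/16"),
    "app_tier": ip_network("10.20.0.0/24"),
    "db_tier": ip_network("10.30.0.0/24"),
}

# --- ISFW policy: explicit allowlist of (src_segment, dst_segment, proto, dst_port).
# Anything not listed is denied, which is the zero-trust default between segments.
ISFW_ALLOW: Set[Tuple[str, str, str, int]] = {
    ("user_lan", "app_tier", "tcp", 443),   # users reach the web front end only
    ("app_tier", "db_tier", "tcp", 5432),   # only the app tier reaches the database
}

def segment_of(ip: str) -> Optional[str]:
    """Map an address to its segment name, or None if it is in no known segment."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None

def isfw_decision(src_ip: str, dst_ip: str, proto: str, dst_port: int) -> str:
    """Decide a single flow as the ISFW would: allow only listed inter-segment flows."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return "deny"            # unknown address space is untrusted by default
    if src == dst:
        return "allow"           # intra-segment traffic is not the ISFW's job here
    return "allow" if (src, dst, proto, dst_port) in ISFW_ALLOW else "deny"

# Constructed flow records, as a flow collector might export them.
FLOWS: List[Dict] = [
    {"src": "10.10.4.21", "dst": "10.20.0.10", "proto": "tcp", "dport": 443},   # user -> web
    {"src": "10.20.0.10", "dst": "10.30.0.5",  "proto": "tcp", "dport": 5432},  # app -> db
    {"src": "10.10.4.21", "dst": "10.30.0.5",  "proto": "tcp", "dport": 5432},  # user -> db
    {"src": "10.20.0.10", "dst": "10.10.4.21", "proto": "tcp", "dport": 445},   # app -> user
    {"src": "192.168.5.5", "dst": "10.30.0.5", "proto": "tcp", "dport": 22},    # unknown -> db
    {"src": "10.10.4.21", "dst": "10.10.4.99", "proto": "tcp", "dport": 445},   # user -> user
]

def audit_flows(flows: List[Dict]) -> List[Dict]:
    """Return the flows the ISFW denies; these are the cross-segment attempts to alert on."""
    return [f for f in flows
            if isfw_decision(f["src"], f["dst"], f["proto"], f["dport"]) == "deny"]

# --- Micro-segmentation: policy follows the workload's labels, not its address or host.
@dataclass(frozen=True)
class Workload:
    name: str
    labels: Dict[str, str]
    ip: str
    host: str

# (labels required on src, labels required on dst, proto, dst_port); default deny.
MICROSEG_ALLOW = [
    ({"tier": "web"}, {"tier": "app"}, "tcp", 8080),
    ({"tier": "app"}, {"tier": "db"}, "tcp", 5432),
]

def _matches(required: Dict[str, str], labels: Dict[str, str]) -> bool:
    return all(labels.get(k) == v for k, v in required.items())

def microseg_decision(src: Workload, dst: Workload, proto: str, dst_port: int) -> str:
    """Decide a workload-to-workload flow purely from labels."""
    for src_req, dst_req, p, port in MICROSEG_ALLOW:
        if (_matches(src_req, src.labels) and _matches(dst_req, dst.labels)
                and p == proto and port == dst_port):
            return "allow"
    return "deny"

def migrate(w: Workload, new_host: str, new_ip: str) -> Workload:
    """Move a workload to another host/address; its labels (and so its policy) travel with it."""
    return Workload(w.name, dict(w.labels), new_ip, new_host)

if __name__ == "__main__":
    for f in audit_flows(FLOWS):
        print("ISFW denied:", f)
    web = Workload("web-1", {"tier": "web"}, "10.20.0.10", "esx-01")
    app = Workload("app-1", {"tier": "app"}, "10.20.0.20", "esx-01")
    db = migrate(Workload("db-1", {"tier": "db"}, "10.30.0.5", "esx-02"), "esx-07", "10.30.0.77")
    print("app -> db after migration:", microseg_decision(app, db, "tcp", 5432))
    print("web -> db after migration:", microseg_decision(web, db, "tcp", 5432))
```

Running the module prints the three denied cross-segment flows (user to database, app tier back into the user LAN on 445, and an address outside any defined segment) and shows that the database workload keeps the same allow/deny outcome after it has been moved to a different host and address, which is the property the section attributes to hypervisor-level policy.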

Given the cyber risks we face every day, a solid perimeter defense strategy simply is not enough. For better protection against today’s advanced persistent threats, security needs to move further inside the perimeter of our corporate networks using internal segmentation strategies.

For more information on how ePlus can help you implement better security through internal segmentation, visit www.eplus.com/security.
