The bolt-on challenge: closing security gaps

IT environments have expanded to include networks, endpoints, mobile devices and virtual assets – and so have security tools. Most organizations have ended up with a set of disparate technologies across these control points that were never designed to work together.

The result? Breaches happen. It’s a fact of life.

As our protection methods improve and security effectiveness reaches new heights, attackers are digging deeper, using increasingly advanced techniques and new attack vectors to circumvent existing protections. This concern was also raised by Masagos Zulkifli bin Masagos Muhammad, Senior Minister of State for Singapore’s home and foreign affairs, at the GovernmentWare 2013 conference held last October. The minister stressed that with cybercrime rising 42 percent in 2012 over the previous year, companies increasingly need to combat such threats effectively.

However, the existing security architecture in many organizations is disparate or poorly integrated, and whatever integration exists is typically one-way. Instead of providing a continuous reflection of activity as it unfolds, the data gathered is usually a snapshot in time. Visibility and analysis are also not automatically correlated and translated into action, which prevents organizations from containing and stopping damage, and from preventing future attacks.

An integrated set of automated controls and intelligence is required to complement and support greater visibility and analysis. Organizations need to shift away from point-in-time data and move towards a continuous approach that allows them to remain vigilant against today’s sophisticated attack techniques. Take for example malware that disguises itself to evade detection and only exhibits malicious behavior later, or indicators of compromise that are imperceptible on their own and only reveal an attack once distinct data points are correlated. Both cases highlight the need for integration as a means to address the full attack continuum at all times; only by adopting such an approach will organizations be able to adapt their defenses and take action to protect their assets.

What organizations require is a tightly integrated enterprise security architecture. Based on a 2012 survey by market research firm Enterprise Strategy Group, 44% of enterprise security professionals believe that their organizations are likely to design and build a more integrated enterprise security architecture over the next two years. The aim is to improve security controls through central policy management, monitoring and distributed policy enforcement.

Enterprise security architecture equips organizations with greater visibility and awareness, and enables continuous security before, during, and after an attack. It allows data and events to be aggregated across the extended network, turning security from a point-in-time exercise into one of continual analysis and decision-making. Based on these real-time insights, organizations can employ intelligent automation to enforce security policies across control points even after a breach has occurred.

After an attack, it is essential for organizations to mitigate the impact and prevent similar occurrences in future. Infrastructure that continuously gathers and analyzes data to create security intelligence enables organizations to identify and correlate indicators of compromise, detect sophisticated malware that alters its behavior to avoid detection, and remediate accordingly. Compromises that may have gone undetected for weeks or months can also be identified, scoped, contained and cleaned up rapidly. Moving forward, organizational security can become even more effective by automatically updating protections and implementing integrated rules on the perimeter security gateway, within security appliances protecting internal networks, on endpoints and on mobile devices, so that the same attack is detected and blocked at every control point.

Over time, IT environments will continue to expand and spawn new attack vectors that we have yet to imagine. Organizations therefore need to implement an integrated security architecture, as this provides a dynamic foundation that allows security measures to remain continually effective and relevant in a changing world.

Attackers don’t discriminate and will use every weapon at their disposal to accomplish their mission. As defenders, we need to as well. Equipped with a powerful enterprise security architecture based on awareness and continuous capabilities, organizations will thus be able to close security gaps across all sectors of the ever-extending network at all times – before, during, and after the attack.

Amitpal Dhillon is Senior Product Manager for Asia Pacific at Sourcefire, now a part of Cisco.