Cyber Security

The Hackers Are In! Now What?

By Dave Klein, vice president of cybersecurity at Guardicore.

Organisations are being hacked. Breaches hit the news almost weekly. The cause isn’t usually a lack of security. It’s an investment in the wrong security. Often there’s an over-reliance on perimeter solutions, especially firewalls. Organisations need to change where and how they incorporate cybersecurity to reduce risk and ensure compliance.

Well into the midday sun of the Information Age, we find enterprises facing the realisation that traditional perimeter cybersecurity techniques, especially firewalls, have become direly outdated. 

Making matters worse, we have layered security solution on top of security solution, adding to complexity and management overhead.  While the rest of the enterprise has adopted DevOps/Cloud models to better meet business goals, traditional approaches to cybersecurity haven’t kept up.

For this reason, many organisations from the US Federal government to global financial firms, today approach protection with the assumption that they’ve already been breached and must now contain an attack. It is an exercise in vigilance which has led to some very well laid out incident response plans. But these sorts of responses are reactionary, rather than proactive efforts to better protect systems from intruders in the first place. In this sense, many organisations need to shape up their approach.

There is a need for a wholesale change in how we understand and implement cybersecurity solutions. In particular, we need an understanding that applies better security across the environment and does so in an accelerated, streamlined fashion. 

There is an easy, clear cut methodology we can put in place to remedy this situation.  Let’s first, however, look at the issues that have hampered us in the battle to protect systems from attack.

Chief cause for our current dilemma: over confidence and investment in perimeter solutions – especially firewalls

Enterprises have made an inordinate investment in perimeter protection through the use of firewalls and ‘next-generation’ firewalls.  While they take up a good portion of enterprise cybersecurity investment, these devices have become proverbial screen doors in recent years incapable of stopping much. 

This is further validated by most firms’ investment in additional perimeter security appliances in everything from reverse proxy/WAFs, Web Proxy Security Devices, Email Security MTA’s and others due to the failure of firewalls to thwart even basic attacks.  The concept of perimeter security and especially firewalls is plagued by several key issues:

  1. Firewalls are easily traversed by user side exploits.  Whether delivered via spearfishing, drive by website based, or through VPN man in the middle attacks, these techniques allow the attackers malicious use of authorised devices through firewalls.
  • Direct assault against firewalls using evasion techniques. Such techniques are numerous and include use of encryption, file-less malware, polymorphic attacks and even include techniques that get past deep packet inspection and even next generation application awareness engines. Chinese state, state sponsored and criminal actors have for years been utilising certificate signed TLS communication made to look like HTTPS packets.  Traffic easily traverses enterprise firewalls with inbound attacks. Outbound data exfiltration is hidden in headers and even within the payload of faked HTTPS traffic.  This method is still used today. Hacker group APT27 recently used this approach to attack financial services firms globally as well as to attack other industries.
  • Firewall rule sprawl.  In the financial sector especially, but also in other verticals, it’s common to find firewall rule sets that have grown to thousands of pages.  Over a firewall’s lifetime, rules get added to solve a current issue but are rarely cross-referenced against those created in the past.  Often thousands of rules overlap and are contradictory.  Holes and gaps appear, hidden in the mess.  Add given most enterprises run hundreds (even thousands) of firewalls, ‘rule sprawl’ becomes a clear predicament.
  • Firewalls are perimeter devices. They are not sited where the majority of workflows exist. By far the greatest problem in today’s complex environments is that firewalls aren’t in the traffic flow, when clearly that’s where they need to be in order to protect systems from nefarious activity. This is a common weakness in automated, data centre/cloud and application centric settings that have federated environments where you share data seamlessly with customers, partners, suppliers and vendors.
  • Direct assaults on applications, data centres and clouds taking advantage of poor hygiene.  Attackers are making a wholesale shift in targets away from individuals and towards data centres, clouds and the applications they host. Evidence suggests this has offered attackers a bigger return on investment. They very easily take advantage of inherent hygiene issues found there.  Whether it be unpatched applications, poor password strength, a lack of two factor authentication, poor certificate and network services management (DNS etc), it’s all too easy. By far the biggest issue is a lack of segmentation.  This allows hackers unfettered lateral movement – also known as East West movement – between systems. Once through the firewall, hackers are free to roam.

There is a clear cut, achievable strategy for us to enhance security, reduce risk and cut costs

Fortunately, most cyber security professionals understand the above issues.  They know that the traditional focus on the perimeter is no longer adequate protection, since attackers can today easily penetrate such security.  Security leaders are becoming aware that since perimeter security breaches are almost inevitable, they must now focus on securing the enterprise from within, to prevent the aforementioned lateral movement and protect sensitive areas when breaches occur. 

While this might at first sound challenging, it is in fact surprisingly easy to achieve. The good news is that for just a little expert effort, enterprises can significantly reduce their risk exposure, while also boosting compliance. There are two major components to this strategy.

1.    Adoption of the Zero Trust Framework

Founded by Forrester, whose cyber-security practice is currently led by Dr. Chase Cunningham, Zero Trust is an easy to adopt framework that outlines steps an enterprise can take to shore up its security.  The concept seeks to simplify and streamline adoption by prioritising what matters most.  Instead of focusing on the solutions, it clearly focuses on the business elements within the enterprise that need to be protected.

2.    Accelerated risk reduction, compliance validation and cost savings by implementing Software-Defined Segmentation

Aligned with and by far the most helpful solution in adopting Zero Trust is Software-Defined Segmentation.  Unlike traditional legacy segmentation techniques like VLANs & ACLs on premises and Security Groups in both public and private clouds which are a management nightmare, cumbersome, lack visibility are not granular enough to effectively protect against threats and ensure compliance, Software-Defined Segmentation:

  • Works across all of your platforms, old and new providing in depth visibility and management which is decoupled from the diverse underlying platforms and operating systems themselves, thus providing an abstraction layer where all functions work seamlessly.
  • Follows the workload and includes well needed granularity.  Instead of being stuck with mere port and IP address level policies (typical of traditional segmentation) which do little to stop threats, software-defined segmentation allows tight, granular policies by process, identity and by FQDN. 
  • To enhance speed and innovation software-defined segmentation also incorporates automated provisioning, management and autoscaling of workloads enhanced by increased use of playbooks and scripts like Chef, Puppet and Ansible.  These scripts allow a “done once, done right” approach which greatly reduces the need for manual moves, adds, changes and deletes.

By gaining granular and in-depth visibility and management within a single platform, software-defined segmentation allows you to segment in an accelerated fashion – accomplishing in days what used to take months or years.

Especially for the financial sector, which must comply with multiple compliance standards from SWIFT, PCI through GDPR and California Privacy, adopting Software Defined Segmentation offers considerable cost savings in merely reducing scope and providing real-time and historical validation of compliance.

Furthermore, software-defined segmentation provides a buffer of protection for an enterprise to subsequently shore up those aforementioned hygiene issues within their internal applications, data centres and clouds.  Software-defined segmentation gives you time to patch, enable strong password enforcement, two factor authentication, better certificate management and to incorporate better incident response plans.

The adoption of the Zero Trust Framework and Software-Defined Segmentation can bring effective cybersecurity to the enterprise in an accelerated, flexible and simplified fashion.

About the author

Dave Klein is senior director of cybersecurity engineering & architecture at Guardicore. He has over 20 years of experience working with large organisations in the design and implementation of security solutions across very large scale data centre and cloud environments.

At Guardicore, Dave works with Guardicore customers in architecture and implementation of advanced data centre and hybrid cloud security solutions for the rapid detection, containment and remediation of security breaches.

Before Guardicore, Dave Klein spent ten years as a contractor working with various US Government agencies including: US DoD, Civilian Agencies, Congress and Executive Office of the President.