Cybercrime has become a booming industry, accelerating in the last 5 years, complete with automated tools, customer support, and guarantees for product effectiveness. Security professionals need to enable a productive work environment while providing all of the controls needed to protect the organisation’s data and customers. How effective this is depends on how advanced the defences are and on the breadth and depth of visibility. Here we outline the architecture that is necessary for blocking attacks and preventing breaches:
- Enforce allowed interactions between your data and your users
The network is like a virtual highway connecting users and customers to important data and dramatically increasing productivity. Data is constantly in transit, and because sources, destinations, and the paths in between them are becoming more virtualised, network traffic is increasingly complex. Roads that lead to critical data stores and valuable assets must be protected because it’s not always obvious when access is abused.
Choose a solution that: effectively reduces the attack surface by granularly identifying approved interactions between users and data based on the specific data you’re trying to protect – what it contains, where it’s located, how it should be used, and by whom.
- Identify threats on all applications, ports, users and devices, all the time
Attackers purposely craft threats to lurk in the dark corners of organisations by utilising deceptive techniques, like applications that port-hop and use non-standard ports, using protocols that aren’t anticipated, and disguising themselves as benign files.
Choose a solution that: more effectively segments the network based on expected interactions and behaviour. Control who and what can communicate, and how. Understand how each application, user, and device is used, and how each may be leveraged at different stages of an attack.
- Protect data at multiple stages in the attack lifecycle
All attacks consist of multiple stages strung together to form the attack lifecycle, and every stage must succeed before the attacker’s objective can be met. Stand-alone security tools that focus solely on one stage, like a traditional IPS or a Web proxy, may fail, especially where new or unknown techniques are used.
Choose a solution that: focuses on attack behaviours at multiple stages: from blocking delivery via compromised Web pages and malicious files, to stopping the execution (installation) of files containing known malware through accurate payload identification, to shutting down outbound command-and-control communication.
- Outsmart advanced threats specifically designed to outmanoeuvre security tools
It’s incredibly easy for attackers to modify existing malware and exploits to make them essentially “unknown” to bypass traditional defences. These minor variations in threats create moving targets for security tools with static protections. What’s more, malicious URLs and command and control domains come and go quickly, often only remaining active for a few hours or days at a time.
Choose a solution that: can handle the load, either with an enormous and constantly growing library of exploit- and hash-based signatures, or with a smaller set of payload-based signatures, each capable of detecting and preventing multiple variations of a threat.
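The following is an added example, not code from the original article or from Palo Alto Networks, showing why the two signature strategies above scale so differently. A constructed, benign byte string stands in for a malicious file; a hash-based database needs one new entry for every trailing-byte variation, while one payload-based signature anchored on the invariant bytes catches all of them. The sample, the marker string and the regular expression are all assumptions made for this illustration.

```python
import hashlib
import re

# Constructed, benign stand-in for a malicious file (not a real sample).
# The marker bytes are the part that stays invariant across variations.
BASE_SAMPLE = b"HDR\x00" + b"CONSTRUCTED-SAMPLE-MARKER" + b"\x00" * 16 + b"cfg=alpha"


def make_variant(sample: bytes, n: int) -> bytes:
    """Produce a variant that differs only by a few trailing bytes,
    the kind of minor variation the text describes."""
    return sample + b";v=" + str(n).encode()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Hash-based signature database: exactly one entry per known sample.
KNOWN_HASHES = {sha256_hex(BASE_SAMPLE)}

# Payload-based signature: a single byte-regex that tolerates variation
# around the invariant marker (assumed pattern for this example).
PAYLOAD_SIGNATURES = {
    "constructed_marker_family": re.compile(rb"HDR\x00CONSTRUCTED-SAMPLE-MARKER\x00{8,}"),
}


def hash_match(sample: bytes, known=KNOWN_HASHES) -> bool:
    """Exact-hash lookup: any byte change defeats it."""
    return sha256_hex(sample) in known


def payload_match(sample: bytes, sigs=PAYLOAD_SIGNATURES) -> list[str]:
    """Content-based matching: returns the names of signatures that fire."""
    return [name for name, rx in sigs.items() if rx.search(sample)]


def evaluate(n_variants: int = 5) -> dict:
    """Compare coverage of both strategies over the base sample plus variants."""
    samples = [BASE_SAMPLE] + [make_variant(BASE_SAMPLE, i) for i in range(1, n_variants + 1)]
    hash_hits = sum(hash_match(s) for s in samples)
    payload_hits = sum(bool(payload_match(s)) for s in samples)
    return {
        "samples": len(samples),
        "hash_hits": hash_hits,
        "payload_hits": payload_hits,
        # entries the hash database would have to add to cover every variant
        "hashes_needed": len(samples) - hash_hits,
    }


if __name__ == "__main__":
    print(evaluate())
```

Running the block reports one hash hit and six payload hits across six samples, so the hash database would need five more entries to reach the coverage the single payload signature already provides. In practice a payload signature must be written against bytes that cannot be trivially altered, which is why the "smaller set" in the text requires more analysis per signature than a hash does.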
- Facilitate the translation of new intelligence into protections within security policies
The challenge sophisticated attacks pose for security teams is that some of the attack components may be completely new – true zero-day threats. Furthermore, those threats, when taken in isolation, may not indicate anything interesting enough to investigate.
Choose a solution that: is self-learning. A constant feed in which newly discovered attacks are broken down into their components, translated into protections, and distributed to points of enforcement within your segmented network increases the effectiveness of cybersecurity.
- Be up to date with intelligence and protections against the latest attacks
What protected the network against attacks this morning may be ineffective now. Keeping prevention capabilities current helps minimise risk of infection and restricts attackers to threats containing pristine, zero-day exploits and malware, and brand new command and control domains.
Choose a solution that: can compile threat data quickly from new attacks into intelligence and produce protections against those threats as soon as attackers operationalise them. This includes attacks on your network and other organisations around the world.
- Enable quick and accurate mitigation
After being hit by a sophisticated attack, it’s critical to identify the infection quickly and protect other devices and network segments against its spread. Because most network defences comprise best-of-breed tools from multiple vendors, prevention becomes difficult. The process is arduous, highly manual and time consuming.
Choose a solution that: correlates suspicious behaviours to highly accurate infection alerts, so you know that infection has taken place and can prioritise accordingly to swiftly limit your network’s exposure.
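As an added example (not code from the original article or from Palo Alto Networks), the block below ties together the two points made above: that an attack spans several lifecycle stages, and that individually weak observations become a high-confidence infection alert only when they are correlated. Three constructed log lines per sensor type (proxy, endpoint, DNS) are embedded inline; the field names, the stage-classification rules, the 30-minute window and the placeholder hostnames and domains are all assumptions made for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample events from three sensors (assumed format: ISO timestamp
# followed by key=value pairs). Hosts, URLs and domains are placeholders.
SAMPLE_EVENTS = [
    "2024-01-10T09:00:05 host=ws-17 sensor=proxy event=download url=http://example.invalid/doc.zip verdict=unknown",
    "2024-01-10T09:00:41 host=ws-17 sensor=endpoint event=exec path=C:\\Users\\u\\AppData\\Local\\Temp\\doc.exe signed=no",
    "2024-01-10T09:02:10 host=ws-17 sensor=dns event=query domain=newly-seen-placeholder.invalid age_days=1",
    "2024-01-10T09:05:00 host=ws-22 sensor=proxy event=download url=http://example.invalid/report.zip verdict=unknown",
    "2024-01-10T11:30:00 host=ws-22 sensor=dns event=query domain=another-placeholder.invalid age_days=1",
    "2024-01-10T09:10:00 host=ws-03 sensor=endpoint event=exec path=C:\\Vendor\\app.exe signed=yes",
]

KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> dict:
    """Split one log line into a dict of fields plus a parsed timestamp."""
    ts, rest = line.split(" ", 1)
    ev = dict(KV.findall(rest))
    ev["time"] = datetime.fromisoformat(ts)
    return ev


def classify_stage(ev: dict) -> Optional[str]:
    """Map a single low-confidence observation to a lifecycle stage, or None.
    Each rule on its own would be far too noisy to page anyone on."""
    if ev.get("sensor") == "proxy" and ev.get("event") == "download" and ev.get("verdict") == "unknown":
        return "delivery"
    if (ev.get("sensor") == "endpoint" and ev.get("event") == "exec"
            and ev.get("signed") == "no" and "\\Temp\\" in ev.get("path", "")):
        return "installation"
    if ev.get("sensor") == "dns" and ev.get("event") == "query" and int(ev.get("age_days", "9999")) <= 7:
        return "command_and_control"
    return None


def correlate(lines, window=timedelta(minutes=30), min_stages=2) -> list:
    """Group stage observations per host and alert when at least `min_stages`
    distinct lifecycle stages occur within `window` of each other."""
    by_host = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        stage = classify_stage(ev)
        if stage:
            by_host[ev["host"]].append((ev["time"], stage))

    alerts = []
    for host, obs in by_host.items():
        obs.sort()
        best = set()
        for i, (t0, _) in enumerate(obs):
            # all distinct stages seen in the window starting at observation i
            stages = {s for t, s in obs[i:] if t - t0 <= window}
            if len(stages) > len(best):
                best = stages
        if len(best) >= min_stages:
            alerts.append({
                "host": host,
                "stages": sorted(best),
                # three stages modelled here; more stages seen => higher confidence
                "confidence": round(len(best) / 3, 2),
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

With the default window only ws-17 is alerted on (all three stages within two minutes), ws-22's download and young-domain lookup are too far apart to be linked, and ws-03's signed executable never maps to a stage at all. Widening the window to three hours also surfaces ws-22, which is the trade-off a correlation rule always makes between missed chains and false pairings.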
- Coordinate actions comprehensively across individual security technologies
Security technologies and individual sensors throughout the network contain information-gathering and enforcement capabilities that, if built to work together, have the power to secure the organisation more effectively. The big picture sets the context of the attack for understanding where gaps in security may exist, where protections must be created, and where enforcement must be distributed to block the attack and close those gaps.
Choose a solution that: is natively integrated or has open APIs that can be easily integrated in a customised way. These are best suited to comprehensively share intelligence and update policies across the entire network, and immediately alert you to infection, regardless of location.
- Keep your business running
Many organisations struggle when it comes to choosing between security and enabling the thousands of applications that accelerate business efficiency and profitability. More often than not, turning on security features means that users must accept high latency or worse, restriction from using the applications or accessing the data they need.
Choose a solution that: has dedicated, specific processing for management, security, and content scanning, so traffic isn’t processed more than once.
- Be easy to use
Organisations cannot afford the extra time associated with arduous monitoring, investigation, and reporting. Having simple policies set up, and correlated threat data ready and available on one device within one interface, gives security teams a complete view of what’s going on within their network infrastructure and data, without hassle.
Choose a vendor who: correlates security data both at a local level, so you know exactly what’s going on in your network and can respond accordingly, and on a global level, providing you with actionable intelligence on threat campaign details.
Secure application enablement is best executed at every location within the network and cloud, and on endpoints. Attempts to claim effective security using single-function devices in a bolt-on approach are unrealistic. In order to truly prevent a breach, a holistic cybersecurity solution that can dynamically adapt to the changing threat landscape is crucial. We partner with Palo Alto Networks, the next-generation security company maintaining trust in the digital age by helping organisations prevent cyber breaches.
‘10 Things Your Cybersecurity Solution Must Do’ taken from Palo Alto Networks cybersecurity buyer’s guide entitled ‘The Definitive Guide for Evaluating Cybersecurity Solutions’.