In a previous article I highlighted three congruent developments (increasingly sophisticated threats, more rigorous compliance regimes, business and IT opportunities) which have elevated security to the status of a strategic issue for many organisations. In this article I address one of these dimensions in more detail and how organisations can reduce their exposure to the latest cyber threats.
Our adversaries have many advantages in their favour. They can harness the power and flexibility of the internet to multiply the impact of their operations (like botnets), and can rapidly shift the control of their attacks to new locations.
New software vulnerabilities are discovered and publicised, and exploits for them developed, very quickly by internet-based groups and collaborators. The huge asymmetric advantages of cyber attack have attracted many large, well-resourced organisations — not just state-sponsored groups but also organised crime, drawn by the rich financial rewards.
Cyber attack is now big business, whether it is stealing IP, harvesting and selling on credit card and banking details, or developing the ability to disrupt and degrade business operations for speculative profit (in the banking sector, for example).
How can organisations protect themselves against these threats? There is no single answer — it requires an integrated approach which builds defence in depth across all layers of the security architecture.
Typically there are four layers of defence which organisations need to consider in developing their strategy (see diagram below):
Layer 1 comprises ICT technologies architected to operate securely in an appropriate cyber threat environment — an area often neglected during the design and implementation stage.
In a high threat environment, for example, software assurance methodologies should be adopted and appropriate use made of relevant design standards.
Layer 2 is the traditional security overlay of devices (such as firewalls, intrusion detection systems and end-point protection). These are often implemented as point solutions, but increasingly they need to be integrated and managed centrally from a security operations centre (SOC) to provide a coherent and responsive alerting and security incident management service.
The breadth and maturity of security devices continues to develop; for example, the new generation of data loss prevention products enable the protection of critical information wherever it resides.
Layer 3 is the intelligence layer, where information from devices inside the network and external intelligence feeds combine to provide situational awareness in and around the network. For many organisations this is a new function; implemented correctly, it can provide real-time awareness which triggers rapid responses to the emergence of new threats and attacks.
The particular challenge for systems in layers 2 and 3 is to protect against the most sophisticated malware (advanced persistent threats, APTs), which often exploits undiscovered vulnerabilities and is invisible to signature-based detection. A number of security organisations are developing systems to collect and analyse the large data volumes involved and identify the anomalous patterns of behaviour which can reveal such attacks.
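To make the layer 2/3 distinction concrete, here is a small added example (not from the article or from CSC) that runs two checks over constructed proxy log lines: a signature-style match of internal events against an external indicator feed, and a behavioural check that flags internal hosts contacting a destination at near-constant intervals (beaconing), which needs no prior signature. The log format, the feed contents and the thresholds are assumptions for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log lines: "<epoch seconds> <internal src> <external dst> <port>".
# Not real traffic; the host 10.0.0.5 is made to contact 198.51.100.9 every 60 seconds.
SAMPLE_LOGS = """\
1700000000 10.0.0.5 198.51.100.9 443
1700000060 10.0.0.5 198.51.100.9 443
1700000120 10.0.0.5 198.51.100.9 443
1700000180 10.0.0.5 198.51.100.9 443
1700000240 10.0.0.5 198.51.100.9 443
1700000300 10.0.0.5 198.51.100.9 443
1700000010 10.0.0.8 203.0.113.77 80
1700000000 10.0.0.12 192.0.2.40 443
1700000045 10.0.0.12 192.0.2.40 443
1700000200 10.0.0.12 192.0.2.40 443
1700000230 10.0.0.12 192.0.2.40 443
1700000600 10.0.0.12 192.0.2.40 443
"""

# Constructed external intelligence feed (hypothetical indicator list, layer 3 input).
INTEL_FEED = {"203.0.113.77"}


def parse(lines):
    """Turn raw log text into (timestamp, src, dst) tuples, skipping malformed lines."""
    events = []
    for line in lines.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].isdigit():
            events.append((int(parts[0]), parts[1], parts[2]))
    return events


def correlate(events, feed):
    """Signature view: internal events whose destination is in the external feed."""
    return sorted({(src, dst) for _, src, dst in events if dst in feed})


def beaconing(events, min_count=5, max_cv=0.1):
    """Behavioural view: src->dst pairs seen at least min_count times with a
    coefficient of variation of the inter-contact gaps at or below max_cv."""
    by_pair = defaultdict(list)
    for ts, src, dst in events:
        by_pair[(src, dst)].append(ts)
    hits = []
    for pair, times in by_pair.items():
        if len(times) < min_count:
            continue
        gaps = [b - a for a, b in zip(sorted(times), sorted(times)[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append(pair)
    return sorted(hits)
```

In the sample data the feed match and the beaconing host are different machines, which is the point: the second would be missed by a feed-only approach.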
Layer 4 is the national cyber layer, an essential component of the strategy to join up Government and industry security operations centres (SOCs) to provide tip-offs, alerts and intelligence in real time.
Moves to establish such a network are only just beginning although, in the US, the DoD's Defense Industrial Base Program is already in place and providing such a service to relevant companies. This will add another layer to the defence of critical national systems.
If all these elements are integrated into a holistic security architecture, with managed information flows between them, this can provide the defence in depth needed to reduce the probability of successful attacks, even by the most sophisticated adversaries.
Nick Hopkinson was formerly CIO at GCHQ. He is now cyber security director at CSC, an IT services company providing cyber security solutions for business.