Data breaches occur because of network “blind spots,” or parts of an IT infrastructure too difficult to monitor. Many organizations focus on perimeter security that protects their networks from outside threats, but ignore activity on their internal LANs. This oversight results in untracked traffic flows, or conversations, on different parts of the network.
Putting the internal threat in context, Forrester found in 2013 that 36 percent of data breaches came from inadvertent misuse of company data by employees. One common blind spot is if a disgruntled employee uploads confidential information to databases outside the organization – once discovered, the damage has already been done.
Quite simply, you can’t protect what you can’t see. But what if you could see that unauthorized upload, and stop that data breach as it occurs? It’s possible through defense in depth, a security posture that has multiple redundant layers that monitor and protect an entire network. Let’s examine five components of a strong defense in depth approach that can protect your data and offer a better view of your IT environment.
Building a strong defense in depth posture
Read the traffic patterns. To achieve complete visibility, IP traffic flows should be monitored at the enterprise edge firewall, at the internal network, and at all endpoints. Most routers, switches, and firewalls from the major vendors (Cisco, HP, and Juniper, to name a few) are capable of logging information flows, but that information is often unmanaged or ignored. Monitoring and analyzing these data flows and conversations gives IT the ability to measure all activity on the network and find additional blind spots and weaknesses. Deploying your current assets as a Network as a Sensor (NaaS) is the beginning of a defense in depth approach to security.
Set activity baselines. By using existing equipment for NaaS, IT can establish baseline policies of traffic flows and data consumption for every type of employee within an organization. For example, a payroll clerk works with small, but important, chunks of data. If the network sees that payroll clerk uploading huge swathes of data to another server, it can notify IT to the unusual activity. These baseline policies strengthen the security posture by looking for the outliers on the network.
Enforce those limits. NaaS can also morph into Network as an Enforcer (NaaE). Once IT sets policies, the NaaE acts on those baselines to stop breaches before they’re carried out. This is a complex system of network controls and reactions, but it’s a simple idea: Once the NaaE sees a baseline has been compromised, it acts as a behavior analyst, finding the source of that infraction and shutting down access or blocking data delivery, based on what’s written in the policy.
An example of this is Lancope’s Stealthwatch system. Recently purchased by Cisco, Lancope is capable of detecting unusual activity on a network and then accelerating incident reports and shutting down areas of the network to reduce organizational risk. Back to that payroll clerk – if a NaaE system, like Stealthwatch, sees a baseline is being breached, it can enforce the policy, which could knock the user off the network for a short time as IT investigates.
Beef up other security. We’re talking about defense in depth, but NaaS and NaaE solutions may be too complex or costly for some organizations. Security is a crowded space (that’s a good problem to have), so organizations can also invest in security information and event management (SIEM) systems like Splunk, Next-Generation Firewalls (NGFWs), application-based firewalls, and plenty of other intrusion prevention systems. If there are any gaps in your defense, consider upgrading with a stronger component that provides a broad defense in depth posture.
Be proactive, and trade up and upgrade. The threats IT faces are more complex than a decade ago, but many organizations are still running non-NGFWs and outdated systems. Hardware and software refreshes running the newest technology will immediately improve defense in depth. Plus, new solutions that are application-based systems will allow IT to tailor security to fit the needs of your organization.
Security isn’t just the moat
A moat may have been great security against invading attackers, but it didn’t stop a Trojan horse. It’s true that stopping threats at the perimeter is easier, and less costly, than a full security environment. But visibility into the entire IT environment will improve your defense in depth, and that visibility will help protect your organization from internal threats and data breaches.
IT should strive for a strong defense in depth approach, and it starts with identifying your blind spots. That may be harder said than done, but improving your IT environment will tighten up security from external threats and on the LAN, and will stop breaches before they can occur. IT can do that by employing some all-encompassing solutions, like Stealthwatch, but replacing old equipment and upgrading software will also round out a strong defense in depth program.
If you have questions about defense in depth, contact your SHI account executive.