Defense in Depth, Part 1: The risk of advanced threats
Melissa Stevens | Tags: ibmsecurity, advanced-threats, network-security, security, security-intelligence
This post was contributed by Nick Harlow, Product Manager - Server Security and Security Content Analysis for IBM Security.
Today’s complex information technology (IT) environments consist of many systems, connected to serve the needs of a given organization. In order to bring order and governance to this complexity, IT architects often organize these environments around the concept of layers. A typical multi-layered IT architecture might include the following layers: network perimeter, edge systems, and core business systems. These core business systems can include both employee workstations and critical servers running internal as well as customer-facing applications.
In the recent past, it was reasonable to secure an environment such as this with a network firewall around the perimeter and an anti-malware agent installed on key systems. This approach would allow the organization to block traffic on unnecessary network ports and detect malware infections. Such a relatively shallow approach provides some level of protection from external threats, but it permits only a single security policy for all systems within the network perimeter, because the perimeter firewall is the only enforcement point. We can characterize this approach as “hard on the outside, soft on the inside.”
This approach is insufficient to address security challenges in the current environment. In recent years, attackers have become increasingly technically sophisticated and well-funded. Gone are the days when a malicious attacker was a programming enthusiast exploring systems out of curiosity or mischief. More often, today’s attacker is highly motivated and well funded by either a criminal organization or, in some recent cases, a rogue nation state. Frequently, they target an organization specifically: breach its defenses undetected, gather information about the environment quietly for a period of months or years, and then orchestrate a coordinated, custom attack to steal valuable information, disrupt operations, or both. In some cases, such as 2010’s Stuxnet attack and its recent variant Flame, the goal was to disable or destroy physical systems thought to be highly secure behind many layers of defense. Often these attackers construct custom malware to exploit a previously undisclosed software vulnerability, in which case traditional signature-based anti-malware is useless. This phenomenon has come to be known as the Advanced Persistent Threat.
The tough-exterior/soft-interior approach described above has an additional drawback: it does nothing to counter the threat posed by malicious or careless insiders. Insiders can pose a threat by acting in ways that heighten the organization’s risk profile. A careless insider might install unapproved applications that open the IT environment up to a breach. Similarly, a malicious insider, such as a disgruntled employee, could deliberately sabotage the organization’s systems.
Clearly, the IT security landscape has grown significantly more dangerous in recent years, leaving many organizations at elevated risk of attack. In the second installment of this series, we will explore in detail how defense in depth can help to meet the security challenges organizations face now and in the years to come.