The traditional notion of blocking cyber threats from entering the network needs an overhaul, according to some security experts.
In the last few years it has become very clear that attackers have become very adept at getting past network defenses, so IT departments should focus instead on dealing with threats once they are inside the network, according to Dave Merkel, chief technology officer of cyber security firm FireEye Inc. These so-called advanced persistent threats (APTs) are also often carried out by state-sponsored groups that target commercial, government and military systems.
The old strategy of knowing what malicious code looks like in order to prevent it from getting into your system no longer works, he said in a recent interview with CIO Today.
Having a firewall is much like having a fence for a housing complex but not having a guard to watch the inner streets, said Ed Amoroso, chief security officer of AT&T.
Of course this doesn’t mean that perimeter defenses will become irrelevant. However, this shift in strategy places the emphasis on network monitoring: knowing what’s happening inside the corporate environment becomes more critical, and it lets security teams lay traps for intruders who are already in.
For example, FireEye (NASDAQ: FEYE) estimates that on average attackers lie in wait inside a victim’s computer system for about 230 days without being detected. In the recent breach of Anthem Inc., in which the personal information of some 80 million customers of the U.S. healthcare provider was accessed, it is believed that hackers had been inside the system for more than a month.
In the Sony Pictures hack late last year the intrusion went unnoticed until the system was crippled and massive amounts of data were exposed.
Merkel said there is now a growing awareness in North America and Asia of automated programs that scan and monitor for unusual network activity, as well as of encryption tools and software that segregates sensitive data into domains that require special credentials to access.
South Korean computer security company Cuvepia Inc. provides an example of how the new watch-don’t-block strategy works.
Kwon Seok-chul, the company’s CEO, said Cuvepia’s latest monitoring tool keeps a log of all network activity and divides it into activity from authorized users and activity from potential attackers. The system sounds an alarm when the parameters for a potential attack are triggered.
He said in one case a company’s security team watched for about an hour as a hacker scanned its network and installed tools to disable passwords and bypass antivirus programs. The team eventually cut the attacker’s connection to the system based on the unique ID that Cuvepia’s software showed for the program the hacker was using.
“Because the hackers are in your palm, you can enforce any measure that you want,” said Kwon.
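The article describes Cuvepia’s tool only in outline: log everything, tag activity as authorized or not, alarm when an attack pattern is matched. The script below is an added example of that watch-don’t-block loop, not Cuvepia’s product or any code from the article. It reads constructed flow records (a timestamp in seconds, source host, account name, destination host and destination port), retains every event regardless of who generated it, tags each one against a hypothetical list of authorized accounts, and raises one alert per source that touches more than a threshold of distinct destination ports inside a sliding time window, the classic signature of the network scan described in the Cuvepia incident. The account names, hosts, thresholds and log format are all assumptions made for the example.

```python
"""Toy 'watch, don't block' network monitor (added example, not Cuvepia's code)."""
from collections import defaultdict, deque
from dataclasses import dataclass

# Assumption: the accounts the organisation considers authorized.
AUTHORIZED_USERS = {"alice", "bob"}

# Detection parameters (assumed): alert when one source contacts more than
# SCAN_PORT_THRESHOLD distinct destination ports within SCAN_WINDOW_SEC seconds.
SCAN_PORT_THRESHOLD = 10
SCAN_WINDOW_SEC = 60


@dataclass(frozen=True)
class Flow:
    ts: int      # seconds since start of the capture (constructed timestamps)
    src: str     # source host
    user: str    # account tied to the source, "-" when none is known
    dst: str     # destination host
    dport: int   # destination port


def parse_flow(line: str) -> Flow:
    """Parse one constructed log line of the form '<ts> <src> <user> <dst> <dport>'."""
    ts, src, user, dst, dport = line.split()
    return Flow(int(ts), src, user, dst, int(dport))


class Monitor:
    def __init__(self):
        self.log = []                        # every event, authorized or not, is kept
        self.alerts = []                     # one alert per offending source
        self._recent = defaultdict(deque)    # src -> (ts, dport) pairs inside the window
        self._alerted = set()                # sources already reported

    @staticmethod
    def classify(flow: Flow) -> str:
        """Tag activity the way the article describes: authorized user or potential attacker."""
        return "authorized" if flow.user in AUTHORIZED_USERS else "potential_attacker"

    def observe(self, flow: Flow) -> None:
        tag = self.classify(flow)
        self.log.append((flow, tag))         # watch: nothing is dropped or blocked here

        window = self._recent[flow.src]
        window.append((flow.ts, flow.dport))
        while window and flow.ts - window[0][0] > SCAN_WINDOW_SEC:
            window.popleft()                 # expire events older than the window

        distinct_ports = {port for _, port in window}
        if len(distinct_ports) > SCAN_PORT_THRESHOLD and flow.src not in self._alerted:
            self._alerted.add(flow.src)
            # The tag is carried into the alert: a compromised authorized
            # account scanning the network still trips the same parameter.
            self.alerts.append({"ts": flow.ts, "src": flow.src, "tag": tag,
                                "distinct_ports": len(distinct_ports)})

    def summary(self) -> dict:
        """Count retained events by tag."""
        counts = defaultdict(int)
        for _, tag in self.log:
            counts[tag] += 1
        return dict(counts)


# Constructed sample: two authorized users doing routine traffic, and an
# unknown host sweeping twelve ports on a domain controller within 12 seconds.
SAMPLE_LOG = """\
0 10.0.1.10 alice fileserver 445
5 10.0.1.11 bob mail 993
10 10.0.1.10 alice intranet 443
100 10.0.5.77 - dc01 22
101 10.0.5.77 - dc01 23
102 10.0.5.77 - dc01 80
103 10.0.5.77 - dc01 135
104 10.0.5.77 - dc01 139
105 10.0.5.77 - dc01 443
106 10.0.5.77 - dc01 445
107 10.0.5.77 - dc01 1433
108 10.0.5.77 - dc01 3306
109 10.0.5.77 - dc01 3389
110 10.0.5.77 - dc01 5900
111 10.0.5.77 - dc01 8080
120 10.0.1.11 bob intranet 443
"""


def run(log_text: str) -> Monitor:
    """Feed every line of a log to a fresh Monitor and return it."""
    monitor = Monitor()
    for line in log_text.splitlines():
        if line.strip():
            monitor.observe(parse_flow(line))
    return monitor


if __name__ == "__main__":
    m = run(SAMPLE_LOG)
    print("events by tag:", m.summary())
    for alert in m.alerts:
        print("ALERT", alert)
```

The alert fires on the eleventh distinct port (at ts 110), and the offending source identifier is what an operator would use to decide when to sever the session, as the team in the article did. Everything before and after the alert stays in the log, so the analyst can replay the full hour of reconnaissance rather than just the moment the alarm went off.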