It’s an increasingly challenging world for IT security professionals. Yet those who ensure they’re deploying the right mix of network monitoring and threat mitigation solutions and focus on continuing their employee education efforts have the best chance of keeping their networks secure.
Those were the key takeaways from a morning of presentations by IT security leaders at the CDW Protect SummIT in Philadelphia.
“There’s more and more of a thin line between what’s legit and what’s not,” said G. Mark Hardy, president of the National Security Corporation, a security consulting firm.
He led audience members through a typical phishing attempt, one masked as an email from a seemingly highly credentialed professional. The security professionals in attendance knew better. However, Hardy said, “You think other people don’t click on those things? At some point, they do.”
If there was any doubt that threat actors are working harder and getting smarter, Chris Kachigian soon erased it. Kachigian, senior director of global solutions architecture at cybersecurity firm CrowdStrike, presented the results of his company’s “2019 Global Threat Report,” which found, among other things, that organizations around the world are generating 280 billion cybersecurity events a day, nearly 2 trillion per week, or roughly 3.2 million per second.
“Attackers only need to find one way in,” Hardy said. “Doesn’t sound very fair, does it?”
What Is a Zero-Trust Network?
Among security professionals, the increasing interest in developing “zero-trust” networks is part of the response to the growing threat. Zero trust is a security model that requires strict identity verification for every person and device that seeks access to a resource, regardless of where they sit in relation to the network perimeter.
“Here’s how I describe zero trust to people who don’t know,” said David Lewis, global advisory CISO for Duo Security, a Cisco brand, as he showed a slide with a photo of a burning house. “It’s very simple: Everything’s on fire.”
Although many technology providers offer solutions that they claim are essential to moving toward a zero-trust network, the model itself does not demand any specific technology solution. Rather, it’s an approach to cybersecurity that many believe is critical to ensuring maximum network protection.
“When we look at zero trust, we’re really talking about things we should have been doing for 30 years,” Lewis explained. “We’re talking about network segmentation, inventory management and so on.”
That is not to say that a zero-trust model is nothing more than a new way of describing the process of following best practices. It’s a process — often a long one — that requires rethinking how networks are configured, how executives and IT teams think about security, and how employees work.
It requires multifactor authentication as standard and a new understanding of what’s meant by perimeter security — and even what the perimeter itself is. “The perimeter is anywhere an access decision is being made, and we need to remember that,” Lewis said.
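The following Python sketch is an added illustration of the access decision described above; it is not code from the talk, from Duo Security or from any vendor. It contrasts a perimeter-style decision, which trusts any request arriving from an internal address, with a deny-by-default zero-trust decision that checks the caller's identity, a second factor, device inventory and posture, and a per-resource entitlement on every request, so the source address plays no role. The network range, device inventory, entitlement table and sample requests are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed for this example: the "inside" range a perimeter model would trust.
INTERNAL_NET = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class AccessRequest:
    user: Optional[str]       # authenticated identity, None if no valid session
    mfa_passed: bool          # second factor verified for this session
    device_id: Optional[str]  # identifier from a managed-device certificate
    src_ip: str
    resource: str
    action: str


# Hypothetical device inventory and entitlement table (assumptions, not real data).
MANAGED_DEVICES: Dict[str, Dict[str, bool]] = {
    "lap-0042": {"disk_encrypted": True, "patched": True},
    "lap-0099": {"disk_encrypted": True, "patched": False},
}
ENTITLEMENTS: Dict[str, set] = {
    "alice": {("payroll-db", "read")},
    "bob": {("wiki", "read"), ("wiki", "write")},
}


def perimeter_decision(req: AccessRequest) -> bool:
    """Classic model: whatever is already inside the network is trusted."""
    return ip_address(req.src_ip) in INTERNAL_NET


def zero_trust_decision(req: AccessRequest) -> Tuple[bool, List[str]]:
    """Deny by default. Every request must present a verified identity with a
    second factor, come from a known device in good standing, and be entitled
    to the specific resource and action. The source address is never consulted."""
    reasons: List[str] = []
    if req.user is None:
        reasons.append("unauthenticated")
    elif not req.mfa_passed:
        reasons.append("mfa required")

    device = MANAGED_DEVICES.get(req.device_id or "")
    if device is None:
        reasons.append("unknown device")
    elif not (device["disk_encrypted"] and device["patched"]):
        reasons.append("device posture failed")

    if req.user is not None and (req.resource, req.action) not in ENTITLEMENTS.get(req.user, set()):
        reasons.append("not entitled")

    return (not reasons, reasons)


# Constructed sample requests covering the cases the two models disagree on.
SAMPLE_REQUESTS: Dict[str, AccessRequest] = {
    # Inside the network but with no session and an unmanaged device.
    "insider_unauthenticated": AccessRequest(None, False, None, "10.20.30.40", "payroll-db", "read"),
    # Remote user on a managed, healthy laptop with MFA, requesting what she is entitled to.
    "remote_alice": AccessRequest("alice", True, "lap-0042", "203.0.113.7", "payroll-db", "read"),
    # Entitled user, but the device has missed patches.
    "bob_unpatched": AccessRequest("bob", True, "lap-0099", "10.1.2.3", "wiki", "write"),
    # Authenticated user asking for an action she is not entitled to.
    "alice_overreach": AccessRequest("alice", True, "lap-0042", "10.1.2.3", "payroll-db", "write"),
}


def evaluate_all() -> Dict[str, Tuple[bool, Tuple[bool, List[str]]]]:
    """Return (perimeter verdict, zero-trust verdict) for every sample request."""
    return {name: (perimeter_decision(r), zero_trust_decision(r)) for name, r in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, (perim, (zt_ok, why)) in evaluate_all().items():
        print(f"{name:24s} perimeter={'allow' if perim else 'deny':5s} zero-trust={'allow' if zt_ok else 'deny':5s} {why}")
```

The perimeter model gets the first three cases wrong in both directions: it lets the unauthenticated insider and the unpatched laptop through because they are on a 10.x address, and it turns away a fully verified user because she is remote. The zero-trust function makes the same decision wherever it is called from, which is the practical meaning of "the perimeter is anywhere an access decision is being made."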
For these reasons, Lewis advises companies embarking on a transition to zero trust to ready themselves for the long haul — even Google took seven years to complete its transition — and to set realistic interim goals for themselves. Moreover, businesses should refrain from thinking about zero trust as merely another solution acquisition process.
“Don’t go to a vendor and say, ‘We heard about zero trust, where do we go from here?’” Lewis said. “Do your homework before you talk to one of us.”
Nation-State Threat Actors Are Growing
Kachigian noted that CrowdStrike’s research suggests good news and bad news for security teams. The bad news is that globally, state-sponsored cyberattacks — and the sophisticated tactics they usually entail — are growing rapidly. Russia has been especially active and is the world’s leader in devising attacks that move through networks quickly after initial penetration, with an average “breakout time” of under 19 minutes.
The good news is that breakout time is, on the whole, growing, which gives defenders more time to respond before an intruder moves laterally. The overall average breakout time in 2018 was more than 4 hours and 30 minutes, Kachigian said, ample time for organizations to slow and ultimately thwart attacks after the initial intrusion.
“We recommend that organizations strive to follow what we call the 1-10-60 rule,” he said, meaning that an attack should take no longer than 1 minute to detect, 10 minutes to investigate and 60 minutes to contain and remediate.
“If you can get everything contained and remediated within that first 60 minutes, you can stop virtually every attack,” he said.
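As an added worked example, not from the talk or from CrowdStrike, the Python below measures the three 1-10-60 phases and the breakout time from an incident timeline, and flags whether the intrusion was contained before the attacker moved laterally. The timelines are constructed, and the phase boundaries are an assumption for the example: detection is measured from initial access to the first alert, investigation from that alert to triage completion, and containment from triage completion to the containment action. An incident with no containment event yet is reported as failing rather than guessed at.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

Event = Tuple[str, str]  # (ISO 8601 UTC timestamp, event kind)

# Constructed incident timelines for the example; not data from the report or the talk.
INCIDENTS: Dict[str, List[Event]] = {
    # Alert within a minute, triage under ten, contained under an hour, yet the
    # attacker still broke out ten minutes in: 1-10-60 met, race to breakout lost.
    "fast-response": [
        ("2019-03-04T09:00:00Z", "initial_access"),
        ("2019-03-04T09:00:45Z", "alert"),
        ("2019-03-04T09:08:10Z", "triage_complete"),
        ("2019-03-04T09:10:00Z", "lateral_movement"),
        ("2019-03-04T09:41:00Z", "contained"),
    ],
    # Breakout at 18 minutes; the first alert arrives hours later.
    "slow-response": [
        ("2019-03-05T02:00:00Z", "initial_access"),
        ("2019-03-05T02:18:00Z", "lateral_movement"),
        ("2019-03-05T06:00:00Z", "alert"),
        ("2019-03-05T07:15:00Z", "triage_complete"),
        ("2019-03-05T08:30:00Z", "contained"),
    ],
    # Still open: triaged but no containment recorded yet.
    "still-open": [
        ("2019-03-06T14:00:00Z", "initial_access"),
        ("2019-03-06T14:00:30Z", "alert"),
        ("2019-03-06T14:05:00Z", "triage_complete"),
    ],
}

# The 1-10-60 thresholds as stated in the talk.
THRESHOLDS: Dict[str, timedelta] = {
    "detect": timedelta(minutes=1),
    "investigate": timedelta(minutes=10),
    "contain": timedelta(minutes=60),
}


def parse_ts(ts: str) -> datetime:
    # strptime rather than fromisoformat so the trailing "Z" parses on Python < 3.11.
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def first_of(events: List[Tuple[datetime, str]], kind: str) -> Optional[datetime]:
    """Earliest timestamp of the given event kind, or None if it never occurred."""
    times = [t for t, k in events if k == kind]
    return min(times) if times else None


def phase_durations(events: List[Event]) -> Dict[str, object]:
    """Compute detect/investigate/contain spans, breakout time, and whether
    containment landed before the first lateral movement. Missing phases are None."""
    parsed = sorted((parse_ts(t), k) for t, k in events)
    t0 = first_of(parsed, "initial_access")
    alert = first_of(parsed, "alert")
    triaged = first_of(parsed, "triage_complete")
    contained = first_of(parsed, "contained")
    breakout_at = first_of(parsed, "lateral_movement")

    def span(a: Optional[datetime], b: Optional[datetime]) -> Optional[timedelta]:
        return (b - a) if a is not None and b is not None else None

    return {
        "detect": span(t0, alert),
        "investigate": span(alert, triaged),
        "contain": span(triaged, contained),
        "breakout": span(t0, breakout_at),
        "contained_before_breakout": (
            contained < breakout_at if contained is not None and breakout_at is not None else None
        ),
    }


def meets_1_10_60(d: Dict[str, object]) -> bool:
    """True only if every phase completed and each is within its threshold."""
    return all(d[p] is not None and d[p] <= limit for p, limit in THRESHOLDS.items())


def report() -> Dict[str, Tuple[bool, Dict[str, object]]]:
    return {name: (meets_1_10_60(d), d) for name, d in ((n, phase_durations(e)) for n, e in INCIDENTS.items())}


if __name__ == "__main__":
    for name, (ok, d) in report().items():
        print(f"{name:14s} 1-10-60={'met' if ok else 'missed'}  "
              f"detect={d['detect']} investigate={d['investigate']} contain={d['contain']} "
              f"breakout={d['breakout']} contained_first={d['contained_before_breakout']}")
```

The first timeline is the one to notice: the team meets 1-10-60 comfortably, but against a sub-19-minute breakout the attacker had already moved laterally by the time triage finished. That is why the talk's 60-minute containment target and the breakout figures belong together; meeting the rule is the floor, and the containment clock should be compared against the fastest breakout times seen, not only against the thresholds.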
Check out our event page for more articles and videos from the CDW Protect SummIT.