The New York Times recently published an article, “Hacked vs. Hackers: Game On,” discussing the current state of network security, and in it made a couple of interesting points about the prevalence of breaches, the need for federal regulation, and how current network defense technology is failing.
While I agree that better defenses are needed because traditional detect-and-prevent solutions aren’t doing enough, I don’t agree that a better solution isn’t out there. But as long as there is money to be earned, attackers will not stop conjuring new methods of attack, making security a constant battle. The winners in this sphere will be the ones who are innovating security measures at an equally rapid rate.
If there is no silver bullet, traditional firewall and antivirus technology are like rubber bullets. To be fair, many companies realized this years ago and have already switched to next-generation enterprise security technology, deployed sandboxes, and have turned up the dial a couple of notches on their IT security and remediation teams. Customers of web applications, particularly those with enterprise contracts, are demanding safer products, 3rd party penetration testing, and brisk vulnerability remediation time.
However, while much progress has been made in the past few years, there is still a gaping hole where network security is concerned because even most next-generation security technology isn’t doing enough to keep up with determined attackers. Detection-focused technologies are great at detection, but costly and slow when it comes to prevention. Stand-alone, point solutions are great at preventing attacks whose delivery methods are primitive or well known, but are no match for advanced threats. Stateful, next-generation solutions are great at identifying traffic with certain protocols on certain ports, but are blind when it comes to the evasive maneuvers of clever attacks.
To echo the New York Times, “patch and pray” is not a good security strategy — for some it isn’t a strategy, period. Upgrading to the latest, patched version of an application is a luxury not available to enterprises that can’t afford even a few seconds of system downtime. Even when upgrades are done diligently, organizations are still at the mercy of their vendors. If the vendor doesn’t deem a vulnerability a priority, it’s not getting fixed. Likewise with deployed security devices, too many alerts or false positives thwart any kind of timely preventive or remediable reaction.
Securing a network — really securing it, not just checking off boxes on someone else’s to-do list — requires deep understanding of how attacks are delivered, and security components deployed at each step within that delivery chain. Those components must be closely integrated with each other so the data they supply gives a complete picture of who, what, when, where, why, and how an attack was launched. Only then can security professionals can begin to think about and plan their network defenses more strategically.
Palo Alto Networks is and has been thinking this way for years, and it’s in this aspect that our story diverges from the rest of the “next-generation security” pack. We built a platform that extends its protections against advanced threats to data centers, public and private clouds, and endpoints — both in-office and mobile. Customers have our exhaustive threat intelligence to rely on, and are backstopped by one of the industry’s best support organizations. We live and breathe “prevention” because we know how important network, data, and cybersecurity is, even if the rest of the world is stuck on “detect and remediate.”
There is definitely some truth to the premise that a catastrophic event with severe physical destruction or loss of life must occur in order to get the proper amount of attention cybersecurity needs. There aren’t any recorded deaths as a result of a cyber attack — and, gawd, I hope it never comes to that — but the potential for death and destruction is staring us in the face. But the other piece necessary for garnering deserved attention is making sure the public really understands what a cyber attack is — the how, what, who, and why important in grasping any complex concept.
The public is somewhat shielded from the gritty reality of cyber crime, primarily because it requires some technical knowledge, but also because what business in their right mind would want to admit details of their failings after a particularly dangerous breach in a way that the masses would understand? Breaches mean headlines, and as we’ve seen this past year, headlines for breaches mean C-level executives lose their jobs and business their reputations.
When the federal government finally does step in and start regulating data security and breach handling — which is where I’m certain we’re headed — the sense of urgency associated with security will naturally increase, and liability will be very clear-cut.
Until then, it’s up to us, the security vendors to admit traditional technologies aren’t doing enough, that there are gaps. But it’s one thing to be realistic about the state of security, or lack thereof, and another to admit defeat and say it can’t be done.
I’ve seen the havoc a breach can wreak not just on the business but on the lives and livelihoods of the everyday people who are at the ultimate receiving end any attack. This is why I think working in security is important. At the end of the day, it’s about preventing attackers from targeting my family, my friends, my country, and the technology and ideas that will ultimately make the world better.
I know this problem can be solved, and I know that Palo Alto Networks is solving it. Head here to read about our Enterprise Security Platform, which fills the gaps, intelligently fortifies network defenses, and takes a preventative approach protecting businesses and governments from advanced threats.