(Ed: Keep reading to the end as there is a challenge being offered to any doubters)
I just finished reading an article by Infosecurity Magazine and I guess I have to say that I am somewhere between stunned / shocked /amused, and not at all surprised at the content. Apparently, the magazine polled 1,000 global IT leaders and asked them if “their perimeter security was effective in keeping unauthorized users out of their network”. Apparently, 94% of these IT leaders feel their perimeter security IS effective. In the UK, this number climbs to 96%, with a whopping 58% feeling “extremely confident” in the strength of their perimeter.
Now to be fair, the article also says that another finding of the research was that “68% of respondents claimed that unauthorized people could access their network”. So now I am confused. Confident in their perimeter security while unauthorized people are accessing their network. Hmmmm.
After laughing for a while, I had to stop and think….is this so unusual? Isn’t this the whole reason that we hear about breach after breach after breach every single day? Isn’t this overconfidence (or ignorance, or gross negligence, or whatever you want to call sticking your head in the sand like an ostrich) why enterprise organizations are constantly under attack?
How can any organization of size be “extremely confident” that their perimeter security will save them?
Perhaps there are a couple obvious answers:
(1) The IT leaders do not know if they have been breached. I am quite sure there are a lot of IT leaders in this category. I have met many of them and they spout the “it hasn’t happened to us” or “it hasn’t hurt us so far” mantra.
Since the average malware dwell time in the network sits somewhere between 3 and 6 months (and over a year in the EMEA region), this would seem to be an accurate observation. Furthermore, I am not sure they have the tools to actually hunt down the malware that hides in the network, so even if they wanted to know if they were breached, it would be a challenge.
(2) They aren’t acknowledging (or don’t know) that perimeter security is only a very minor part of the overall picture. Like any successful business structure, proper IT security consists of people, process and controls….and when I say controls, I am talking about a VERY layered set of technologies that have been properly configured to take into account both what it is they are defending (e.g. financial data in a database) and how it impacts their business operations.
Security controls MUST be fully aware of the environment they protect. At a minimum, they must watch both network communications and endpoint behavior. IT Sec teams must have the tools necessary to ensure that they do not normalize deviancy in the network. Identify the suspicious and confirm it so you have high confidence in your response.
Furthermore, and this is just talking about the perimeter that makes these people so comfortable, they must treat every single incoming communication as a potential attack against their network. As one example, if these IT leaders do not neutralize EVERY SINGLE incoming email (including the neutralization of active content in attachments and embedded links) then they do not even have perimeter security. Approximately 94% of all cyber attacks come in through email. So if you don’t thoroughly inspect and neutralize it all with CDR, then you don’t really have a perimeter.
Anyhow, perhaps these IT leaders were misquoted or their answers were taken out of context, but I am not so sure. I suppose time will tell if they become the next headline.
So, as a challenge to any IT leader who believes their network is malware-free and they have not yet been breached (possibly because of exceptional perimeter security), CyberHunter Solutions will perform a forensic endpoint investigation of up to 100 Windows or Linux endpoints at no cost. If you are lucky enough to get a clean bill of health for your network, then you will have the evidence to prove you are doing a great job! However, you may be quite surprised at what you find hiding inside your enterprise.
