The UK Government recently boasted that it will be spending £850 million on "cutting edge capabilities" in the fight against cyber-crime. While I'm sure most UK companies will welcome any government help, it's not the amount of money you throw at the problem but how it is used. On hearing the words "cyber-crime" many people conjure up visions of highly-skilled hackers hired by nefarious nation states tasked with breaking into complex systems for financial gain. These days they are more likely to be foreign nationals working for sophisticated criminal enterprises as opposed to tech-savvy kids hacking into networks for fun, but ultimately, organizations are still in the position of having to 'lock all the doors and windows' to prevent compromise form occurring. Sadly, despite significant investments in "Defense in Depth" security, all too often, networks remain shockingly open to security attacks and opportunistic hacks in ways that don't require much sophistication to break into.
One major reason is a combination of complexity and the high rate of network changes many organizations experience. In fact, complexity is the best friend of a hacker - the more complicated a system is, the more difficult it will be to seal it hermetically. Unfortunately, today's computer networks are extremely complex and it's only getting worse. Take virtualized or cloud-based servers. Often they have looser security standards and controls than internal networks. In a lot of cases, security people don't manage all aspects these servers so struggle to quickly regain control in the event of an intrusion.
Add to that a hacker's other friend - change - and you've got not only a window but a revolving back door open to your network. Even if a network was perfectly secure at some point, subsequent changes will increase the chances of a vulnerability that exposes it to intruders All should be approved, tested and logged, but in a busy IT department this doesn't always happen.
So, what's the remedy? Before spending millions to protect against sophisticated attacks, companies first need to take care of the low hanging fruit. This includes segmenting networks in a way that maximizes security and ensuring that traffic logging, provided by the good old network firewall or its more recent evolution - the next-generation firewall - is on at all times. Splitting your network into sub-networks will not only boost performance but also improve security by containing network attacks to a local network. And not to mention that it makes it harder for your network to be viewed from the outside world. Similarly, network logging, the process of storing critical information about network events, offers an important tool to categorize network failures and issues. Real-time, automated log-based intrusion detection and analysis tools will help capture network activity from areas like routers, servers, terminals and access points and make it much simpler to diagnose where attacks are coming from.
Because networks are so dynamic, the next step is to put a repeatable change process in place that includes automation, risk analysis and an exhaustive audit trail. Networks are complex systems with a lot of interdependence. An effective network automation solution helps network owners take a holistic approach and implement security changes across multiple subnets and technologies from different vendors with minimal human intervention. It also enables a best practice by automatically logging security changes so requests to approve or deny network access can be recorded to ensure you not only stay in control but deliver continuous compliance.
In conclusion, investing in keeping the doors locked will undoubtedly help keep the threats out, but today's networks have so many doors that without automation, it is more than likely that one will end up open. However, unlike most door locks, in network security you CAN and should have an automated solution, one that will control all your locks (i.e. multi-vendor), enable standard, customizable change processes, and offer continuous monitoring and alerts of unauthorized or risky changes.