This post is written by Nick Harlow, Product Manager - Server Security and Security Content Analysis for IBM Security.
In part one of this series, we defined the term advanced persistent threat and outlined the threats organizations face today from both increasingly sophisticated attackers and careless or malicious insiders. We also saw how traditional IT security approaches leave organizations exposed in this more dangerous IT security landscape. In this installment, we examine how defense in depth provides a multi-layered approach to security that gives organizations both the flexibility to operate as needed and the ability to reduce their exposure to the serious business and IT security risks posed by advanced attackers.
In order to address the threat from advanced malicious attackers and insiders, organizations should take the following steps:
- Author and enforce sufficiently strong security policies at all critical points of the IT infrastructure.
- Ensure complete visibility of the environment from the physical facilities, to the network perimeter, and down to the host OS, file system, and application layer.
- Continuously monitor the environment for anomalous behavior and take appropriate actions when this behavior is detected.
We can refer to this approach to IT security as defense in depth. At the network layer, defense in depth means not only blocking unwanted traffic using a firewall, but also inspecting both ingress and egress network traffic on otherwise legitimate communications channels. Attackers use common protocols and open ports to hide attack traffic; the only way to detect it is to be able to see it, understand its context, and draw the correct conclusions from it. Solutions that deliver this visibility typically offer the following capabilities:
- Packet filtering -- Firewalls filter packets to block unwanted traffic
- Deep packet inspection -- Intrusion prevention systems inspect each network packet to detect network protocol vulnerabilities, malicious payloads, or attack signatures
- URL filtering -- Categorize URLs by content and disallow risky categories (e.g. erotic, software piracy)
- IP reputation and network geolocation -- Even legitimate IP addresses can be temporarily compromised, and attackers will use that window to attack a target system. IP reputation assesses the risk of a given address, while geolocation pinpoints the geographic origin of traffic.
Administrators can apply these technologies at the perimeter layer as well as the host network layer and use different policies with each in order to provide the level of flexibility, visibility and protection required at each point in the IT environment. However, defense in depth does not stop with the network layer. Organizations should have visibility at the operating system, file system, and application layer of their environments as well. Host security solutions can facilitate this by providing the following capabilities:
- OS and file system monitoring -- Enables detection of unwanted behavior by integrating with OS audit subsystems. In addition, this mechanism allows for the specification of critical or sensitive files to be monitored for unauthorized access.
- Antimalware -- Although many advanced attacks exploit zero-day vulnerabilities, antimalware can still provide some useful protection against known malware types.
- Device control -- Enforcing usage policy on devices such as printers and portable USB storage can help to stop unauthorized disclosure or theft of proprietary data.
- Data loss prevention -- Uses pattern matching to detect confidential or proprietary data both at rest and in transit and can block the transmission of these data accordingly.
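To make the layering concrete, here is an added example (not code from the original post or from any IBM product) that models the network-layer controls listed above plus the host-layer DLP check as independent inspection layers over a single flow record. The policies, hosts, addresses and the reputation feed are all constructed for illustration; the point it shows is that a flow on an open, common port passes the packet filter and is only caught by the deeper layers.

```python
import re
from dataclasses import dataclass

# Constructed, hypothetical policy data: not from the original post.
BLOCKED_PORTS = {23, 445}                      # packet-filter (firewall) policy
RISKY_URL_CATEGORIES = {"piracy", "adult"}     # URL-filter policy
URL_CATEGORY = {"updates.example.com": "software",
                "warez.example.net": "piracy"}  # hypothetical URL categorizer
IP_REPUTATION = {"203.0.113.9": "malicious"}   # hypothetical reputation feed
DLP_PATTERNS = {                               # patterns for data in transit
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
}

@dataclass
class Flow:
    """One observed egress connection (constructed sample record)."""
    dst_ip: str
    dst_port: int
    host: str = ""      # HTTP Host / TLS SNI, if visible
    payload: str = ""   # decoded application data, if inspection is possible

def packet_filter(f: Flow):
    return f"blocked port {f.dst_port}" if f.dst_port in BLOCKED_PORTS else None

def url_filter(f: Flow):
    cat = URL_CATEGORY.get(f.host)
    return f"risky URL category: {cat}" if cat in RISKY_URL_CATEGORIES else None

def ip_reputation(f: Flow):
    rep = IP_REPUTATION.get(f.dst_ip)
    return f"IP reputation: {rep}" if rep == "malicious" else None

def dlp(f: Flow):
    hits = [name for name, pat in DLP_PATTERNS.items() if pat.search(f.payload)]
    return "DLP match: " + ", ".join(hits) if hits else None

# Each layer is evaluated independently; none short-circuits the others.
LAYERS = [("packet filter", packet_filter), ("URL filter", url_filter),
          ("IP reputation", ip_reputation), ("DLP", dlp)]

def inspect(flow: Flow):
    """Return a list of (layer, reason) findings; an empty list means allowed."""
    findings = []
    for name, check in LAYERS:
        reason = check(flow)
        if reason:
            findings.append((name, reason))
    return findings
```

A flow to a known-bad address over port 443 carrying a social security number is invisible to the packet filter but is flagged by both the reputation and DLP layers, which is the visibility the post argues for.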
Today's complex, multi-layered IT environments face advanced, growing threats from motivated and sophisticated attackers. Failure to address this security and IT governance challenge effectively can result in disruption of operations, loss of productivity, dissipation of competitive advantage, embarrassing and expensive data breaches, and loss of revenue and customers. Defense in depth can significantly help to mitigate these risks. IBM Security Systems threat management solutions can help to provide defense in depth capabilities for today's IT environments while minimizing the cost and complexity of security. Also learn more about IBM's latest offering in Host Security.
Get more security news by following @IBMSecurity on Twitter.