Endpoint security and the Web security defenses protecting the endpoint are on the front lines in the battle against malware and targeted attacks attempting to gain access to corporate resources. Web security technologies are adapting to the growing use of cloud services and the explosion of mobile devices, which together have created a perimeter that is becoming more malleable every day. That digital fluidity is under attack by organized criminals in Eastern Europe, Russia, and China who are taking advantage of the growing complexity and strained security defenses.
These attackers seek account credentials, credit card data, healthcare information, and intellectual property. The stolen data enters the backbone of their operation, a place where organized cyber criminals have spared no expense to modernize their business operations. Criminal enterprises use integrated systems to support business intelligence and analytics to quickly examine, sort, and bundle the data. The goal is to fetch the highest price in underground hacking markets.
This strain on endpoint security requires a modern approach to risk mitigation supported by the creation of a unified defense strategy. The new approach combines network security infrastructure and endpoint security components to create agile defenses capable of sharing threat data to heighten situational awareness.
Overwhelming Delivery of Attacks via the Web
Attackers have their modernized back-end systems, but they continue to rely on time-tested attack techniques. A treasure trove of Web site vulnerabilities, weaknesses in content management systems, and flaws in Web browsers and browser components provides a low barrier to entry into the corporate network. The litany of high-profile data breaches continues because stolen account credentials and other personally identifiable data are reused in follow-on intrusions, so one incident cascades into the next. Attackers gain their advantage by combining vulnerabilities, configuration weaknesses, and human fallibility. Another factor, however, is the siloed security systems that defend corporate resources but remain isolated from the rest of the security infrastructure.
Meanwhile, security researchers have gained increased visibility into the constantly evolving threat landscape. Targeted attacks fueled by corporate espionage and state-sponsored activity are also often delivered via the Web. These attackers use tactics similar to those of financially motivated criminals, but their campaigns often consist of multiple stages and combine zero-day exploits and sophisticated malware that evade traditional defenses. The resources behind many of these attacks support reconnaissance activity and the ability to identify the best way to stealthily gain access to the network and maintain persistence for extended periods of time, leveraging hidden backdoor access to the victim organization. IDC surveys consistently found victim organizations were breached for weeks and months before law enforcement, a business partner, or customers informed the company of a problem.
There are countless examples of attacker sophistication associated with high-profile breaches. Some of the latest threats that are cause for concern are as follows:
- Ransomware: CryptoLocker, which was designed to encrypt system data and hold victims to ransom by extorting a fee for the decryption key, reaped millions of dollars from individuals and businesses in just a few short months. Copycat ransomware continues to be detected and can spread through drive-by attacks, links shared on social media sites, or malicious files hosted on popular SaaS services. This threat has raised awareness of the need for modern Web security defenses, a secure backup mechanism (offline or otherwise unreachable from the infected host, so the backups themselves are not encrypted), and a unified security infrastructure.
- Banking malware: Despite efforts by the financial industry to eradicate the notorious Zeus banking trojan family, the threat continues to be a problem to end users and businesses. Zeus is often seen as a consumer problem, stealing account credentials and draining the bank accounts of its victims. Recent law enforcement action highlighted the costly damage to businesses. Criminals took advantage of workers infected by the banking malware delivered via hijacked advertising networks, draining corporate accounts in days. Meanwhile, legitimate sites are becoming staging grounds for drive-by attacks, raising the risk of more employee infections by malware. Businesses are at risk if privileged users aren’t protected by Web security solutions and other controls.
Web Security: A Key Component of a Unified Security Architecture
As control of and visibility into corporate assets erode, much more attention is being paid to bridging the siloed security systems and creating a unified security infrastructure supported by a network security backbone. Security is being built into network infrastructure to support user authentication, manage privileged access, and extend policies and enforcement mechanisms across the distributed network.
This transition to a unified defense is evolving toward a strong centralized command-and-control point connected to decentralized sensors and policy enforcement points. The network is the support beam behind the threat-centric security model:
- The underlying network infrastructure must be open to support accessing and using global intelligence feeds and data from disparate security systems to identify vulnerabilities and address them across the distributed environment.
- The underlying network infrastructure must be capable of enabling bidirectional communication to protect myriad endpoints and the data repositories they use. Network infrastructure should support multiple deployment models — physical, virtual, cloud, or services — to address the distributed nature of the corporate network.
- The underlying network infrastructure must support data analytics and integrate with emerging specialized threat analysis and protection products. These emerging products are designed to identify advanced threats by leveraging data from external and internal sources and often by bridging the divide between Web, email, and network security.
- The underlying network infrastructure must pull together fragmented security solutions to support security operations and accelerate incident response.
Growing Cisco Security Portfolio Supports Unified Security Architecture
Cisco’s $2.7 billion acquisition of Sourcefire in 2013 catapulted the networking giant into the position of a modern player in the security market, but it was only the first step in supporting a unified defense strategy. Sourcefire’s advanced threat protection, endpoint visibility and control, and incorporated cloud threat intelligence support Cisco’s portfolio. Cisco quickly executed on integrating Sourcefire’s components. Sourcefire’s Advanced Malware Protection (AMP) technology was added to Cisco’s email and Web security appliances and to the Cloud Web Security service. Cisco pledged to continue to foster Sourcefire’s open source roots and extend the FirePOWER network security appliance line.
The acquisitions also bolstered the Cisco Security Technical Alliance program, establishing a healthy ecosystem of technology partners willing to embrace Cisco’s threat-centric model. A core part of establishing a unified defense strategy is extending consistent policies across the distributed network. Cisco’s Identity Services Engine (ISE) is a modern platform that acts as the access policy broker for employee and guest access to corporate resources. It uses Cisco’s Platform Exchange Grid (pxGrid) technology to share contextual data with integrated partner ecosystem solutions. This technology bridges isolated solutions into a cohesive security architecture.
Cisco Threat-Focused Web Protection
Cisco’s offerings include IronPort-branded Web security gateway appliances and Cisco Cloud Web Security, a SaaS solution. An on-premises/cloud configuration is also available for Cisco Web Security Appliance/Service deployments via a hybrid licensing offering.
The Web will continue to be the entry point for most attacks. The following measures could enable any organization to begin building the bridges necessary for a unified defense:
- Assess risk: Thoroughly analyze existing security investments before rationalizing the purchase of emerging technologies. Consider ways to gain more value from existing security investments. Identify and evaluate technologies designed to bridge communication gaps in existing security solutions.
- Increase visibility: Real-time content and security scanning is an essential part of Web security protection. Be more proactive about generating reports to gain visibility into which users and groups consistently generate the most risk. Assess the security infrastructure protecting the organization’s key assets. Identify the at-risk employees with privileges to those key assets, and address the security policies and enforcement mechanisms that mitigate the increased risk posed by those employees.
- Monitor proactively: Move from highly fragmented and poorly implemented defenses to predictive protection. This includes evaluating the usefulness of threat intelligence and contextual awareness gleaned from existing monitoring solutions deployed on the network.
- Examine response: Identify process and technology gaps that hinder incident response and remediation from silicon to cloud. Give incident responders the right tools to efficiently carry out remediation activities. Review recent incidents and address process breakdowns. Consider improvements that extend existing policies and automate response as much as possible to give IT security time to address the most critical issues.
IDC believes that increased pressures on enterprise security groups will continue to drive the requirement for more automation within a cohesive security architecture. Security infrastructure must have components capable of sharing threat data and using it to adapt to changes in the organization’s security posture. With large-scale attacks occurring and the incessant pace of high-profile data breaches, it is clear that all companies need to be better prepared to deal with these attacks. IT is a necessary component of doing good business, and IT security remains at the top of the IT department’s spending list.
A unified defense posture can provide increased visibility and enough context behind alerts for incident responders. There has been an emphasis on solutions that can bridge endpoint, mobile, and network visibility, linking them to an on-premises or cloud-based analysis engine capable of providing responders with the most relevant and actionable information. Networking vendors are adding endpoint security technologies to gain visibility and bolster the effectiveness of network defenses. Web security is one of the key endpoint components that can provide the necessary context to better protect end users. Web security is often the first line of defense against attacks. It is increasingly being extended through SaaS and on-premises deployments to protect workers regardless of their location or the devices they are using.