Hello? 1995 called and wants its IT security back
Adam Boone
CMO | Sequoia, Greylock, Bessemer startups with successful exits | Best-in-Class Go-to-Market Strategy, Demand Generation, Branding, Product Management
The firewalled perimeter. The gift that keeps on giving … data breaches.
This week Verizon Enterprise Solutions released its annual Data Breach Investigations Report (the 2016 DBIR). As one of the most widely read and respected reports on the state of IT security, the DBIR is a treasure trove of breach trend data that we’ll all be talking about until the next one is released. I urge everyone in IT to download and read it. Besides being full of great insights, it’s entertaining and at times extremely funny.
Four points in this year’s DBIR really shine a light on the root causes of the continuing perfect storm of data breaches hitting companies and governments around the world.
All of these important trend points are related to the increasing obsolescence of IT security dependent on a firewalled perimeter.
From the DBIR:
- Breach detection deficit: The time it takes an attacker to get past the firewall and compromise an enterprise or government entity is typically measured in minutes, and exfiltration of the stolen data follows within days. Yet only a small fraction of breaches are detected within days; the typical time to detect a breach is weeks or months. The DBIR calls this gap the detection deficit (we call it the “breach detection lag”), and it says the gap is getting worse. (See pages 10 and 11 of the report.)
- Compromised user attack vector: Phishing attacks targeting individuals remain widespread and very damaging. The DBIR reports that 63% of confirmed data breaches involved weak, default or stolen passwords, in other words a legitimate but compromised user credential. The same vector that took down Target, Home Depot, and reportedly the U.S. OPM, Anthem and many others continues to be the top attack vector. (See pages 17-21 and page 62 of the report.)
- Third-party attack vector: Outside firms (consultants, suppliers, vendors, contractors) remain a major route into an enterprise. For example, 97% of attacks on retail point-of-sale applications used a legitimate partner’s credentials, the same basic vector as the Target breach three years ago (albeit through a different kind of partner). (See pages 31-34 of the report.)
- Insiders: An insider misusing his or her own legitimate credentials continues to be a major attack vector, especially in healthcare, finance and government. The vector works because the victim enterprises enforce no meaningful internal segmentation or control over which applications a user can reach once that user is past the firewall. (See pages 35-38 of the report.)
These points illustrate that the vast majority of security architectures are still built on obsolete firewalled perimeters, with minimal segmentation or access control imposed internally. It’s the quaint notion that you can build an architecture around firewalls and keep the bad guys out.
And it’s an idea older than many of the people now reading this blog post.
When Firewalls Fail
When the original firewalled perimeter was state-of-the-art, relatively little mission-critical data was digitized and shared broadly on networks. Today, data related to patients, students, credit cards, critical operations, and proprietary intellectual property is digitized and shared everywhere. It's accessed by employees and non-employees, including partners, consumers, law firms, supply chain, contractors and others.
Firewalls were state-of-the-art when the corporate IT department pretty much dictated what sort of endpoints were allowed in the IT environment. Now employees use a dizzying array of new devices to access data, including personal smartphones and tablets, and the Internet of Things multiplies the number of endpoints talking to applications.
Back when firewalls were hot, “The Cloud” was what we called the wave of smoke that rolled out of Spicoli’s van whenever he stumbled out in Fast Times at Ridgemont High.
“The Cloud” back when firewalls were state-of-the-art
Now the Cloud, SD-WAN and Bring-Your-Own-Application mean that sensitive data is spread all over the place, into environments where IT has little or no control.
Firewalls are increasingly less relevant as the centerpiece of the security architecture. Users don’t respect the firewalled perimeter. Applications don’t respect the firewalled perimeter. And just like Spicoli did not respect Mr. Hand, the Cloud certainly doesn’t respect the firewalled perimeter.
Of course firewalls are still needed, just like some form of anti-virus, anti-malware and end-point protections are still needed and always will be.
But basing your security architecture and trust model around the notion of a “trusted” network protected by firewalls is a surefire way to get your company into the hacking headlines. You might as well post all your most sensitive data to the Dark Web and cut out the middle man.
Modernizing Security
The findings of the 2016 DBIR make it painfully obvious that the same old thing the legacy firewall vendors are still selling is not stopping these breaches.
But the firewall’s starring role in security is being supplanted by modern security products such as software-defined perimeter tools, adaptive access control, enterprise mobility management tools, micro-segmentation tools, next-generation VPNs, secure application overlays and containerization.
Enterprises must re-think and re-boot the security architecture. Here are the principles we see as most effective:
- IT security is no longer about managing devices and infrastructure. The fundamental assumption that a device or the network infrastructure can be "trusted" is simply wrong. IT security must focus instead on users and applications and how they interact, while insulating both from the suspect infrastructure.
- Security managers should shrink the attack surface by carefully controlling which users can access which applications, in all internal and external locations. Access control should stop being keyed to devices and networks and instead be oriented around users and applications: role-based access control can gate each user to only those applications needed to do his or her job.
- Enterprises should design the architecture with breach containment in mind. Assume every user is compromised. Assume attackers are already past the firewall. Assume malware is already inside. Then ask: how do you segment the environment and isolate the most sensitive applications so that a single compromised account or device does the least possible damage?
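To make the three principles concrete, here is an added example (my own illustration, not code from the original post or from any Certes product) that puts a 1995-style perimeter model next to a deny-by-default, user-and-application model. The users, roles, applications and IP addresses are all invented for the example. The point it shows that the prose alone does not: under the perimeter model a stolen vendor credential used from an internal address reaches everything, while under the user/application model the same credential reaches exactly one application, and source network plays no part in the decision.

```python
"""Perimeter ("inside the firewall == trusted") versus identity- and
application-centric ("deny by default, grant per role per application") access.

Illustrative code only, not product code. Every user, role, application
and address below is constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Which roles may reach which application. Anything not listed is denied.
# "restricted" applications additionally require MFA on the session.
APP_POLICY = {
    "hr-payroll":  {"roles": {"hr"},                        "tier": "restricted"},
    "patient-db":  {"roles": {"clinician"},                 "tier": "restricted"},
    "pos-support": {"roles": {"pos-vendor"},                "tier": "standard"},
    "wiki":        {"roles": {"hr", "clinician", "staff"},  "tier": "standard"},
}

# User -> roles. "hvac-vendor" is a third-party account with a single role.
USER_ROLES = {
    "alice":       {"hr", "staff"},
    "bob":         {"clinician", "staff"},
    "hvac-vendor": {"pos-vendor"},
}

# Address ranges the perimeter model treats as "inside".
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass
class Request:
    user: str
    app: str
    source_ip: str
    mfa: bool = False


@dataclass
class Decision:
    allowed: bool
    reason: str


def perimeter_model(req: Request) -> Decision:
    """The firewalled-perimeter model: location is the only input.
    Who the user is and which application they want never enter into it."""
    src = ip_address(req.source_ip)
    if any(src in net for net in INTERNAL_NETS):
        return Decision(True, "inside the firewall")
    return Decision(False, "outside the firewall")


def user_app_model(req: Request) -> Decision:
    """Deny by default; grant only on (user's role, application).
    Source address is deliberately not consulted: an internal address
    buys nothing, an external one costs nothing."""
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return Decision(False, f"unknown application {req.app!r}")
    roles = USER_ROLES.get(req.user, set())
    if not roles & policy["roles"]:
        return Decision(False, f"{req.user!r} holds no role permitted on {req.app!r}")
    if policy["tier"] == "restricted" and not req.mfa:
        return Decision(False, f"{req.app!r} is restricted and requires MFA")
    return Decision(True, "role matches application policy")


def blast_radius(user: str, model) -> set:
    """Applications an attacker holding this account can reach once 'inside'.
    Worst case is assumed: internal address and MFA already defeated, so the
    only thing limiting the damage is the access model itself."""
    reachable = set()
    for app in APP_POLICY:
        if model(Request(user, app, "10.1.2.3", mfa=True)).allowed:
            reachable.add(app)
    return reachable


if __name__ == "__main__":
    stolen = Request("hvac-vendor", "patient-db", "10.1.2.3", mfa=True)
    for name, model in (("perimeter", perimeter_model), ("user/app", user_app_model)):
        d = model(stolen)
        print(f"{name:9s} vendor -> patient-db: {d.allowed} ({d.reason})")
        print(f"{name:9s} blast radius of vendor account: {sorted(blast_radius('hvac-vendor', model))}")
```

The `blast_radius` function is the containment question from the third principle turned into something you can measure: for each account, which applications fall if that account is compromised. Under the perimeter model the answer for every account is "all of them"; under the role-per-application model it is the handful the role legitimately needs, which is the whole argument for segmentation.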
But we do have another choice, of course. We could choose to do nothing. We could all just sit back, relax, trust our firewalls will do the job, and reminisce through another episode of Friends.
Then we can read about the results of that strategy in next year’s Verizon DBIR.
For another perspective on breach containment and the evolution of IT security, check out the recent webinar Certes did with analyst firm Intellyx: https://youtu.be/ad-CK7h77WQ