Infosec 2012: Organisations need new approach to defending networks

Networks cannot be defended against advanced attacks, which demand a new response from business, say security experts at Infosec 2012

Next-generation cyber attacks demand a new and advanced response from business, a panel of experts told delegates at the Infosec Europe 2012 conference in London.

The panel agreed it is more accurate to talk about advanced attackers, rather than advanced persistent threats (APTs) or advanced evasion techniques (AETs).

These new generation attacks do not always used the most advanced techniques, said Scott Crawford, managing research director, Enterprise Management Associates.

The attackers are "advanced" because they know what techniques to use to get the data they want, and that often means using well-known techniques which still work, he said.

"For example, the breach of RSA was accomplished using phishing e-mails and good old social engineering," said Crawford.

Increase network visibility

To deal with advanced attackers, organisations should begin by assuming they have already been compromised, said Spencer Mott, chief information security officer at Electronic Arts.

Assume corporate networks cannot be defended against advanced attacks and focus resources instead on defending the most valuable information assets, he said.

For many organisations this may mean having to re-organise to focus on internal processes and shift thinking to reflect that each user of IT systems shares responsibility for security.

"We are beginning to see a shift in emphasis to achieve greater visibility of what is going on in company networks to see who is accessing is accessing what," said Crawford.

However, he believes companies should also be proactively seeking to apply forensic analysis to their environments to identify current and potential threats before a breach is detected.

Organisational change, he said, will also involve building the capability to analyse all the data collected from security tools to turn it into actionable intelligence.

Immature detection technologies, said Crawford, meant that many organisations had been compromised or at least penetrated for a lot longer than they realised.

"Adopting this view will help move organisations towards better breach containment strategies and setting up or tapping into a data analysis capability," he said.

Mitigate attacks

Organisations should ensure that when a breach does occur, they can track the activity of attackers and demonstrate to customers and regulators they did everything they could to mitigate the attack.

"Be able to show the board was aware of and took the threat seriously, as well as the advanced nature of the attackers," said Mott.

Mott said most businesses are behind the curve when it comes to defending against advanced attackers.

"But this issue really needs to be debated at a national and international debate, because essentially many of these attackers are nation states aiming to breach companies and do us harm," he said.

The panel agreed that information-sharing between organisations within an industry, country and internationally could be a valuable resource to combat advanced attackers.

"There is a lot to be gained from sharing information and, while the financial sector has taken the lead, we are a long way from having a common body of data that can be used by all," said Crawford.

Mott said there is a lot of scope for tackling advanced attacks by sharing information, but says the industry must first establish common frameworks for talking about threats and defences.

"There is also scope for joint operations; organisations could set up joint security operations centres. We need a common output everyone can use and understand," he said.

Read more on Hackers and cybercrime prevention