Just a few years ago, the only security metric that mattered was whether your organization had been hacked or not.
This all-or-nothing definition of security success is now outdated. There are new, more complex metrics that measure the strength of your security posture. They include:
- Mean Time to Intrusion: How long (hours or days) would it take someone to get into your network from the outside? This should be a long time.
- Mean Time to Detection: How long does it take to notice they are in your network? This should be a short time.
- Mean Time to Remediation: How long does it take to get the bad guys out? This should be a short time.
To achieve success based on these new metrics, you much change your security mindset. When security success was measured solely in keeping people out, resources were focused primarily on putting up firewalls, building up the perimeter and making it as difficult as possible to get in.
With these three new metrics, firewalls remain an important aspect of security, but they’re not the one-and-only means of protection. In fact, next-generation firewalls come with extra capabilities not formerly available. They will not only help keep people out, but will tell you when someone has infiltrated your network.
In this regard, next-gen firewalls help you achieve success in two of the new security metrics: mean time to intrusion and mean time to detection. “Old school” firewalls only helped with the first.
So, step one in achieving security success should be to implement a next-gen firewall.
Step two is to create network segmentation. This entails separating out various parts of your network to ensure that if someone infiltrates one segment, they are stuck there and can’t access other parts.
You can segment by department, network area, physical location or data sensitivity. The goal is to create enclaves of data that can only be accessed by those who need that data to do their work, or those cleared/certified to have access.
If set up and maintained properly, this segmentation can help you achieve success in mean time to detection and remediation. Instead of trying to recognize an intrusion from across your entire network, you can monitor by segment, reducing the time needed to catch unauthorized access. And, since you have a smaller segment to secure, it takes less time to expel the bad guy rather than chasing them around the entire network.
The third key to success is to tie together all security systems with other IT systems and tracking traffic anomalies in your network using a system such as Splunk for visibility across your entire network. The right system will show you who has penetrated outer defenses and allow you to quickly investigate how it happened and how to get them out.
Security Event Management
The final piece is security event management. This is most important to minimize mean time to detection. It’s not realistic to assume that your firewalls, network segmentation and other technical security implements will keep bad guys out. You need a plan about what to do when, not if, they get in.
Part of this is ensuring that your network admins are trained in how your network is configured and where your information is. It’s amazing how many organizations don’t offer clear instructions on how data is segmented, where equipment is and how the network is updated and maintained.
This was part of the problem with the recent Office of Personnel Management breach. They simply didn’t know where all their data was. This was an egregious mistake that made it harder to detect and remediate the breach.
Comprehensive security will continue to grow more complicated as malicious actors become more sophisticated in their attacks. By measuring your organization’s or agency’s security posture against these three criteria, you will be prepared to prevent, detect and quickly end any intrusions that may occur.
Learn more at www.force3.com/blog.