A solution has arrived but it requires us to fundamentally rethink how we approach IP-based security solutions
Consider that right now nearly HALF of ALL Americans are scrambling to freeze their credit lines because of a simple vulnerability and patch that was not addressed by the large credit reporting agency. Stolen data included social security numbers, names and birthdates that could put people at risk of identity theft for the rest of their lives.
The Apache Struts vulnerability was identified in early March followed by at patch released to the industry on March 10. Two months later, hackers breached Equifax servers and began stealing personal data over a two month period. On July 10, the company reported that it had experienced an intrusion that it thought was limited. In early September, the company reported the magnitude of the breach.
For Equifax, consider the enormous financial impact to shareholder value and lost productivity that might have been mitigated by a simple patch of the known vulnerability. I can only imagine the distraction of countless meetings with company officials and lawyers huddled for two months trying to decide how and when to disclose the PR nightmare. And there is no end in sight with pending litigation encompassing more than 23 class action lawsuits,
But Equifax is not alone, there are countless other organizations (large and small) challenged to maintain secure environments. See Target, Home Depot, Heartland Payment Systems, and the list goes on. And bigger and bigger data flows mean even more spectacular data crimes to come.
To some in the industry, it’s not that Equifax had bad security practices, but that such poor security hygiene is all too common. It is very common scenario with many other organizations that have not been breached yet but have lackluster security practices and where millions of people are still exposed.
“A majority of large companies have similar challenges, problems and weakness in their cybersecurity. Most companies still fail to maintain a proper application inventory and thus keep critical vulnerabilities unpatched for months,” said Ilia Kolochenko, CEO of High-Tech Bridge, a Swiss Web security company.
Patching can take time, even for large corporations with dedicated security staff, which Equifax presumably had, noted Jeff Williams, co-founder of Contrast Security. Williams identified a different Struts vulnerability earlier this year.
But there is a new security paradigm on the horizon that is proven to prevent exactly what is happening with the majority of these breaches. It is a new approach for protecting critical infrastructure developed by the Cloud Security Alliance (CSA), rigorously tested by numerous white and black hat hackers, and is in production with industry leaders such as Google, Coca Cola, the Federal Government.
Consider that today’s DNS security paradigm is based on “access before authentication” approach and was instituted at a time when devices, networks and firewalls were essentially static. It relied on us knowing the IP addresses and using firewalls to control where the access is coming from.
With the advent of virtualization and the cloud, IT changed rapidly with the influx of mobile devices and clients accessing services and devices from anywhere. Overnight we went from trying to secure static, definable networks and services to ones that are now highly dynamic. IT is now anything but static and everyone has access to your services and devices before they are required to authenticate.
The new approach I’m referring to is already being used by large organizations but requires all of us to start fundamentally rethinking how we approach IP-based security solutions.
The current paradigm has to change and it starts with creating a “membership-based” approach that only allows access to those we designate. And the only way to know who we give access to is to authenticate first. It is a fundamentally different approach that will require having a client on every device – something not everyone is willing to accept yet. But devices are central to any IT environment. Only by putting a client on the device can you authenticate users in way that ensures that the service is completely shut off to everyone except those authenticated and authorized.
Software Defined Perimeters (SDP) employ an authenticate-first approach by securing every connection to a predetermined service, application or critical infrastructure. The primary effect of the SDP is that it allows good packets and connections while dropping bad packets and preventing bad connections. In the event of a DDoS attack, SDP proactively identifies malicious traffic, automates the ability to immediately block it, and stops the traffic from reaching the protected services.
The analogy is a big house (Equifax) that currently allows people to knock on the front door (our current environment). Bad guys are allowed to walk up to the house and knock on the door. If no one is home and the door is locked, they can start trying to pick the lock with no resistance. They might get in, they might not. But everyone has access to the door and the ability to try and exploit it. In the authentication before access house, the attacker cannot see the door, or the house, or even know it is there to begin with.
SDPs embody the new security paradigm. They incorporate industry input and lessons learned from successful commercial implementations of SDP by leading enterprises such as Google, Coca-Cola, and large government organizations like the DHS.
In the case of Equifax, and countless others to come, even if the patches were NOT in place, because attackers cannot see or even know where the services are, they cannot exploit the vulnerabilities from outside the network.
SDPs continue to be tested in organized industry “hack-a-thons” (such as RSA) with an estimated 10 billion attempts to date – all unsuccessful.
For more information, check out this white paper on Software Defined Perimeters.
Also feel free to check out the industry’s first open source reference implementation of SDP developed by Waverley Labs. The reference architecture and repository can be accessed and downloaded here.
# # #