Do You Need a Guard Dog? How Physical Perimeter Security Offers a Lesson for Network Security
People will go to great lengths to secure their homes against criminals. That’s especially the case when there’s a tangible threat of robbery or violence amid political turmoil. John DiLullo, Lastline’s CEO, learned this fact firsthand on a recent trip to Nicaragua. As he wrote in his recent blog post, the perimeter of the house in which he was staying featured some impressive security measures: 10-foot concrete walls topped with razor wire surrounding the property, security cameras, and even a private neighborhood security watch.
Making the Connection to Cyber Security
The extreme level of home security that John witnessed has its fair share of similarities with network security. Just like the Nicaraguan homeowner with multiple security measures, we defend our organizations and employees against external threats with various protective efforts:
- Next-generation firewalls (NGFWs): This security gateway acts similarly to the 10-foot concrete walls adorned with razor wire. Per TechTarget’s definition, the purpose of an NGFW is to block external actors at the perimeter. It does this by augmenting the capabilities of a traditional firewall with features such as secure shell (SSH) inspection, reputation-based malware detection, and application control.
- Intrusion detection system (IDS): An IDS functions like a security camera. As noted by Techopedia, it’s a type of security tool that monitors for malicious activities and security policy violations. When it detects anything suspicious, the IDS alerts you that someone is attempting to compromise an information system. But as with the security camera, an IDS can’t take action on its own to fix the security issue. It monitors but does not actively block or prevent threats from getting in.
- Sandbox: Some gated neighborhoods have a security guard who controls which individuals can enter the community. These guards vary in the level of scrutiny they apply to visitors, but their purpose is always the same: attempt to uncover the intent or “true self” of the person requesting access before that person reaches their intended destination. This functionality is similar to that of a network sandbox that inspects files and website content for malicious intent. But it differs in one key respect: while the security guard makes himself known, the sandbox wants to stay hidden from an incoming file so that the file believes it has reached its intended destination, thereby encouraging the file to reveal its “true self.” If it exhibits any malicious behavior, the sandbox can then remove, quarantine, and block the file before it reaches a host system, just as a security guard can deny access to an unwanted visitor.
- Threat intelligence: A private neighborhood security watch is similar to a threat intelligence network. This force represents a collective effort designed to protect all homeowners within the covered neighborhood against common threats like burglars. In the context of network security, organizations across industries and regions can use a threat intelligence network to defend against common cyberthreats. A significant part of this network involves sharing information with one another so that each individual member can make informed decisions about emerging threats and their security.
Perimeter Security and Why It’s No Longer Adequate
What this analogy makes clear is that the cyber defense measures discussed above all fit into the traditional perimeter security model. The philosophy behind this approach was that we could trust everything already inside our networks but that we couldn’t verify the safety of anything outside the network. In response, we were told to employ tools like firewalls to secure the perimeter against external threats.
Today, however, this perimeter-centric model can no longer provide an adequate level of defense. A previous blog post for Lastline attributes this development to two forces. First, mobile workforces and the cloud have helped to make the perimeter more porous, thereby making it impossible for us to take the black-and-white view of blocking everything outside the network. Second, bad actors are developing increasingly sophisticated attacks, including those that leverage unknown exploits to bypass detection by security tools.
Cyber criminals aren’t the only ones who are this innovative. John observed such ingenuity during his stay in Nicaragua. As quoted in his blog post:
“Physical security investments are ever growing because criminals continue to find ways past the existing traditional defenses. They use 12′ ladders to hurdle 10′ walls. Razor wire is defeated with an old piece of carpet. Cameras blinded with spray paint.”
Going the Extra Security Distance
Given the ever-changing threat landscape, we need to do something to bolster our defenses and stay one step ahead of cyber criminals. This effort should take increasingly sophisticated attacks and a porous network perimeter into consideration. That’s a lot to do. What type of response can do all of that?
In John’s case, many people got dogs. They did so not just to objectively augment their home’s security. They also did so to prevent their homes from standing out among those of their neighbors as an easier target.
“Crime was a certainty; the only question was one of victim selection. And, the least appealing target would have an advantage. All the homes had walls, and barbed wire and cameras. And now, they also have dogs. To be secure was important. To be the least hospitable target was equally important.”
The same conclusion is true in IT security. Plenty of us have perimeter security measures in place, but we need to add extra defenses so as not to be a hospitable target. As we all know, criminals develop attacks based on their understanding of state-of-the-art security. They craft these campaigns to evade detection by our traditional perimeter security measures, and they then launch them against a wide range of targets. Those of us who lack additional protection will likely be compromised, and once the criminal succeeds, those without extra defenses won’t be able to detect or defeat the attack. This is why these attacks prove especially effective against organizations that have not kept up with the threat landscape.
What these organizations need is a guard dog. More specifically, they need visibility inside their network – a sophisticated security utility to monitor the network for anomalous behavior. This tool should blend AI and threat intelligence together to provide high-fidelity insight into potential threats while minimizing false positives.
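To make the “guard dog” concrete, here is an added example (not code from the original post and not Lastline’s product) of the simplest form of internal network visibility: an IDS-style monitor that learns how many distinct internal hosts each workstation normally talks to per hour and alerts when a host suddenly fans out far beyond that baseline, a pattern worth a look because it is what lateral movement or an internal scan tends to produce. It illustrates both the IDS point from the list above (the monitor alerts but never blocks) and the anomaly-monitoring idea in this paragraph. The flow records, host addresses and hour buckets are constructed for the example, and the baseline is a plain mean/standard-deviation model rather than the AI-plus-threat-intelligence blend the post calls for.

```python
"""
Added example: a minimal "guard dog" for internal network visibility.
It learns a per-host baseline of distinct internal destinations per hour
from constructed flow records and raises alerts when a host's fan-out in a
given hour is far above its own baseline. Like an IDS, it only alerts.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    hour: int   # hour bucket (constructed, 0-based)
    src: str    # source host address (constructed)
    dst: str    # destination host address (constructed)


def build_sample_flows():
    """Constructed sample data: two workstations behave normally for hours
    0-4 (three internal destinations each); in hour 5, 10.0.1.8 stays normal
    while 10.0.1.7 contacts 40 new internal hosts."""
    flows = []
    for h in range(5):
        for host in ("10.0.1.7", "10.0.1.8"):
            for dst in ("10.0.0.10", "10.0.0.11", "10.0.0.12"):
                flows.append(Flow(h, host, dst))
    for dst in ("10.0.0.10", "10.0.0.11", "10.0.0.12"):
        flows.append(Flow(5, "10.0.1.8", dst))
    for i in range(40):
        flows.append(Flow(5, "10.0.1.7", f"10.0.2.{i + 1}"))
    return flows


def distinct_destinations(flows):
    """Map (src, hour) -> number of distinct destinations seen in that hour."""
    seen = defaultdict(set)
    for f in flows:
        seen[(f.src, f.hour)].add(f.dst)
    return {key: len(dsts) for key, dsts in seen.items()}


def learn_baseline(flows, training_hours):
    """Per-host (mean, stddev) of hourly fan-out over the training hours.
    The stddev is floored at 1.0 so a perfectly constant baseline still
    leaves a margin instead of flagging every tiny change."""
    counts = distinct_destinations(flows)
    per_host = defaultdict(list)
    for (src, hour), n in counts.items():
        if hour in training_hours:
            per_host[src].append(n)
    return {src: (mean(v), max(pstdev(v), 1.0)) for src, v in per_host.items()}


def detect_anomalies(flows, baseline, hour, threshold=3.0):
    """Return (host, fan_out, reason) alerts for `hour`. A host is flagged
    when its fan-out exceeds mean + threshold * stddev, or when it has no
    baseline at all (a host the monitor has never seen is itself notable).
    Nothing is blocked; the caller decides what to do with the alerts."""
    counts = distinct_destinations(flows)
    alerts = []
    for (src, h), n in counts.items():
        if h != hour:
            continue
        if src not in baseline:
            alerts.append((src, n, "no baseline for host"))
            continue
        mu, sigma = baseline[src]
        score = (n - mu) / sigma
        if score > threshold:
            alerts.append((src, n, f"fan-out z-score {score:.1f} exceeds {threshold}"))
    return alerts


if __name__ == "__main__":
    sample = build_sample_flows()
    model = learn_baseline(sample, range(5))
    for alert in detect_anomalies(sample, model, hour=5):
        print("ALERT", alert)
```

In practice the baseline would be learned from real flow or NetFlow-style records and the threshold tuned per environment; the point of the design is that the monitor compares each host against its own history rather than against a fixed rule, which is what lets it notice behaviour that a perimeter device with no view of east-west traffic never sees.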