A change in focus
Today, however, with the advance of technology like cloud and smart devices, and trends such as BYOD and mobile working, the focus has shifted. Perimeter security is no longer as important because increasingly organisations have borderless networks. Now it’s more about protecting users and devices, instead of the network itself.
A typical way of doing this is adhering to these five elements that form a core part of risk frameworks used by the US body NIST, and the UK’s National Cyber Security Centre (NCSC).
1.Identify — identify the assets, systems and data that need protecting
2.Detect — implement ways to detect an attack
3.Protect — develop ways to protect against an attack
4.Respond — craft a plan to react to an attack
5.Recover — ensure the organisation can continue operations after an attack
This approach is also coupled with a move toward cyber resilience that provides organisations with a more holistic view of cyber security. More mature organisations are devoting time and effort to looking at how they can layer security and be more effective in responding to and recovering from an attack.
Security teams typically look at things like testing incident response services; detecting threats within the network; and using internal network segmentation and other controls to build strength in-depth.
Response and recovery
Red team engagements are one of the services that can be used to build this cyber resilience. Red teaming is a full-attack simulation that focuses on all areas of the organisation, from breaching networks and systems, to using social engineering tactics, and gaining physical access to premises and devices.
While red teaming helps organisation identify critical issues that need remediating, it can also be goal-led. These goals are developed between the security provider and the organisation and are then used to build scenarios to test incident response, for example. This could include increasing noise on the network by running aggressive port scans, starting to enumerate hosts, or changing group permissions in Active Directory – all of which should trigger incident response capabilities. In this way, the organisation’s security is being tested but so is their resilience and responsiveness of security teams.
There’s no easy answer to who is winning — attacker or defender. It’s an ongoing cycle because as technology advances and is used to boost security, it can also be used by attackers to improve attack methods and create new threat vectors.
Success for organisations therefore hinges on not just preventing an attack, but mitigating the impact of an attack and ensuring the business knows how to respond and quickly resume operations.