Guest View: Prevention is better than cure but what if the network has already been compromised?

Ammar Hindi


Photo - Ammar Hindi, Managing Director, Asia Pacific for Sourcefire, now a part of Cisco.


Much ink has been expended on the topic of cyber security and how best to prevent the bad guys from getting into your network. However, interestingly the recent Cisco Annual Security Threat Report 2014 states that 100 percent of the corporate networks studied showed signs of malicious traffic connecting to the outside world.

That one cold, hard statistic confirms what those of us in security have known for some time now: the reality has changed, and it is no longer a question of if you will be compromised, but of when and for how long.

The even colder reality for today's Chief Security Officer (CSO) is that there is a possibility that their network has already been compromised and the cyber criminals are well entrenched and well hidden.

Today's cybercriminals are thorough professionals and well resourced. Unlike the script kiddies of years gone by, or today's activists, they do not want to be spotted; they will invest time and energy in finding a crack in the defences and, from that foothold, spread out silently across the corporate network.

The problem for the CSO is that today everything is connected. This brings huge benefits to us all at home and at work, but it also presents huge opportunities for criminals, who know that if they can get in via an employee's personal iPad, a SCADA control system, or even a third-party supplier's network, they will be able to spread across our business networks.

The trouble is that most traditional cyber security is predicated on stopping attacks and attackers from getting into the network in the first place. While firewalls and antivirus are essential for stopping broad-based attacks, they will not stop them all, and the advanced malware and threats most businesses face will find a way through.

The security game has changed

So, as well as protecting the boundaries of the network, the CSO needs the ability to continually monitor his or her network and spot abnormal activity, or applications and software operating in an unexpected fashion. Only by addressing the complete attack continuum (before, during and after) does the CSO have the opportunity to spot and deal with a vulnerability or attack before too much damage is done.

One striking inference to be drawn from many of the recent high-profile attacks on some of the world's biggest businesses is just how long these attacks had obviously been going on and how much data was lost. After all, stealing millions of identities takes time, and this shows that the security teams in those organisations were probably unable to spot the data being extracted from their networks and shut the extraction down in time. Instead, too much damage was done, harming the reputation and business of those organisations.

The 2013 Verizon Data Breach Investigations Report highlighted that 66 percent of organisations failed to identify breaches for months or years after the initial compromise. Clearly, cybercriminals are in it for the long haul.

If the Cisco report is correct and every business has been compromised in some way, security professionals and organisations need to change their mindset. Organisations need to start approaching security and networks on the assumption that the bad guys will get in, or indeed that they are already in there. Only then can organisations hope to deal with the inevitability that the CSO and his or her team face today in businesses around the world.

The security 'game' has changed, and if we don't recognise that change, we risk seeing our company highlighted in the press, for all the wrong reasons.

- Ammar Hindi is managing director, Asia Pacific, for Sourcefire, now a part of Cisco.