Data centers are under attack. Hardly a day goes by without some kind of hack being uncovered. Intellectual property is stolen, cash ripped off from bank systems, websites brought down and millions of identities stolen.
It might seem to some that the IT people they trusted for decades to look after their data are no longer up to the task. But that isn’t a fair assessment. What has happened is that the size and volume of attacks have exploded, along with the number of potential attack vectors. It’s a bit like a fortified city under attack from insurgents who are already inside, while officials refuse to let the guards close the gates because trade is booming.
That’s how it looks from the data center perspective. Line of business managers demand cloud apps NOW. They aren’t willing to wait a year for it to be developed internally, or even a month or two for that app to be approved by IT.
“It’s a fool’s errand to be able to block or vet the thousands of cloud apps out there,” says Sanjay Beri, CEO and co-founder of security firm Netskope. “Further, much of the information you’re trying to safeguard is being shared by apps in a way that never touches the network perimeter device—direct to the cloud in places like airports and coffee shops.”
That means a firewall with an exhaustive list of blocked apps never gets the chance to act when the user is remote or mobile: the laptop in the coffee shop talks to the cloud service directly, and the traffic never traverses the corporate network where the firewall sits. Similarly, anti-virus (AV) software is struggling to cope with today’s threats.
The New Perimeter
Perimeter defense has traditionally been about controlling traffic flowing in and out of a data center network. Best practice is a layered set of complementary defenses. Beyond the router that connects the internal and external networks, the primary technology underpinning perimeter protection is the firewall, which permits or drops traffic according to rules on protocol, port and permitted source/destination addresses, blocking anything unknown or potentially dangerous. Most organizations also deploy intrusion detection or intrusion prevention systems (IDS/IPS), which inspect traffic for signs of attack once it has passed through the firewall; an IDS alerts, while an IPS can also block.
“The most effective strategies implement multiple layers of complementary controls, all of which a potential intruder must circumvent to gain access,” says Rob Sadowski, director of technology solutions at RSA, the security division of EMC. “However, perimeter defense alone is not enough to protect against sophisticated threats. Organizations need to develop intelligence-driven network monitoring, threat detection, and incident response capabilities as well.”
While firewalls, network perimeter appliances and AV may have lost some of their potency, that doesn’t mean they should be abandoned. They still have a role to play in preventing a direct attempt to “storm the ramparts.”
“Firewalls should still play a role, but the ‘human firewall’ should be given more attention,” says Stu Sjouwerman, CEO of security firm KnowBe4. “The perimeter has to be extended to every device and every employee.”
“Think about how easy it still is to exploit phishing emails,” he says. “Cyber security is as much about people as it is about technology, so training is a big part of prevention.”
A recent phishing attack on one company on the northeastern seaboard, for example, had data center staff scrambling for days. It started with someone clicking a cleverly engineered link in an email. That gave the attackers access to the company address books. Shortly thereafter, employees were receiving emails that appeared to come from trusted internal colleagues asking them to open an attached fax. Many did. The infection spread rapidly and brought down several systems.
Such incidents make it clear that staff training is a vital element of the data center security arsenal. According to the Cybercrime Survey, companies that train employees spend 76 percent less on security incidents than those that don’t, a saving the survey put at $500,000 per year.
The data center perimeter, then, must be protected at all modern entrance gates. This extends from the network edge and the corporate firewall outward to mobile applications and the cloud, and inward to every employee and every device. But that’s a daunting task for anyone. It’s a bit like trying to protect the president on a visit to Manhattan. The only option is to place the city in virtual lockdown, and spend a fortune to deploy an army of Secret Service staff backed up by drones in the air as well as jet fighters on standby. Few data centers can afford that level of protection.
The good news is that they may not need to. Boisvert thinks that prioritization is essential, not only to contain costs, but to increase effectiveness in the fight against cyber-attacks.
“Stop trying to protect everything,” he says. “Protect what’s vital and accept that the rest may be compromised.”
Just as concentrating on the data center’s “crown jewels” contains costs, incorporating analytics and intelligence techniques makes the job easier.
“State-of-the-art tools such as network forensics and analytics can help the incident management and response teams get the information they need when time is of the essence,” says Sadowski.
What is evolving is a big data approach to analytics: let software do the heavy lifting of sifting through network and host telemetry so that analysts look only at what stands out.
Analytics vendor SAS already has products in this space, but it has a project under way that aims to analyze data at far larger scale. The goal is to model what normal behavior looks like for each machine so that deviations from it stand out.
“The hacker is deviating from normal by communicating with machines they don’t normally communicate with,” says Bryan Harris, director of R&D for cyber analytics at SAS. “With the context of what machines should be doing, and the hosts, ports and protocols they interact with, you can identify outliers.”
If one machine is doing something even a little different, the data center manager is alerted and can determine whether an actual threat is present. The caveat is that a baseline learned over too short a period, or never tuned, flags every legitimate change as well, so the learning window and the alert thresholds matter as much as the model itself. This approach to security is expanding. Expect the Symantecs, RSAs and McAfees of this world either to partner with analytics firms like SAS or to develop their own analytics engines.
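As an added illustration of the approach Harris describes (example code written for this edit, not SAS’s product or anything from the original article), the following Python builds a per-host profile of the destination, port and protocol triples seen during a baseline period and then classifies new flows against it. The host names and flow records are constructed for the example.

```python
"""Baseline-and-outlier detection over network flow records.

Added example for this article; not SAS code. All hosts and flows are
constructed for illustration.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# A flow is (src_host, dst_host, dst_port, protocol).
Flow = Tuple[str, str, int, str]
# A profile maps each source host to the (dst, port, proto) triples it uses.
Profile = Dict[str, Set[Tuple[str, int, str]]]

# Constructed baseline: what the tiers normally talk to.
BASELINE_FLOWS: List[Flow] = [
    ("web01", "app01", 8443, "tcp"),
    ("web01", "dns01", 53, "udp"),
    ("app01", "db01", 5432, "tcp"),
    ("app01", "dns01", 53, "udp"),
    ("db01", "backup01", 22, "tcp"),
]

# Constructed observation window to score against the baseline.
NEW_FLOWS: List[Flow] = [
    ("web01", "app01", 8443, "tcp"),       # normal
    ("app01", "db01", 5432, "tcp"),        # normal
    ("db01", "web01", 4444, "tcp"),        # database host reaching into the web tier
    ("web01", "203.0.113.7", 443, "tcp"),  # web server initiating outbound to the internet
    ("app01", "dns01", 53, "tcp"),         # known peer and port, unexpected protocol
]


def build_profile(flows: Iterable[Flow]) -> Profile:
    """Learn, per source host, every (dst, port, proto) triple seen in the baseline."""
    profile: Profile = defaultdict(set)
    for src, dst, port, proto in flows:
        profile[src].add((dst, port, proto))
    return profile


def classify(flow: Flow, profile: Profile) -> str:
    """Return 'known' or a short reason describing how the flow deviates.

    Reasons are ordered from most to least surprising so the alert text
    tells the analyst what kind of novelty they are looking at.
    """
    src, dst, port, proto = flow
    seen = profile.get(src, set())
    if (dst, port, proto) in seen:
        return "known"
    if not seen:
        return "new source host"
    if dst not in {d for d, _, _ in seen}:
        return "new peer"
    if (dst, port) not in {(d, p) for d, p, _ in seen}:
        return "new port to known peer"
    return "new protocol to known peer/port"


def find_outliers(flows: Iterable[Flow], profile: Profile) -> List[Tuple[Flow, str]]:
    """Every flow that is not already in the profile, paired with its reason."""
    outliers = []
    for flow in flows:
        reason = classify(flow, profile)
        if reason != "known":
            outliers.append((flow, reason))
    return outliers


if __name__ == "__main__":
    prof = build_profile(BASELINE_FLOWS)
    for flow, reason in find_outliers(NEW_FLOWS, prof):
        src, dst, port, proto = flow
        print(f"ALERT {src} -> {dst}:{port}/{proto}: {reason}")
```

The profile is only as good as the baseline period: a week that includes a maintenance window teaches the model that backups to a new host are normal, and a baseline captured while an intruder was already present teaches it the intruder. In practice the learned set is reviewed before it is trusted, and a new triple is promoted into the profile only after an analyst confirms it.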
“Real-time, high-speed advanced analytics will be the best solution for high-level resilience,” says Boisvert.
He also advocates what he calls threat intelligence. One aspect is the sharing of data on attempted incursions among companies or industries as a means of leveling the playing field. After all, the bad guys have gotten very organized. They can buy code for Distributed Denial of Service (DDoS) attacks online. In Eastern Europe and perhaps areas of Asia, there appears to be a convergence of government interest and organized crime.
“Organized crime has been a major threat actor, acting on the behest of the state in some cases and even getting some direction on targets,” said Boisvert. “If you mess up our banking and retail industries, for example, it disrupts the U.S. economy.”
The takeaway is that data centers can no longer act in isolation. They should be actively pooling resources and presenting more of a united front against the black hats.
Management and Response
Many data centers are heavily focused on responding quickly to immediate threats. While this is certainly important, it isn’t a winning long-term approach on its own. Jake Williams, a certified instructor for the SANS Institute, thinks some data center managers need to understand the difference between security incident management and incident response. While the two are closely related, incident management is more of a business function, while incident response is the technical work.
“Those that attempt incident response without good incident management processes tend to be overwhelmed by constant requests for status updates,” says Williams. “Neither of these roles works well without the other.”
Best practices in incident response call for a documented process that is always followed. Doing so requires drilling and testing. It may be easy to recall all of the steps required to contain an incident today, but stress levels rise substantially during an actual breach. One answer, says Williams, is the creation of checklists to ensure that all tasks are accomplished in the order intended.
“Documentation during the incident is key and checklists can help,” says Williams. (Free incident response checklists are available at sans.org).
Another crucial aspect of becoming better organized is to deploy a Security Information and Event Management (SIEM) system to collect, correlate and analyze logs and automate the first pass over them. Though a commercial SIEM can be a costly investment, there are free and open source options, such as AlienVault’s OSSIM, a free SIEM, and the Security Onion Linux distribution, which bundles network security monitoring and log analysis tools.
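The kind of correlation a SIEM performs, as an added example (code written for this edit, not from the article, from OSSIM or from Security Onion): a rule that parses sshd authentication lines and raises an alert when one source racks up five failures within a minute and then logs in successfully on the same host. The log lines, host names and addresses are constructed for the example.

```python
"""SIEM-style correlation over authentication logs.

Added example for this article; not code from OSSIM or Security Onion.
The log lines, hosts and addresses are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Constructed sshd lines in a simplified ISO-timestamped syslog layout.
SAMPLE_LOGS: List[str] = """
2014-06-03T10:00:01 web01 sshd[4012]: Failed password for admin from 198.51.100.23 port 51022 ssh2
2014-06-03T10:00:03 web01 sshd[4012]: Failed password for admin from 198.51.100.23 port 51023 ssh2
2014-06-03T10:00:04 web01 sshd[4012]: Failed password for root from 198.51.100.23 port 51024 ssh2
2014-06-03T10:00:06 web01 sshd[4012]: Failed password for admin from 198.51.100.23 port 51025 ssh2
2014-06-03T10:00:07 web01 sshd[4012]: Failed password for admin from 198.51.100.23 port 51026 ssh2
2014-06-03T10:00:09 web01 sshd[4012]: Accepted password for admin from 198.51.100.23 port 51027 ssh2
2014-06-03T10:05:00 app01 sshd[2201]: Failed password for deploy from 192.0.2.10 port 40001 ssh2
2014-06-03T10:05:30 app01 sshd[2201]: Accepted password for deploy from 192.0.2.10 port 40002 ssh2
2014-06-03T10:06:00 app01 cron[900]: (root) CMD (/usr/bin/logrotate)
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

THRESHOLD = 5                   # failures needed before a success is suspicious
WINDOW = timedelta(seconds=60)  # how far back failures still count


def parse(line: str) -> Optional[dict]:
    """Normalize one sshd line into a dict, or None for lines this rule ignores."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def correlate(lines: List[str], threshold: int = THRESHOLD, window: timedelta = WINDOW) -> List[dict]:
    """Alert when one source fails `threshold` times within `window` on a host
    and then logs in successfully on that same host."""
    failures: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    alerts: List[dict] = []
    for line in lines:
        event = parse(line)
        if event is None:
            continue
        key = (event["host"], event["src"])
        recent = failures[key]
        # Slide the window: forget failures older than `window`.
        while recent and event["ts"] - recent[0] > window:
            recent.popleft()
        if event["result"] == "Failed":
            recent.append(event["ts"])
        elif len(recent) >= threshold:
            alerts.append({
                "rule": "brute-force followed by success",
                "host": event["host"],
                "src": event["src"],
                "user": event["user"],
                "failures": len(recent),
                "first_failure": recent[0].isoformat(),
                "success": event["ts"].isoformat(),
            })
            recent.clear()
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

The rule is stateful per (host, source) pair, which is what distinguishes correlation from keyword matching: no single line above is remarkable on its own. Lines the parser does not recognize are skipped silently here; a production pipeline counts them, because a rising parse-failure rate usually means a log format changed and the rule has gone blind.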
Like Boisvert, Williams is a fan of training, emphasizing the education of data center staff in incident response.
“Incident responders and managers alike need training and periodic drilling in their own environments,” he says.
Among the most effective of these are incident dry runs, in which responders and managers work through a mock incident together. These exercises often expose deficiencies in training, procedures or the availability of resources.
With so many cautions, best practices, technologies and attack vectors to take into account, Rajneesh Chopra, vice president of product management at Netskope, reminds data center managers not to leave end users out of the loop. Take the case of a group of users whose credentials have been stolen.
“Immediately inform affected users that they should change their passwords,” says Chopra. “You might also inform them of apps with weak password controls and that they’re at risk if they continue to use the app. In extreme circumstances, you might even have to lock down that app entirely.”
Piero DePaoli, senior director for Global Product Marketing at Symantec, says the best way to protect data center infrastructure is to assume the perimeter doesn’t exist and protect each component inside the data center.
“Organizations need server-specific security with default-deny policies on every server in the data center,” he says. “Simply applying antivirus or the same security that’s on laptops is not enough. Laptop security by default allows all and attempts to block malicious items. Security on a server needs to be applied in the exact opposite fashion: block everything and only allow approved items to run.”
This entails hardening the infrastructure so that physical and virtual servers are authorized to communicate only over specific ports, protocols and IP addresses. Second, use application whitelisting to allow only specific, approved applications to run and deny all others. Third, use file integrity and configuration monitoring to identify attempted changes, and even suspicious administrator actions, in real time, says DePaoli.
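The default-deny stance DePaoli describes, as an added example in Python (code written for this edit, not Symantec’s product or anything from the original article): the same unknown executable hash is allowed under a laptop-style blocklist and denied under a server-style allowlist, a connection is checked against a per-server list of permitted (address, port, protocol) tuples, and a file-integrity baseline is hashed and re-hashed to catch an edited config, a dropped library and a removed trust anchor. The policy entries, paths and file contents are constructed for the example; a real deployment would enforce these decisions in the kernel or an agent, which this model does not do.

```python
"""Default-deny server controls: execution allowlisting, connection policy
and file-integrity monitoring.

Added example for this article; not Symantec's product. Policy entries,
paths and file contents are constructed for illustration.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Set, Tuple

Verdict = str  # "allow" or "deny"


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


# --- Execution control: the two postures DePaoli contrasts ------------------

def decide_blocklist(exe_hash: str, known_bad: Set[str]) -> Verdict:
    """Laptop posture: default allow, deny only what is on the bad list."""
    return "deny" if exe_hash in known_bad else "allow"


def decide_allowlist(exe_hash: str, approved: Set[str]) -> Verdict:
    """Server posture: default deny, allow only what was explicitly approved."""
    return "allow" if exe_hash in approved else "deny"


# --- Network policy: explicit (address, port, protocol) tuples per server ---

ConnPolicy = Dict[str, Set[Tuple[str, int, str]]]


def decide_connection(server: str, dst: str, port: int, proto: str, policy: ConnPolicy) -> Verdict:
    """Anything not enumerated for this server is denied, other internal hosts included."""
    return "allow" if (dst, port, proto) in policy.get(server, set()) else "deny"


# --- File integrity monitoring ---------------------------------------------

def baseline(root: Path) -> Dict[str, str]:
    """Hash every regular file under root; keys are POSIX-style relative paths."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify differences between two baselines as added, removed or modified."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def demo_fim() -> Dict[str, List[str]]:
    """Baseline a constructed config tree, tamper with it, and report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("listen=8443\n")
        (root / "etc" / "ca.pem").write_text("-----BEGIN CERTIFICATE-----\n")
        before = baseline(root)
        # Simulated intrusion: config edited, a library dropped, a trust anchor removed.
        (root / "etc" / "app.conf").write_text("listen=4444\n")
        (root / "etc" / "unknown.so").write_bytes(b"\x7fELF")
        (root / "etc" / "ca.pem").unlink()
        after = baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    approved = {sha256_bytes(b"approved-binary")}
    unknown = sha256_bytes(b"never-seen-binary")
    print("blocklist verdict on unknown binary:", decide_blocklist(unknown, set()))
    print("allowlist verdict on unknown binary:", decide_allowlist(unknown, approved))
    print("file integrity diff:", demo_fim())
```

The point of the contrast is in the first two verdicts: a blocklist has nothing to say about a binary it has never seen, so it lets it run, while the allowlist denies it for exactly the same reason. The baseline itself must be stored somewhere the monitored server cannot write, or an intruder with root simply re-baselines after making changes.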
No Stone Unturned
One final word of advice: if a serious breach occurs, leave no stone unturned in the investigation. A tactic attackers have used recently is to bury malware deep within the data center and leave it dormant for a while after it is planted. That way, even if the incursion is discovered and mop-up efforts are carried out, the malware survives the cleanup. Several banks, for example, fell prey to this approach: the attackers quietly withdrew funds little by little over many months from various accounts, never quite enough to draw attention but amounting to millions over time.
“Follow every last piece of evidence you have until you are certain that you have uncovered all of the attackers, and clearly identified the hosts they have compromised and understood the tactics and tools used against you,” says Scott Crane, director of product management for Arbor Networks. “This analysis can be time consuming, but it is the best way to learn from an incident and ensure you are properly prepared to deal with the next one.”
Drew Robb is a freelance writer based in Florida.