Imagine your home as your network and its walls as your perimeter. What you do inside those walls is private, but what you do outside them, everyone can see.
Now imagine if the doors and windows of your house were constantly changing, with more being added and others being removed. Few would dispute that it's better to know ahead of time that you're getting a new front door installed than to be told only after someone has installed the door and used it to enter and take your most prized possessions.
More endpoints are being added to networks faster than ever before.
The truth is, as more data and technologies move to the cloud and more and different types of devices become connected to the Internet and each other, more endpoints are being added to a company's perimeter. For hackers, more endpoints mean more doors and windows to open and exploit.
Cybercriminals are scanning and attacking on a continuous basis. Vulnerable machines can be exploited within hours. Zero-days and phishing scams can expose an organization's data in an instant.
Attackers work from the sanctuary of the cloud and have automated their processes - and so too must those whom they attack.
Once your perimeter is breached, it's very difficult to mitigate the impact, particularly as hackers drop malware in all sorts of hidden places on your network that can remain dormant for any given period of time. Thus, with organizations increasingly expanding network perimeters globally, adopting a continuous security program is critical.
Organizations' perimeters today are very distributed, complex and highly dynamic. There are often various operations teams managing firewalls, load balancers, systems, applications and databases, making frequent changes to a network environment independent of one another.
Perimeter scanning and response to unintentional security holes created by these changes is often event-driven and only performed at designated times, rather than on a continuous, always-on basis. This presents a significant opportunity for cybercriminals to exploit newly introduced vulnerabilities and infiltrate corporate networks in between scans.
Historically, vulnerability management was all about listing and reporting potential network threats. Scans were typically conducted once a year. A report was likely sent to executives within the organization, and security teams had to manually choose to correct issues and conduct a follow-up scan.
With an increase in breaches and attacks over the years, many organizations pivoted, with security teams running scans serially and vulnerability reports showing up weekly, monthly or even daily. But like most internal reporting, as the cycles repeat and reports continue to roll in, eventually teams can overlook glaring threats.
A continuous security model shifts the data from point-in-time reports to change-detection alerts. This model can react to your fluid perimeter, and it puts you ahead of the hackers that already operate continuously. A continuous model also arms your operations team with the power to act.
Planning for Timely Action
A successful continuous security program is one where:
- The security team has defined its perimeter.
- There is a focus on implementing, auditing and improving high-priority controls.
- Automation is key - with event types and filters in place for real-time alerts.
- The security staff's time is maximized and everyone knows their role.
- Data analytics are used to identify and alert the right staff at the right time.
- The priority remains on controlling and remediating those threats that will harm your network most.
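The shift from point-in-time reports to change-detection alerts, with event types and severity filters, can be sketched as follows. This is an added example, not from the original article; the snapshot format, event names, severity rules and high-risk port list are assumptions, and the scan data is constructed.

```python
from dataclasses import dataclass

# Constructed snapshots: (host, port) -> service banner seen from outside.
# Addresses are from the RFC 5737 documentation range.
SCAN_MONDAY = {
    ("203.0.113.10", 22): "OpenSSH 8.2",
    ("203.0.113.10", 443): "nginx 1.18",
    ("203.0.113.20", 25): "Postfix",
}
SCAN_TUESDAY = {
    ("203.0.113.10", 443): "nginx 1.24",      # banner changed
    ("203.0.113.20", 25): "Postfix",          # unchanged, so no event
    ("203.0.113.20", 8080): "http-proxy",     # new port on a known host
    ("203.0.113.30", 3389): "ms-wbt-server",  # new host, high-risk port
}
HIGH_RISK_PORTS = {23, 445, 3389}  # assumed escalation filter
RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}

@dataclass(frozen=True)
class Event:
    kind: str      # PORT_OPENED, PORT_CLOSED or SERVICE_CHANGED
    host: str
    port: int
    detail: str
    severity: str

def diff_snapshots(old, new):
    """Emit one event per perimeter change; unchanged services emit nothing."""
    events, known_hosts = [], {host for host, _ in old}
    for (host, port), banner in sorted(new.items()):
        if (host, port) not in old:
            risky = port in HIGH_RISK_PORTS or host not in known_hosts
            events.append(Event("PORT_OPENED", host, port, banner, "high" if risky else "medium"))
        elif old[(host, port)] != banner:
            events.append(Event("SERVICE_CHANGED", host, port, f"{old[(host, port)]} -> {banner}", "low"))
    for (host, port), banner in sorted(old.items()):
        if (host, port) not in new:
            events.append(Event("PORT_CLOSED", host, port, banner, "info"))
    return events

def alerts(events, min_severity="medium"):
    """Filter so staff are notified only at or above the chosen severity."""
    return [e for e in events if RANK[e.severity] >= RANK[min_severity]]

if __name__ == "__main__":
    for event in alerts(diff_snapshots(SCAN_MONDAY, SCAN_TUESDAY)):
        print(event)
```

Run against each new scan, this produces output only when the perimeter changes, so a week of identical scans produces no alerts at all.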
Ultimately, your security and IT audit teams should have tools and processes at least as good as your attackers. With constant assessment, comprehensive analysis and a plan for timely action in place, your continuous security program will be well primed for ensuring you're able to lock down your perimeters and close the doors on the hackers.
Jonathan Trull is the chief information security officer of Qualys and former CISO for Colorado state government.