Traditional Security Models are Dead

Robert Mueller, former Director of the FBI, has said of security that “there are only two types of companies: those that have been hacked, and those that will be”. From Home Depot and Target to Skype and Neiman Marcus, it often seems as if nobody is safe any more. What’s worse is that most of these attacks have come from within the security perimeter and were undetected for long periods of time, leaving the attackers plenty of time to do what they came to do.

According to a Mandiant M-Trends report from 2012 and 2013, the median length of time an attacker went undetected in a system after compromise was 243 days with an average of 43 systems accessed. What’s worse is that in 100% of those cases valid credentials were used to access the system, and 63% of victims were notified of the breach by an external entity. Those are certainly not promising statistics for those of us trying to manage IT operations for a large enterprise. It’s even worse for smaller companies who can’t staff quality security personnel.

While some companies might believe they are immune, or not a high value target based on any number of factors, they couldn’t be more wrong. Hackers these days are not the script-kiddies of the last 20 years, but rather nation states or organized collectives with a variety of motivations. Sometimes the attackers are looking for money and target credit cards, other times they are looking for identities—social security numbers tied to names and addresses—with which they can take a more advanced and longer term view of the value of their attack.

The other threat that a lot of companies fail to plan for, however, is reputation damage. Even if you have nothing of value that a hacker might want access to, you likely have a brand value that can be severely and systemically damaged. Consider the most recent attacks against Yahoo, Sony Corporate, and both the Playstation and Xbox networks. These attacks may not cause direct financial damage, but the lasting brand damage can cost millions more.

Given this current state of security, I’m curious what you do to secure your network and monitor for advanced persistent threats against your infrastructure. Are you relying on logging and firewalls alone, or have you moved into a more advanced monitoring model?