Today’s cyber-attack campaigns require organizations to evolve from traditional, prevention-focused techniques to a more pragmatic posture that recognizes that attacks and breaches are inevitable. But while it’s received wisdom that organizations should determine which threats pose the most danger to their unique environments and then align resources to focus on the most relevant ones, that goal belies incredible complexity, given the ever-increasing volume of the available attack surface.
Looking to fill the breach, no pun intended, NSS Labs has announced the NSS Cyber Resiliency Center (CRC), a software-as-a-service (SaaS) offering to help enterprises manage cyber-risk. It’s targeted at CIOs and CISOs who are looking to evaluate their security posture, identify which threats target their specific applications and could bypass their particular security controls, and then plan and model a response.
The idea is to run “what if?” scenarios that model an environment’s deployed security layers to show which threats are able to exploit its attack surface, and then to virtually swap out different security products and/or desktop applications to assess which technologies best suit the organization’s varying risk tolerance and cost constraints.
The firm is pulling from its NSS Research & Testing data, which comprises a library of independent test results for leading security products as well as in-depth vendor, product and market research. It uses that empirical data on which threats will bypass security products from a wide variety of vendors so that clients can build a profile of their specific attack surface and then actively monitor which incoming threats are both targeting their deployed applications and can bypass the security systems currently in place.
“The NSS Cyber Resiliency Center is the first platform to provide enterprises with two key pieces of information: which systems and applications are being targeted by the adversary, and which of those attacks bypass my current security? Knowing the answers to those questions empowers an organization to plan and respond,” said Vikram Phatak, CEO at NSS Labs, in a statement. “Proactively understanding the capabilities of the adversary, understanding how breaches occur, and having a strong cyber resiliency program enables organizations to manage cyber risk in a way that has never before been possible.”
These kinds of tools are one piece of the risk-management puzzle, but it’s also necessary to evolve the organizational mindset from an outdated, prevention-only strategy to a cyber-risk management stance. Organizations need to plan for flexible network architectures that will allow dynamic re-provisioning of critical resources to isolate and replace infected portions of the network, according to NSS. Also, while it sounds counter-intuitive, organizations should shy away from remediating a breach immediately, the firm said. Instead, they should isolate the infected portion of the network and learn why the attack was successful while it is still underway, then redesign architecture to withstand similar attacks.
“Security controls should be viewed not as complete protection against attack, but rather as a means of maneuvering the adversary into attacking a target of the organization’s choosing, and also as a means of proactively managing the impact of network penetrations,” explained NSS’ Bob Walder and Chris Morales, in a blog.
During NSS’ 2013 network intrusion prevention system (IPS) group test, average security effectiveness (which factors in exploit block rate, anti-evasion capabilities, and stability/reliability) across the 10 products tested was 94%. During the 2013 next-generation firewall (NGFW) group test, eight out of nine products scored more than 90% for security effectiveness. The highest security effectiveness score in that test was 98.5%.
“However, it is not the 98.5% that is caught that is the issue, it is the 1.5% that is missed,” the researchers noted. “If even a small fraction of that same 1.5% of current threats is missed by the NGFW, IPS, and endpoint protection (EPP) system, then we have the beginnings of a breach.”