If there is an active intruder in your network, you would likely not know. Like most organizations, you would be in the dark.
It is entirely possible that months or even years ago, an outsider gained access to the network and quietly began to explore it and expand their area of control. Over the first weeks and months, the attacker gained access to all the servers and began looking for files that might have value.
They may have access to the email server, and it may provide abundant material suitable for extortion or other purposes. If some of these confidential emails become public or are provided to competitors, investors or other interested parties, the damage could be catastrophic.
In this instance, the attacker had not done anything with the assets. The attacker is quietly lingering, waiting for the right time to capitalize on their position.
Today the vast majority of enterprises have no effective means of detecting an active attacker on their network. Is someone lurking in your network? Your company probably has no idea.
Without a doubt, one of the most important new capabilities of enterprise security should be to detect an attacker early in the process, before theft or damage can occur. A parallel capability is also quite valuable—the ability to know whether the network is free from attackers. I call this security assurance.
With the costs and penalties of a data breach becoming increasingly expensive, enterprise executives and boards of directors should start demanding that their security heads provide regular reporting attesting that the network is safe from internal or external attackers. The question to ask should be: is there an active attacker currently on our network? The answer should be definitive and based on full visibility that detects attacker activity, namely the internal reconnaissance and lateral movement necessary to carry out an active attack.
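One concrete form the lateral-movement detection above can take, written as an added illustration rather than code from the original piece: a small detector that flags an account reaching an unusual number of distinct internal hosts from one source within a short window, and turns the result into the yes/no assurance answer the text asks for. The logon records, field layout, window and threshold are all constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of successful network logons (hypothetical layout:
# timestamp, account, source host, destination host). Not real data.
LOGONS = [
    ("2024-03-01T09:00:00", "alice", "ws-17", "file-01"),
    ("2024-03-01T09:05:00", "alice", "ws-17", "mail-01"),
    ("2024-03-01T02:10:00", "svc-backup", "ws-42", "db-01"),
    ("2024-03-01T02:11:00", "svc-backup", "ws-42", "db-02"),
    ("2024-03-01T02:12:00", "svc-backup", "ws-42", "file-01"),
    ("2024-03-01T02:13:00", "svc-backup", "ws-42", "mail-01"),
    ("2024-03-01T02:14:00", "svc-backup", "ws-42", "hr-01"),
    ("2024-03-01T14:00:00", "svc-backup", "bk-01", "db-01"),
]

def lateral_movement_findings(logons, window=timedelta(minutes=30), max_hosts=4):
    """Return (account, source) pairs that reach more than max_hosts distinct
    destinations inside any span of length `window`. Rapid fan-out from one
    source to many hosts is the pattern lateral movement leaves in logon data."""
    by_actor = defaultdict(list)
    for ts, account, src, dst in logons:
        by_actor[(account, src)].append((datetime.fromisoformat(ts), dst))
    findings = []
    for (account, src), events in by_actor.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # distinct hosts reached within `window` of this event
            hosts = {dst for t, dst in events[i:] if t - start <= window}
            if len(hosts) > max_hosts:
                findings.append({"account": account, "source": src,
                                 "hosts": sorted(hosts),
                                 "first_seen": start.isoformat()})
                break  # one finding per actor is enough for the report
    return findings

def assurance_report(logons):
    """The definitive answer the board is asking for, derived from the findings."""
    findings = lateral_movement_findings(logons)
    status = "ATTACKER ACTIVITY SUSPECTED" if findings else "NO LATERAL MOVEMENT DETECTED"
    return {"status": status, "findings": findings}

if __name__ == "__main__":
    print(assurance_report(LOGONS))
```

In the sample, the service account fanning out to five hosts in four minutes is reported while the ordinary user touching two servers is not; real deployments would tune the window and threshold per account type and feed in actual authentication logs.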
Soon, regulatory bodies will start penalizing organizations that have a data breach if they have not taken available precautions to protect the data. The General Data Protection Regulation (GDPR) describes the need to take appropriate steps to protect the data of EU citizens. Future litigation will likely revolve around this issue.
Did the organization employ the means to find an active attacker? Did they continually monitor for the presence of an attacker? Did executives and the board hold the security team accountable for detecting and shutting down attacks?
The ability to attest to a network being free from attackers should become a primary measure for security. Today, organizations often report on things like the number of end-user computers hit with malware that required help desk support, or the number of vulnerabilities found and addressed in network defenses. These are all fine, but a more meaningful metric would be a clear sign that the network is safe from a hidden intruder.
Customers and partners may start asking for this kind of certification. Large law firms already have to go through significant security reviews with their biggest clients. Companies that take credit card payments have to go through PCI reviews. Both types of review processes could greatly benefit from an attestation that the network is attacker-free, particularly since the implication is that if there were an attacker they would know about it and be able to defeat it.
As a first priority, companies need a new level of internal visibility that can precisely detect active attackers. Most enterprises lack this today, largely because they have not even considered it. In fact, many don’t even know about some of the most promising technologies.
At the same time, the procedures and strategies needed to make use of these new tools have generally not been developed. Adopting them does not mean giving up on preventative security, but it does mean shifting some budget and resources to add network attack detection.
By modernizing security, enterprises should gain the ability to defeat both internal and external attackers. The next priority is to start offering security assurance reporting to those accountable for the health and viability of the enterprise. Executives and boards need to ask the right questions, and security teams need to provide answers.