For more than 600 years, castles were the enterprise networks of Europe. They protected both people and assets against external threats, ensuring that business and administration of local affairs could be conducted safely. They lasted through centuries of conflict for a simple reason: they were effective at reducing risk, limiting the ways that they and their inhabitants could be attacked.
Their protection was based on minimising the castle’s potential attack surface: blocking easy access to the interior using heavily-fortified outer walls which repelled slings and arrows; and a moat and bridge, which funnelled all traffic to a single, well-defended gateway. This gateway was used to control ingress and egress, to filter out attackers as well as identifying the true purpose of unknown visitors before granting access to the interior; and that security principle is just as valid today as it was back then: keep out what you know to be bad, and be suspicious of those you don’t normally do business with.
The problem is, the advantages of the Web have blinded us to the simplicity of this approach. We open our enterprise networks to the entire internet, enabling connections from known malware hosts, botnet farms and areas of the Web where our organisations are unlikely ever to do business.
We can’t go on like this – as the spate of recent, well-publicised attacks against high-profile companies has shown. So let’s take a closer look at how this key medieval security principle can still be applied to today’s network infrastructures, to deliver more effective and more efficient security.
Open for Business – or to Attack?
Castle designers were the CSOs of their day, and made it easy to repel attackers with armored walls that could withstand the heaviest weaponry, and by having just one route into the castle interior backed with an array of defences. So why do organisations today allow connections to their networks from virtually anywhere on the Web? Where there’s a touch point between any internet host and a host on a company’s internal network, there’s a possibility of unwanted intrusion, inadvertently downloading malware, or of data leakage.
The problem is that we’ve been seduced by the openness of the internet. But there is a vast number of sites out there that shouldn’t be connected to, because they distribute malware, are the source of phishing attacks, control botnets, or have been hijacked for malicious purposes. There are also countries or geographic regions globally where your organisation does not currently do business – and so it’s likely that traffic from hosts in these regions may be suspicious.
At best, allowing connections from these IP addresses to your network – or allowing connections to them from within your network – creates a flood of alerts from existing security systems, creating unnecessary work for IT and security teams. At worst, it risks an attack or breach.
Shrinking the Attack Surface
So why not follow the lead of castle designers, and reduce your network’s exposure to the internet by shrinking its attack surface? By simply blocking the IP addresses – not URLs, but the unique IPs – that are known to host malware or to originate attacks, using a dedicated appliance, it’s possible to dramatically reduce your risk of being successfully targeted.
To give a couple of examples, 26% of global web application attacks originate from the BRIC countries. Also, 18% of all DDoS attacks come from Chinese IP addresses; and Russia, Ukraine, Pakistan, China, and Turkey are five of the top ten botnet command and control countries. If an organisation has no trading relationships in these countries, why support connections from IP addresses there? Simply blocking those addresses at network speeds cuts the likelihood of being the victim of a DDoS attack, or of inadvertently downloading malware such as APTs and bots.
This has the additional benefit of enabling organisations’ existing security infrastructure, and its IT teams, to function more efficiently. A typical enterprise receives around 17,000 malware alerts per week, and spends $1.27 million (£850,000) annually tracking down false positive alerts. By blocking known bad IP addresses, the numbers of alerts and false positives can be cut by 30% or more. It frees up the resources of IT teams, reduces the load on existing security solutions such as next-generation firewalls, antivirus, sandboxes and DLP, and boosts the ability to identify and respond to targeted attacks.
If the appliance is backed up by self-learning capabilities, to automate blocking of IP addresses harbouring malicious content, and by real-time intelligence on bad IP addresses, organisations can have policy-driven control over the exact size of their network’s attack surface, according to their needs – enabling them to keep out unknown, unwanted visitors.
When it comes to protecting critical assets, not much has changed since medieval times: keep out the known bad guys, be suspicious of those you don’t know, and make it easy to identify those you do trust. IP address blocking and management helps you achieve these simple objectives, further armoring your organization’s castle walls.