New Year, New Security Posture: Top Defenses for 2016
In this three-part series, we investigate how forward-looking technology teams are working to thwart 2016’s greatest security threats.
Below-the-OS attacks and detection evasion tricks are on the rise, according to McAfee Labs' threat predictions for 2016-2020. The increasingly diverse and abundant array of devices and platforms gives organizations a growing number of windows of vulnerability. However, the vast majority of attacks today are Web-based.
Verizon's 2015 Data Breach Investigations Report found that 90 to 95 percent of last year's attacks involved hackers attacking Web servers and corporate networks by manipulating online forms.
The Web-based intrusion boom is likely to continue through 2016, prompting security specialists to up the defense of their external-facing systems.
2016's heavy-hitters for maintaining strong defense
Following are three forward-looking approaches that are expected to gain even more traction in the next 12 months:
1. Multi-factor authentication: With 200 billion connected devices and counting in the forecast for 2020, it is becoming more critical to identify users before allowing them access to systems.
The traditional approach was to give users a physical asset, like a passcode fob, to generate a code for accessing a system. Now, new forms of authentication are available, from software tokens on a PC to a text message or an email that requires a response, to specialized applications that perform security checks.
Of course, laborious, time-consuming security protocols prevent users from being productive and can cause frustration. Fortunately, many end-users are already conditioned to the two-factor authentication adopted by Twitter, Apple, and Amazon, as well as the Microsoft Azure cloud platform.
2. Vulnerability management: With an institutionalized process of automated systemic scanning, organizations can go a lot further than Microsoft's "Patch Tuesday" distribution of software security patches (although Verizon reports that 70 percent of hacks could have been prevented if users had installed all available security patches).
A better approach is to use an installed or on-demand automated scanning tool to perform detailed internal and external scans across network devices, services, Web applications, databases, and other assets in on-premises and cloud environments. Running these scans on a regular, repeatable schedule identifies vulnerabilities as soon as possible and helps track the progress made by applying patches.
3. Advanced endpoint security (AES): According to Verizon's key findings infographic, 38 percent of the attacks analyzed last year compromised systems within a matter of seconds—but took days to contain.
Innovative new methods are emerging to support AES as the field advances. For example, Cisco's FireAMP solution uses the cloud to analyze files faster. Bit9 imposes restrictions on processes running on endpoints. Palo Alto Networks Traps looks to identify typical attack techniques, mostly by monitoring memory space, to determine if malicious activity is happening.
Organizations can also consider Microsoft’s endpoint protection and signature-based antivirus programs, available as free value-adds for a base level of licenses.
The time is ripe for advancing security posture
It's little wonder organizations are seeking to advance security, not only to protect organization stakeholders, but also to maintain regulatory compliance and mitigate the risks of significant financial losses and reputational damage. Verizon research found that data breach costs range anywhere from 9 cents to $254 per record, with an average cost of 58 cents per record. When millions of records are compromised, the costs add up quickly.
How are real-world companies incorporating these new measures into their defense strategies? Next up in the series, we'll explore examples of companies that are thwarting specific kinds of security risks.
Cisco sponsored the development of this security series.