Perimeter Security is Woefully Out of Date

December 16th, 2014

Investment in best-of-breed corporate IT security technologies is significantly higher than in any previous year, yet corporate executives are asking why high-profile security breaches are growing in frequency and ferocity.

To adequately answer that question, one need only review the data. Consider, for example, the recently published Verizon 2014 Data Breach Investigations Report on high-profile security breaches. The report found that for 95% of all breaches, readily available evidence existed in an organization’s logs that it had been breached or was in the process of being breached.

More importantly, the same report also found that:

  • The “time to compromise” is shortening because advanced persistent threats (APTs) are succeeding at infiltration
  • The “time to discovery” once a network has been compromised is increasing because APTs are designed to evade detection
  • The majority of breaches were discovered by a third party or law enforcement, not by the actual organization that was breached
  • Many organizations were deemed to be compliant with the Payment Card Industry (PCI) Data Security Standard (DSS)
  • Less than 10% of these organizations actually discovered the breach on their own

These are shocking statistics, especially when you consider that IT security budgets rose 7.9 percent and global IT security spending climbed to a total of $71.1 billion in 2014. With continuously evolving attack profiles and too many disparate security applications and appliances requiring updates on a daily basis, it’s virtually impossible for IT administrators to stay ahead of the curve. The best-of-breed approach to network security has some common flaws, and these are the underlying causes of recent high-profile security breaches.

A False Sense of Security

Postmortem analysis by Verizon Business investigators of the underlying causes for a security breach found that:

“Either the technology employed, processes in place, or dereliction of duty, though unintended, were often the main causes.”

These findings are understandable given the current state of network security, where corporate IT security teams are challenged to implement a network security posture by cobbling together discrete security appliances and applications from a myriad of competing security companies. Such products focus on specific aspects of network security, leaving the IT department responsible for selecting, integrating, managing and monitoring them, and for correlating discrete security events, alerts, logs and reports into actionable security threats.

To better understand the underlying reasons for these challenges, let’s take a closer look at the typical approach organizations take to secure their enterprise.

Most organizations focus on 4 main areas of network security:

  1. Perimeter defenses (firewalls, intrusion prevention devices, etc.)
  2. Log Management
  3. Vulnerability Management
  4. Endpoint security

On the surface, a focus on these four defense disciplines seems to be a reasonable approach to securing an organization’s network. After all, most highly respected data security standards (PCI, SOX, HIPAA, NERC CIP, NCUA, FISMA or SANS, etc.) require these four basic functions in their directives.

However, a closer examination reveals some serious deficiencies. We’ll examine the limitations of these point solutions in our ongoing series on the state of enterprise security.

Craig D'Abreo

Craig oversees the Managed Security, Threat Intelligence and Security Professional Services departments at Masergy. He is responsible for Masergy’s proactive enterprise cybersecurity threat management and operations program. Craig holds a bachelor’s degree in Computer Science and an MBA in Information Security. He is a Certified Information Security Systems Professional (CISSP) with over a decade of experience in the security industry and holds various network security certifications. He has written on various security blogs, spoken on a range of industry panels and is a recognized thought leader in the cybersecurity space.