Enterprise systems (e.g., a network of computers) rely on a perimeter security approach that identifies specific patterns associated with malware (e.g., virus signatures). However, modern enterprise systems no longer have easily definable perimeters, owing to the adoption of cloud infrastructure and partnering, wherein part of the enterprise network (e.g., data storage) is hosted by a third party (e.g., a data storage warehouse). The rapid evolution of malware also outpaces the ability to define and distribute the signatures used to identify and protect against it.
Further, enterprise policy often allows bring your own device (BYOD), where an employee brings a personal device to work and connects it to the enterprise network. Thus devices outside the control of enterprise policy and protection, if only temporarily, connect to the enterprise network and give an intruder a way to compromise the enterprise system. For example, an employee may use a company laptop while away from the office and connect to the Internet through a public Wi-Fi hotspot, where an intruder gains access to the laptop. When the employee later returns to the office and connects the laptop to the enterprise network, the intruder gains access to the enterprise system from the inside.
Attacks on enterprise systems are thus often perpetrated by apparent “insiders”. An employee may be unaware that a device is compromised, as the device itself may show no signs of compromise. Once connected to the enterprise network, however, the malware on the device has access to, and may thereby compromise, other components of the enterprise network, particularly since it is connected inside the perimeter defenses.
Most cyberdefense solutions operate at the perimeter of the enterprise network: firewalls, virus scanners and intrusion detection systems all sit between incoming data and the enterprise.
But what if the threat is already inside the enterprise? A BYOD smartphone infected at a coffee shop and then connected to the enterprise Wi-Fi network; a laptop infected over in-flight Wi-Fi and then reattached to the enterprise wired network. These threats appear to originate within the enterprise and appear to come from valid users.
These perimeter defense systems work by examining incoming data for the signatures of known threats. This leaves them vulnerable to the “zero-day” problem: how do you identify a threat for which you do not yet have a signature?
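To make the signature limitation concrete, the following is an added example (not code from the original page) of the two signature styles a perimeter scanner typically carries, a file hash and a literal byte pattern, applied to a constructed sample and to a variant that differs from it by a single byte. It also shows a broader content rule keyed on what the sample does (contacting a beaconing URL) rather than on the bytes of one sample: it catches the variant, but it also fires on a benign string, which is the false-positive cost of generalising. The byte strings, signature names and rules are all constructed for the demo and are not real malware indicators.

```python
import hashlib
import re

# Constructed byte strings standing in for a captured file; not real malware.
KNOWN_SAMPLE = b"MZ\x90\x00" + b"dropper-v1" + b"\x00" * 8 + b"http://c2.example/beacon"
VARIANT = KNOWN_SAMPLE.replace(b"dropper-v1", b"dropper-v2")  # one byte differs

# Signatures derived *after* KNOWN_SAMPLE was first seen, as a vendor would ship them.
HASH_SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Demo.Dropper.A"}
PATTERN_SIGNATURES = [(re.compile(rb"dropper-v1"), "Demo.Dropper.A")]


def scan_by_hash(data: bytes):
    """Exact-match signature: any change anywhere in the file defeats it."""
    return HASH_SIGNATURES.get(hashlib.sha256(data).hexdigest())


def scan_by_pattern(data: bytes):
    """Byte-pattern signature: survives unrelated edits, not edits inside the pattern."""
    for pat, name in PATTERN_SIGNATURES:
        if pat.search(data):
            return name
    return None


def signature_scan(data: bytes):
    """What a signature-only perimeter scanner reports: a name, or None (unknown)."""
    return scan_by_hash(data) or scan_by_pattern(data)


# A broader rule that describes a capability (a beaconing URL) instead of one sample.
# Hypothetical rule for the demo; it trades the zero-day gap for false positives.
GENERIC_RULES = [(re.compile(rb"https?://[^\x00\s]+/beacon"), "Generic.Beacon")]


def generic_scan(data: bytes):
    for pat, name in GENERIC_RULES:
        if pat.search(data):
            return name
    return None


def demo():
    """Returns the verdicts side by side so the gap between the two approaches is visible."""
    benign = b"docs: see http://intranet.example/beacon-setup"  # constructed benign text
    return {
        "known_by_signature": signature_scan(KNOWN_SAMPLE),   # detected
        "variant_by_signature": signature_scan(VARIANT),      # None: the zero-day gap
        "variant_by_generic": generic_scan(VARIANT),          # caught by the broader rule
        "benign_by_generic": generic_scan(benign),            # false positive
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The one-byte variant is invisible to both signature styles until someone captures it and ships a new signature, which is the distribution lag the text describes. The generic rule closes that gap for this family at the price of flagging the benign intranet link; in practice a scanner needs both kinds of rule plus a way to review the false positives.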
Compliance Enforcement
Numerous regulations and industry standards govern how an enterprise must handle valuable, confidential and/or personal information about its employees or customers. HIPAA, PCI DSS, ISO 17799 (since renumbered ISO/IEC 27002) and others not only specify privacy requirements and security controls, they also lay out penalties for organizations that fail to comply. Many of these penalties are assessed per violation rather than per breach, so a single breach exposing many records can amount to thousands of violations.
One approach to enforcing such regulations is to define responsibilities and access for specific employees. These employees are allowed to access protected data, typically with tight restrictions on which data they may access, how much they may access at one time, and where they may access it from, such as only from an encrypted workstation on enterprise premises. These users are kept separate from the administrator responsible for maintaining the database in which the protected data is stored. This separation of duties means that more than one person is required to modify protected data.
The tools for enforcing these policies are typically limited in capability and disconnected from one another. Lists of employees, their access rights and their allowed endpoints quickly fall out of date as employees leave, arrive, change roles and upgrade hardware. Expediency often results in employees accumulating more access than is desirable. An external audit of policy compliance would find no coherent way to verify that the stated policies are actually being adhered to.
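The two preceding paragraphs describe a policy (role-scoped access, a record cap per request, on-premises encrypted endpoints only, and dual control for modifications, with the database administrator kept out of the data) and then the way such policies drift once the roster, the entitlement list and the endpoint inventory stop agreeing. The following added example (not code from the original page) implements that policy as a small authorization check and then runs the kind of access review an auditor would want: it reconciles a constructed entitlement list against the HR roster and endpoint inventory and reports grants held by departed users, grants for a role the person no longer holds, and grants to endpoints no longer in inventory. All names, roles, endpoints and the data structures are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional, Tuple, List

# Constructed HR roster: user -> (current role, still employed?)
ROSTER = {
    "alice": ("records_clerk", True),
    "bob":   ("dba", True),
    "carol": ("records_clerk", False),   # left the company
    "dave":  ("helpdesk", True),         # moved from records_clerk to helpdesk
}

# Constructed endpoint inventory: only encrypted on-premises workstations may touch the data.
ENDPOINTS = {
    "ws-101": {"on_prem": True, "encrypted": True},
    "lt-207": {"on_prem": False, "encrypted": True},   # laptop used off-site
}

# Role policy for the protected data set. The DBA maintains the database but
# holds no "read" right: separation of duties between data users and the admin.
POLICY = {
    "records_clerk": {"actions": {"read"}, "max_records": 25},
    "dba":           {"actions": {"maintain"}, "max_records": 0},
    "helpdesk":      {"actions": set(), "max_records": 0},
}

# Constructed entitlement list as an access-control system would hold it.
# It has drifted from ROSTER and ENDPOINTS, which is what the review must catch.
GRANTS = [
    {"user": "alice", "role": "records_clerk", "endpoint": "ws-101"},
    {"user": "carol", "role": "records_clerk", "endpoint": "ws-101"},  # departed
    {"user": "dave",  "role": "records_clerk", "endpoint": "ws-101"},  # stale role
    {"user": "alice", "role": "records_clerk", "endpoint": "ws-099"},  # retired workstation
    {"user": "bob",   "role": "dba", "endpoint": "ws-101"},
]


@dataclass
class Request:
    user: str
    action: str            # "read", "modify" or "maintain"
    records: int           # records touched by this request
    endpoint: str
    approver: Optional[str] = None   # second person, required for "modify"


def authorize(req: Request) -> Tuple[bool, str]:
    """Evaluate one request against the roster, endpoint inventory and role policy."""
    entry = ROSTER.get(req.user)
    if entry is None or not entry[1]:
        return False, "unknown or inactive user"
    role = entry[0]
    ep = ENDPOINTS.get(req.endpoint)
    if ep is None or not (ep["on_prem"] and ep["encrypted"]):
        return False, "endpoint is not an encrypted on-premises workstation"
    rules = POLICY[role]
    if req.action == "modify":
        # Dual control: requester must hold a data role, approver must be a
        # different, active person in a different role (so the DBA alone cannot
        # edit data, and a clerk cannot approve their own change).
        if "read" not in rules["actions"]:
            return False, "role may not touch protected data"
        appr = ROSTER.get(req.approver) if req.approver else None
        if req.approver == req.user or appr is None or not appr[1] or appr[0] == role:
            return False, "modification needs a second, distinct-role approver"
        return True, "modify approved under dual control"
    if req.action not in rules["actions"]:
        return False, f"role {role} may not {req.action}"
    if req.records > rules["max_records"]:
        return False, f"request exceeds {rules['max_records']} records"
    return True, "allowed"


def access_review(grants=GRANTS) -> List[Tuple[str, str]]:
    """Reconcile the entitlement list with the roster and inventory; return findings."""
    findings = []
    for g in grants:
        entry = ROSTER.get(g["user"])
        if entry is None or not entry[1]:
            findings.append((g["user"], "grant held by departed user"))
        elif entry[0] != g["role"]:
            findings.append((g["user"], f"grant for role {g['role']} but current role is {entry[0]}"))
        if g["endpoint"] not in ENDPOINTS:
            findings.append((g["user"], f"grant to endpoint {g['endpoint']} not in inventory"))
    return findings


if __name__ == "__main__":
    print(authorize(Request("alice", "read", 10, "ws-101")))
    print(authorize(Request("bob", "read", 1, "ws-101")))       # admin cannot read data
    print(authorize(Request("alice", "modify", 1, "ws-101", approver="bob")))
    for user, finding in access_review():
        print(f"{user}: {finding}")
```

The authorization check is only as good as the roster and inventory it consults, which is why the review function exists: run on a schedule against the live entitlement list, it turns the vague "lists fall out of date" problem into a concrete, auditable list of grants to revoke.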