The internet has transformed the way we live our lives and the way business operates. It has transformed the communications of government and official organizations to the extent where its criticality is not in doubt. We have an open and global interconnected economy, and the trend is irreversible. The reliance on digital infrastructure to deliver our core business processes has presented significant risk, making vulnerable our most precious commodity: our data, intellectual property, reputation and increasingly our connected critical national infrastructure.
The past few years have seen an exponential rise in the number of cyber-attacks affecting the networks of businesses of all sizes, and in all sectors. No one is immune to the threat, and whilst the cost to economies is significant, the cost to individual businesses can be catastrophic. The UK's GCHQ reports that 1,000 cyber-attacks are performed every hour in Britain and 33,000 malicious emails blocked every month containing sophisticated malware. In the U.S., the number of cyber intrusions has increased by seventeen times, according to the chairman of the Joint Chiefs of Staff, General Martyn Dempsey.
The US Department of Homeland Security has revealed that twenty-three attacks have been carried out against companies connected to the US gas pipeline alone. The US Defense Science Board reported that hackers had gained access to over twenty-four major military systems, comprising top-secret information, including the designs of anti-ballistic missiles and fighter jets. 93% of large corporations and three quarters of small businesses in the UK are estimated to have had a cyber security breach in the past year. So pernicious has the threat become that, by the end of 2012, over half of European Union and NATO member nations had adopted a national cyber strategy.
The international press reports state-sponsored cyber-attacks represent a growing and significant threat, with countries looking to gain competitive commercial or political advantage through either stealing data, or compromising and disrupting key commercial, industrial and economic assets. Yet the threat to commercial companies is far broader than this. Malicious ‘insiders’ are difficult to detect through conventional methods, as they use legitimate and authorized access to networks to facilitate the theft of critical data and IP. Data loss through negligent behaviour (laptops lost, public devices left logged-on to host networks, etc.) remains a threat. In 2012, a major bank lost the details of over 250,000 customers, including names, addresses, dates of birth and Social Security numbers, when unencrypted back-up tapes were lost in transit. Increasing numbers of attacks are delivered against executives travelling to high-risk countries with little or no awareness of either the threat or behavioural mitigations.
Organizations today are faced with more complex data, in higher and higher volumes, and the commercially viable timescales that determine its use and value are getting shorter. Additionally, faced with a rapidly-changing technology base, business is having to engage with and integrate a wide range of increasingly disruptive technologies, such as mobile and cloud-based computing, BYOD (Bring Your Own Device), and a diverse range of social media tools and technologies, just to remain compatible with peers. These technologies must be integrated and offered to staff and customers in relatively short time-scales. The challenge that they represent requires a fundamental shift in traditional perceptions of information security. Organizations are critically dependent on the flow of data between disparate parts of their organizations, to a mobile workforce, and to customers who demand efficient IT services. As a consequence enterprise boundaries have become electronically porous, dynamic and ill-defined. The conventional IT security model that relies on strict border/gateway control, which is analogous to the historical physical defensive methods of moats and drawbridges to keep attackers out, has by universal consensus broken down. By this convention the IT security industry spends considerable effort trying to police the perimeters of the corporate network, and protect it from unauthorized access. The dominant instantiation of this paradigm has been the regular expression driven SIEM (Security Information and Event Management) and signature driven endpoint products in a proliferation of forms.
These forms including many which restrict users' access to the network according to a defined set of corporate security policies. The reality, however, is that many, if not all, large corporate networks are likely to have already been compromised, and that malicious actors, either external or insider, have actively been targeting data. Today's socially-engineered threats, Advanced Persistent Threats and insider attacks by definition cannot simply be locked out. Data now needs protecting in the wild and can no longer exist behind high walls.
Deterministic approaches to threat detection have therefore been taken. Such traditional deterministic approaches are reliant on the assumption that the difference between what is legitimate activity and what is illegitimate activity can be defined. An expanding set of corporate policy and rules have been written to identify client programs as either compliant or not compliant. However, such deterministic approaches require a vast amount of effort to be spent in constantly updating these rules and signatures, in an attempt to stay up to date with the changing threat environment. The definition of what is legitimate is based on what we know about past attacks. For each successful intrusion, a new rule is written, the signature is updated and the next time that same threat presents itself, access is denied or challenged. This method is effective in defending against known threats that have already been identified. However, it is incapable of responding to fresh threats that are constantly presenting either through minor adjustments to existing vectors or more significant evolution of attack methods. Consequently, current threat detection and prevention systems are still being compromised and are unable to keep out threats.
Furthermore, as the technical defenses that protect our data have become more sophisticated, attackers have increasingly turned their attention to the softest part of the network, the user. Socially-engineered attacks account for over 85% of espionage threat, and were the fastest-growing attack vector of 2012. Attackers use subtle and sophisticated methods to manipulate human users to unwittingly install attacks on their behalf, and traditional technical defenses are rendered impotent within a process where a legitimate user has decided to click on a link in a ‘weaponized’ email or visited a familiar yet now compromised website. These new forms of attack make the problem of detecting threats even harder.