The old mindset of “see intruder, catch them” comes from the early days of physical security. In those days you had walls, guards, cameras, etc. to watch whatever you were guarding, and when someone broke in you brought the house down on their heads. The problem is that eventually this becomes counterproductive. You can only have so many people watching the house before they get in each other’s way (not to mention that the more cameras you add, the more people you need to monitor them). Eventually this methodology was abandoned by many museums and banks. Instead of fighting to keep people out, they found a way to keep them in. This newer approach is called containment security: the bad guys can get in, but once they grab the loot the doors lock and the bars come down. The would-be thieves are stuck until the police arrive and collect them.
The IT world is now catching up to the physical security world. Anti-malware developers and security firms are beginning to understand that there are simply too many things to watch for this approach to be effective. The old school of using firewalls, anti-virus software, IPS and more to keep the bad guys out has become an administrative nightmare. Companies like Symantec, Barracuda, Microsoft, McAfee and others have to review current threat information and push out updates (sometimes several in a day) just to stay two steps behind what the bad guys are doing. To say this leaves most companies vulnerable is a gross understatement.
The new trend will be to develop systems that still provide protection from common vulnerabilities and intrusion attempts, but also look to stop any intruders that get inside. It follows the same concept as containment security in the physical world: let the bad guys get in and get what they want, then bring the gates down on them to lock them inside. After all, what good is a breach if you cannot get the data back out the door? This new mindset represents a huge shift in the way we think about IT security. It assumes a breach is inevitable and focuses on how to keep your data safe when that inevitable event happens. This new charge is being led by Symantec publicly, although we have had conversations with other companies that are also looking at containment as a better option for protecting vital data.
The details on how this form of security will work are still not clear, but it could be as simple as monitoring outbound traffic for suspicious patterns or blocking traffic from certain systems to the outside world by default and only allowing communication with a list of safe servers. These are things that many in the IT security world already do, but an extension of this would be to push this type of system to client PCs in a network to prevent them from being used as a vector for attack.
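As an added illustration of the default-deny egress idea above (example code written for this page, not from Symantec or any product the article mentions): each client PC may only reach a short allowlist of approved servers, and any outbound connection to anything else is flagged, with large transfers to unapproved hosts marked separately as possible exfiltration. The log format, addresses, ports and volume threshold are all constructed for the example.

```python
"""Egress allowlist check run over constructed outbound-connection log lines."""
import ipaddress
from dataclasses import dataclass

# Constructed allowlist: destination networks and ports client PCs may reach.
ALLOWED_EGRESS = [
    (ipaddress.ip_network("10.0.5.0/24"), {443, 445}),  # internal file/web servers
    (ipaddress.ip_network("203.0.113.10/32"), {443}),   # the update server
]
EXFIL_BYTES = 5_000_000  # outbound volume to an unapproved host that merits an alert


@dataclass
class Finding:
    src: str
    dst: str
    port: int
    bytes_out: int
    reason: str


def is_allowed(dst: str, port: int) -> bool:
    """True when the destination/port pair is on the egress allowlist."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net and port in ports for net, ports in ALLOWED_EGRESS)


def check_egress(log_lines):
    """Parse 'src dst port bytes' lines; return a Finding per policy violation."""
    findings = []
    for line in log_lines:
        src, dst, port, size = line.split()
        port, size = int(port), int(size)
        if is_allowed(dst, port):
            continue  # approved destination: the client is allowed to talk to it
        reason = "exfil-volume" if size >= EXFIL_BYTES else "unapproved-destination"
        findings.append(Finding(src, dst, port, size, reason))
    return findings


# Constructed sample log: one client talking to approved servers, then elsewhere.
SAMPLE_LOG = [
    "pc-17 10.0.5.20 443 12000",
    "pc-17 203.0.113.10 443 850000",
    "pc-17 198.51.100.77 443 140000",    # unknown host, small transfer
    "pc-17 198.51.100.77 8443 9000000",  # unknown host, large transfer
]

if __name__ == "__main__":
    for f in check_egress(SAMPLE_LOG):
        print(f"{f.src} -> {f.dst}:{f.port} {f.bytes_out}B [{f.reason}]")
```

In a real deployment the allowlist would come from the firewall or proxy policy and the findings would feed an alert or a block rule, which is the "bars come down" step the article describes.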
Although this new security mindset will help mitigate issues from unpatched software and networks, it does not completely remove the responsibility of the IT guys for keeping things up to date. All it really does is help slow and stop problems that arise from zero-day exploits that seem to pop up all too often. Sadly there are still times when even this type of security will not protect a business and it would more than likely not have helped Target at all. Still, every little bit helps and it will certainly be very interesting to see exactly how IT containment security is implemented.