Enterprise networks are vulnerable to a wide variety of attacks ranging from data leaks to the spread of malware to insider threats. Because enterprise networks often contain sensitive or valuable information, companies try to deploy a large number of software tools to secure them. But despite the deployment of expensive software and hardware tools systems still remain highly vulnerable.
Firewalls are Only Partial Solution
While vendors promote their firewalls as a reliable solution to most of the enterprise security problems, the experience has taught that firewalls are unable to deal with many threats since configuration errors can always leave a door open for hackers to enter the network. Many polymorphic viruses are hard to be caught by any firewall software since analyzing polymorphic viruses is not possible by simple packet scans that most firewalls rely on.
Firewalls have some other limitations as well. Firewalls are essentially access control systems with limited intelligence to pro-actively act on yet undefined threats. Restrictive access control policies result in people opening temporary backdoors for accessing certain servers and resources. People often forget to close the backdoor leaving hackers to enter the network with ease.
IDS / IPS / SIEM Have Limitations Too
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) Systems have become an essential tool in the detection and prevention of the systems and companies have invested millions of dollars in planning them. Besides some minor differences in features and management consoles, most commercial IPS and IDS systems work similarly. IDS is a passive system in which a data sensor detects a potential security breach, logs the information and signals an alert on the console, or the owner. IPS systems can act on the detection of the suspicious activity by taking necessary actions such as resetting a connection or reconfiguring the firewalls to block the traffic from the suspected malicious source.
IDS and IPS can also be bypassed either due to human behavior or by using some clever hacking techniques. These techniques vary from avoiding known pattern replications to fragmentation of attack signatures. Another problem with IDS/IPS system is false positives which impacts operational inefficiencies since someone need to examine the logs and interpret them in a meaningful ways.
Some vendors have combined their IDS/IPS with security event information management (SIEM) products. The use of these tools is not easy, and managing them on daily basis requires additional security resources. Hence, the benefits they provide are lost if the systems are run unattended.
Data Loss Prevention Tools Have a Role to Play
Data loss/leak Prevention (DLP) systems are increasingly being deployed by the organizations that deal with critical financial information. A DLP system is designed to detect potential data breach / data ex-filtration transmissions and prevent them by monitoring, detecting and blocking sensitive data while in-use (endpoint actions), in-motion (network traffic), and at-rest (data storage).
Most DLP systems do well inadvertent transfer of critical data to outside of the enterprise. But, rules can fail to capture the data being transmitted and encrypted data can just flow through the DLPs. Most DLPs use pattern matching or statistical algorithms to filter the outbound data. With this approach, DLP systems are usually not able to distinguish between individual data items and are thus not able to identify flows of sensitive data if they are encrypted, compressed, or otherwise obfuscated
DLP systems can be useful to an extent but it is important to understand that bypassing the DLP restrictions is easy. A simple way to bypass DLP restrictions is to print and copy/scan or take a photo of the documents.
Dealing with Software Vulnerabilities is Hard
Enterprises run a large amount of software to manage their business processes. Most, if not all, this software is often bought from third party vendors with no access to source code. Therefore, there is an implied trust that the vendor code is trust worthy.
Unfortunately, it is nearly impossible to prove absence of bugs in any software. Some of these bugs can have security implications making system vulnerable to all kinds of attacks.
Software vulnerabilities can be for a variety to reasons. For example, software can be badly designed, it is poorly coded or it is poorly configured on the system. Regardless of the reasons, a vulnerable software system can be exploited by attackers and the system could be compromised, the attacker might take control of the system to damage it, to launch new attacks or obtain some privileged information that he can use for his own benefit.
The one solution is to rely on vendors that have good secure system design practices or the system that has some known history of dealing with the security threats. Other solution is to layer the operational software with other security tools and software.
So What Can you Do?
In short, it is important to analyze your security requirements and then deploy tools that best fit your work environment. You don’t need to get the most expensive software or hardware devices but the right kind of software.
Fortunately, you can build a strong security moat around your enterprises using free to use open source software. However, you will need knowledgeable persons to select and deploy them properly.