Identifying, Tracking Data Key to Fighting Cyberfraud

Identifying a company's most important data and monitoring traffic patterns for anomalies were described as key steps in defending organizations against evolving cyber-threats.

In the 2014 FEI Leadership Summit session, Real World Cyber Threats, Vernon Habersetzer, an Information Security Engineer with Wells Fargo, said effective information security depends not on a single technology or strategy, but on a layered approach that needs to be monitored continually as threat patterns change.

"You have to assume adversaries are inside, and watch your network to see what's going on," Habersetzer said. "The average time of detection is four to six months, which is scary because there can be a lot of damage to a company in four months."

Habersetzer urged attendees to implement an aggressive defense-in-depth strategy based on monitoring network traffic patterns and mapping data flows. For instance, network forensic software can monitor traffic to map which users and servers exchange data on a routine basis. If a server unexpectedly begins to send data internationally, that could indicate the server, or a user's laptop connected to it, has been compromised.
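A minimal version of the baseline-and-flag approach described above, as an added example (not code from the talk or from Wells Fargo): a learning window of flow records establishes which destination countries and data volumes each server normally produces, and later flows to a new country or far above the usual volume are flagged. The flow records, host names and the 10x volume threshold are constructed for illustration.

```python
from collections import defaultdict

# Constructed flow records: (timestamp, src_host, dst_ip, dst_country, bytes_out).
# "INTERNAL" marks destinations inside the organization's own address space.
BASELINE_FLOWS = [
    ("2014-05-01T09:00", "db-01", "10.0.2.15", "INTERNAL", 120_000),
    ("2014-05-01T09:05", "db-01", "10.0.2.16", "INTERNAL", 80_000),
    ("2014-05-01T10:00", "web-01", "198.51.100.7", "US", 45_000),
    ("2014-05-02T09:00", "db-01", "10.0.2.15", "INTERNAL", 110_000),
    ("2014-05-02T10:30", "web-01", "198.51.100.9", "US", 52_000),
]

# Constructed monitoring-window flows, including one large, off-hours export abroad.
NEW_FLOWS = [
    ("2014-05-03T09:00", "db-01", "10.0.2.15", "INTERNAL", 125_000),
    ("2014-05-03T02:13", "db-01", "203.0.113.44", "RO", 900_000_000),
    ("2014-05-03T10:00", "web-01", "198.51.100.7", "US", 47_000),
    ("2014-05-03T11:00", "web-01", "203.0.113.80", "DE", 30_000),
]

def build_baseline(flows):
    """Map each source host to the destination countries and largest single flow seen routinely."""
    baseline = defaultdict(lambda: {"countries": set(), "max_bytes": 0})
    for _ts, src, _dst, country, nbytes in flows:
        entry = baseline[src]
        entry["countries"].add(country)
        entry["max_bytes"] = max(entry["max_bytes"], nbytes)
    return baseline

def find_anomalies(baseline, flows, volume_factor=10):
    """Flag flows to a country the host never talked to, or far larger than its usual flows."""
    alerts = []
    for ts, src, dst, country, nbytes in flows:
        entry = baseline.get(src)  # .get() does not create a default entry
        if entry is None:
            alerts.append((ts, src, dst, country, "host not seen in baseline"))
            continue
        reasons = []
        if country not in entry["countries"]:
            reasons.append(f"new destination country {country}")
        if nbytes > entry["max_bytes"] * volume_factor:
            reasons.append(f"{nbytes} bytes exceeds {volume_factor}x baseline max")
        if reasons:
            alerts.append((ts, src, dst, country, "; ".join(reasons)))
    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(build_baseline(BASELINE_FLOWS), NEW_FLOWS):
        print(alert)
```

In practice the baseline would be learned from weeks of flow or NetFlow data and refreshed as business patterns change; the point is that the server-to-country map, not any single signature, is what exposes the unexpected transfer.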

"If you can't see the threat, you can't respond to it," Habersetzer said. "You need to be able to see your traffic."

Cloud Complications

The growing use of cloud applications can complicate the security challenge because the organization's security team doesn't control the provider's servers and, in some instances, may not know a department or employee is using a cloud service.

If the security team knows about a cloud service, Habersetzer recommended discussing the organization's security procedures and concerns with the provider's security teams. A cloud provider should be able to provide information about its security controls and help the organization mitigate potential threats.

Fundamentals Count

One of the common frustrations for security researchers is that many companies experiencing breaches are victimized by longstanding threats that were identified months or years ago.

Some common vulnerabilities, for instance, include failing to encrypt sensitive data, not patching systems with software updates, and users who employ weak passwords.

"A lot of the attacks haven't changed that much in the past 15 years," Habersetzer said. "In a lot of breaches, there are basic security measures that companies haven't put into place."

But even companies with strong security defenses remain vulnerable to attacks.

"There's no guarantee that you'll be able to keep adversaries out," Habersetzer said. "You're going to lose from time to time -- everybody does -- but you have to continually try."