How do you combat today's cybersecurity threats if the intruders are already inside your network?
A panel of security executives tackled this topic at the Cornerstones of Trust on Tuesday in Foster City, Calif. The annual conference is co-hosted by the Information Systems Security Association's Silicon Valley and San Francisco chapters and San Francisco Bay Area InfraGard.
The idea of keeping intruders out with traditional, perimeter-based security is useless against the advanced persistent threat -- targeted attack activity by organized groups of cybercriminals to infiltrate an organization and steal data over time without being detected, panelists said.
"Aurora and similar attacks mean organizations that depend on a perimeter-based strategy are victims and will remain so," said Gary Terrell, CISO at Adobe Systems Inc.
Along with Google, Adobe was among about 20 companies targeted by Operation Aurora late last year . APT became a stark reality for Adobe on Jan. 2, when Google informed it was victimized by Aurora, Terrell said.
John Wang, security architect at NASA, said the government is more experienced with APT than other industry sectors.
"APT for us is more old hat…From my perspective, we're at war," he said. "Perimeter defenses are no longer effective, if they ever were. It's harder to fight a war from the inside than maintaining the perimeter. It requires additional resources."
Criminals are after an organization's crown jewels, money or infrastructure, Wang said. "The fight starts with understanding what you're trying to protect," he added.
For Leslie Lambert, former CISO at Sun Microsystems who recently joined Juniper Networks Inc. as CISO, assuming that the bad actors behind cybersecurity threats are already inside the network raises the issue of how sensitive data is secured. Juniper has acknowledged that it was among the victims of Operation Aurora.
"If they're already in, how have you applied the principals of data protection?" she asked.
An inside-out security strategy can include several tactics, including DNS monitoring, which can help track down those who are already infected, Terrell said. Reputation-based file scanning, which can go beyond traditional antivirus to uncover customized malware, data loss prevention tools, and adaptive authentication based on a variety of user attributes are other useful tactics, he said.
Wang said organizations need to take a defense-in-depth approach -- a strategy that hasn't gotten as much attention with all the focus on perimeter defenses. That approach includes log aggregation, application whitelisting, "encryption everywhere," and a security operations center for incident response, he said.
However, all those security measures become cost prohibitive, he added. Vendors need to embed more security functionality into systems and the decision makers at organizations need to consider security costs up front.
Organizations have to figure out what it is they're trying to protect with limited resources, Wang said: "You can't protect everything."
Understanding attackers and their methods and motivations is an important part of the strategy to combat cybersecurity threats, Terrell said in response to a question from an audience member. "Intelligence is critical," he said. "It has to be a priority."
The panel was moderated by Jacques Francoeur, senior director of identity and information at SAIC and executive director of the CSO Council Bay Area. All of the executives on Tuesday's panel serve on the council, a nonprofit that provides top security executives with a way to securely share information.