The Next New Cyberdefense Strategy: Monitor Everything
Aug 27, 2011 5:00 AM PT
The definition of "cybercrime" is ever changing, as is the severity of attacks. 2011 has already been labeled the "year of the data breach," and yet many of the breaches are not the typical SQL injection attacks or database hacks. Instead, criminals are using legitimate website functions to steal data, and sometimes money, from targeted organizations. Compounding the problem, as U.S. banks and other financial institutions enable customers and employees to make mobile transactions, the security implications of both Web and mobile functionality have become a large concern for IT.
As the majority of today's applications and services are easily accessible via the Web -- website, intranet, mobile, etc. -- online security standards are a weakness that cannot be ignored. Although acts of cybercrime may not be classified as "physical destruction," new threats crop up daily. Online institutions and the security industry need to band together to develop effective solutions that protect as many users as possible.
The Dilemma of Convenience
In today's always-on world, consumers and employees expect to be able to interact with their bank, website, or employer through the Internet. This convenience is good in general; it encourages commerce and makes employees more productive. But with the increase in convenience comes inherent risk. The more functionality and data that become available through the Web, the more possible vulnerabilities the criminals can target.
The reality is that criminals go where the money is, and that is why they have targeted banks and other high-profile e-commerce sites: They can get a fast return on investment. In the past few years, we've seen the criminals change in two ways: First, they have gotten more sophisticated in the attacks that they perpetrate. I hypothesize that criminal organizations have a better understanding of most websites today than the internal product, development, or quality assurance teams for those websites. Why wouldn't they? There is a possibility for a huge payout if they are able to identify particular vulnerabilities.
The second change has been that cybercriminals are no longer limiting themselves to targeting only the highest-profile financial institutions and e-commerce companies. We are now seeing criminals target the smallest banks, very small e-commerce companies, and even other noncommercial websites where they can find either data or another commodity of value.
Many of these data breaches are being perpetrated through a Web browser, not through the traditional network intrusion. Hackers today know exactly what security systems are looking for, so they are able to circumvent the systems and simply avoid methods that will trigger alerts on the network.
As a result of this shift in the threat landscape, we have seen a rise in man-in-the-browser, man-in-the-middle and man-in-the-mobile attacks, in addition to a variety of attacks against the legitimate functionality of even the most innocuous websites. If more platform providers and application developers understood the risks around the functionality that is made available through the Internet, it would help everyone.
As more of these data breaches and thefts occur, consumers may become wary of interacting with banks, businesses and others online. That would be bad for everyone -- e-commerce sites would have less business, banks would have to accommodate an increased number of expensive face-to-face transactions, and employers would lose some employee productivity. The interesting aspect of this is that it would also be bad for the criminals, since they require lots of people interacting with organizations through the Web to support their way of life.
Benefits of Web Session Monitoring
So what's next? With websites encountering thousands of visitors and experiencing thousands of clicks per second, how are financial, government, e-commerce, and even corporate organizations expected to protect themselves?
One thing is obvious: Implementing proactive security is a necessity for any online organization today. Monitoring the traffic coming through the website has become critical in the cybersecurity space. It is impossible to determine ahead of time which page or Web functionality will be used by the criminals. Instead of trying to predict where the criminals will hit or plug every hole, a better approach is to monitor everything and react when a new threat is identified.
I'm not encouraging website developers to leave known holes open. Definitely, plug all of the obvious vulnerabilities. However, if you are monitoring all Web sessions, for every page on your site, you'll be able to see when the criminals identify an unexpected vulnerability.
This is, of course, a first line of defense, and any organization should have a multilayered approach to security. We all know it won't be the last thing needed. There is no silver bullet to protect websites, corporate assets, or data. But putting technologies in place that can detect and stop malicious behavior in real time across a number of organizations (government, financial services, e-commerce sites, etc.) would substantially change the way fraud and other types of website abuse are addressed industry-wide.
Ultimately, it would help us minimize the impact of data breaches, mobile threats, and new attacks that cybercriminals execute. It's hard to predict what the remainder of 2011 will bring -- though the first half certainly had its challenges. All organizations, from large to small, should take a stance and ensure they are proactively protecting not only their network, but all Web-based activity, as this is the most vulnerable platform today.