Solution providers need to take a data-centric approach in providing customers with the best possible security against the growing sophistication of cyberattacks, an expert said Tuesday at XChange Solution Provider 2012.
The typical strategy of shoring up the perimeter of a corporate network with vendor-built firewalls, intrusion prevention systems, Web gateways and other technologies won't keep out hackers, said Brent Huston, CEO of MicroSolved, a Columbus, Ohio-based provider of security assessments and penetration testing. Today's hackers are familiar with off-the-shelf technology and are continuously developing toolkits to find vulnerabilities.
"Today, the way security systems are deployed, they start at the perimeter and work inward. That's a broken model," Huston said. "Criminals know that and that's why they're exploiting us at the level that they are. Attackers already know about commercial, off-the-shelf tools."
[Related: XChange Solution Provider 2012 Coverage]
To confound hackers, Huston recommended starting first with the customer. Find out the information the business wants to protect and where it is located. Then build layers of security around the data, with each layer providing logs that are constantly monitored for signs of a breach. In addition, avoid predictability. Mix technology from multiple vendors.
"Around each of the core assets, we need perimeters, with visibility, prevention, detection and response," Huston said. "You need that because systems have gotten more complex. Everything talks to everything."
Once the core, data-centric security is built, Huston advised attendees at the XChange session to focus on threat evolution. Much like technology companies, hackers are constantly innovating, developing new tools and tactics for breaking into computer systems. "You can rest assured that every day when you build these perimeters and you build these small compartments [around data], there's an attacker or a group of them waking up somewhere in the world to figure out how to hack those things," Huston said.
While some security professionals may find hacker persistence frustrating, Huston called it "job security" for smart security VARs.
Jared Osego, network consultant for Tucson, Ariz.-based Nextrio, said Huston's talk made him think about a number of issues, such as the need to mix and match product, focusing on the data, getting educated on compliance standards and fully understanding the customer's concerns before starting work.
"We've been mulling the idea of trying to come up with some managed security solution that we want to offer, so this is really outlining things that we really need to focus on -- things that we haven't taken under consideration up to this point," said Osego. Nextrio is a privately held company specializing in IT network services.