Published on July 1, 2013
In a sense, the entire discussion around BYOD processes in the enterprise is moot. Everyone has a smart phone. Many have found they prefer a tablet to a PC, and will bring their tablet to work. These devices connect seamlessly to the network through WiFi, and very quickly become a critical part of the infrastructure and workflow for many employees in every part of the organization. The development and adoption of BYOD policies is a necessary, if somewhat futile rear-guard action to attempt to mitigate the most egregious risks associated with personal devices connected to the corporate network.
These devices provide a number of new attack vectors, including a huge increase in the number of potential network access points vulnerable to Spear Phishing and social engineering attacks. But there is one vector that stands out, both for the ease of successful compromise and the tremendous difficulty in prevention. That attack vector is the App. One need only to think about the incredible spread of adware, spyware and other malicious software through toolbars, wallpaper, P2P clients and so many other executable files people downloaded enthusiastically in very large numbers a few years ago. Now, one of the great selling points of iOS and Android is the “hundreds of thousands of apps available”, many of them free games and fun little widgets that so many find irresistible. It is almost ridiculously easy to include lightweight compromise code in these tiny programs that will later reach out to C&C nodes to install the real malicious payload.
It’s one thing when users are unknowingly redirected to malicious sites or are tricked into providing their user information. But the ability of vast numbers of users to install unknown and untrusted executables on what will the next day be an enterprise network-connected device is unprecedented. And with some types of users significantly more vulnerable to this approach than others, it’s possible that a small number of users can introduce malware from multiple attackers over time. And with so many different malware exploits and Remote Access Toolkits in use, Virus and Malware Scanners that depend on signatures are doomed to failure, even as they appear to be providing a successful defensive layer.
The answer, unsurprisingly, is security intelligence. A robust and comprehensive security analytics solution is not a defensive, prevention-oriented tool. It is designed to utilize ALL the information available to the Information Security team to detect unusual or suspicious behaviors in real time. Once an attacker successfully comprises a user account, he will look like a legitimate user when he accesses network resources. The key to detection at that point is not Identity and Access Management, but rather the ability to observe and evaluate the behaviors, actions and transactions of the attacker on the network - and the ability to observe those actions in real time, so an incident response team has a chance to mitigate the potential harm before it can occur.
Attackers will continue to find ways to compromise network security, and users will continue to occasionally act irresponsibly or thoughtlessly. No matter how hard an enterprise security team works to prevent successful penetrations, there must be an effective detection layer in place to allow the organization to deal with successful attacks before they become something so much worse. Securonix works with the tools and data you already have to provide that kind of real-time detection without disrupting IT operations or impacting performance.