Sun Tzu, Chinese general, military strategist and author of ‘The Art of War’ once said: “If he sends reinforcements everywhere, he will everywhere be weak.”
As enterprise networks face an unprecedented number of cyber-attacks and start to resemble battlefields on multiple fronts, these words have striking application. In a recent global survey by the Economist Intelligence Unit (EIU), eight in 10 C-suite business executives and leading security executives across the Asia-Pacific Japan (APJ) region indicated that they have experienced an increase in cyber-attacks on their firms in 2015. More than one-fifth also expect to be hit by a serious cyber-attack within the next 90 days.
While determining how best to defend against this avalanche of cyber-attacks is no doubt a key priority for every organization, the EIU study also found that many companies find it difficult to develop a coherent strategy. Business leaders tend to think strategically and long-term, whereas security leaders prefer a tactical approach to security, one that focuses on individual solutions to each possible attack.
The problem with tactical approaches is that the number and types of attacks are consistently becoming more sophisticated and successful – they are estimated to have cost APJ businesses US$81 billion in the past 12 months, more than any other region. As organizations accommodate employee demands for workplace mobility and continue on their digital transformation journeys, applications and user data are on more devices in more locations than ever before. Spreading your forces in a vain attempt to police every inch of ‘ever-expanding territory’ allows enemies the advantage of choosing their battles and overwhelming any piecemeal efforts.
By trying to defend attacks on all fronts individually, cyber security teams find themselves in the unfavorable situation described by Sun Tzu. Cyber security becomes a game of ‘Whack-A-Mole’, in which corporate defenses simply react to the newest and biggest threat. The sheer number of news headlines around successful cyber-attacks alone is proof that this reactive, tactical approach to security has reached the limits of its effectiveness. It is time for a new approach.
A Strategic Approach to Security
In his statement: “Victorious warriors win first and then go to war, while defeated warriors go to war first and then seek to win,” Sun Tzu highlights the importance of a strategic approach. A firm must first align its security strategy with its most important security priorities. The most precious asset most organizations have, according to the EIU survey, is the trust of their customers. 37 per cent also believe that the ‘loss of customers’ trust as a safe company to do business with’ will cause the most damage in the event of a successful cyber-attack. Any holistic, strategic cyber security plan must therefore begin here.
Data breaches usually start with network reconnaissance. A hacker typically starts by gaining entry to non-critical parts of the infrastructure. Once inside the network, the attacker can go looking for other more lucrative areas to exploit, often going undetected when internal security is not up to par.
Research shows that hackers typically spend 205 days in corporate systems planning an attack. If firms can spot ‘enemy scouts’ and address an invasion at its early stage, they can reduce the gravity of the effects. A flexible and strategic, architecture-based defense will therefore allow IT departments – once notified of an attack taking place – to identify, mitigate, and contain the threat.
Transforming Security with Network Virtualization
C-suite business executives and leading security executives across the APJ region highlighted ‘threats that move faster than our defenses’, ‘penetration through non-standard employee devices (BYOD)’ and ‘cloud architecture’ as among the top risks or vulnerabilities to cyber-attacks. A strategic approach to security must therefore include visibility over compute, network, storage, cloud and mobile devices.
Network virtualization offers organizations the new, architecture-based security they need to defend themselves. Acting as a ubiquitous layer in between physical infrastructure and applications, network virtualization provides visibility over fog of war – an application-oriented lens into the infrastructure that enables IT to align security controls to protecting what matters most. This means that should a component within the network become compromised, its attributes are quickly and automatically updated or deleted, and quarantine controls enforced to stop the threat from moving laterally.
The assumption has to be that not only will organizations be attacked, but that some attacks will be successful. An IT leader looking to deal with today’s deluge of cyber-attacks and uphold brand reputation must now work closely with his or her C-suite business leaders to rethink the company’s security strategy. As Sun Tzu might add: “the worst calamities that befall an army arise from hesitation.”