Today’s news from the New York Times that Chinese hackers had attacked the New York Times network over the last four months is a reminder of the inadequacy of perimeter defenses by themselves. The folks at Mandiant helped the NYTimes to figure this out – those guys rock!
As the article points out, the hackers were exceptionally sophisticated in their methods of penetrating the network. They installed 45 pieces of malware over three months, and Symantec (the NYTimes uses their products) detected one (1!) of them. That is a measure of how inadequate signature-based AV is against custom malware, and Symantec itself points out that “Antivirus software alone is not enough.” The NYTimes article suggests that hackers in China “are behind a far-reaching spying campaign aimed at an expanding set of targets including corporations, government agencies, activist groups and media organizations inside the United States.”
Barbarians are at the gate, and yes you need to maintain that gate (aka network perimeter security), but more importantly you need to protect what matters inside the gate – focus protection as close as possible around enterprise sensitive data.
The sensitive data typically resides on servers, so protecting it requires a combination of technologies to combat sophisticated threats: encryption for data at rest, database activity monitoring (DAM, also called database audit and protection) to watch how the data is actually used, and Security Information and Event Management (SIEM) to gather what those controls report into one place. A best practice is to ensure that your encryption enforces access control at the file level, so that a stolen credential is not enough by itself: an attacker who lands on the server as root or as a DBA can read the encrypted files, but only the users and processes the policy names get plaintext back. Note the limit of this control: if the attacker drives the application itself with its legitimate credentials, the application decrypts on their behalf, which is why activity monitoring and SIEM still belong alongside encryption. At the end of the day, deploy encryption as close as possible to the data, with the access policy and the audit trail enforced at that same point, as a key countermeasure against the bad guys.
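To make the idea concrete, here is an added example (not code from the original post, and not any vendor's product) of encryption at rest with a file-level access policy that is independent of the filesystem's own permissions. The guard holds the key and a policy keyed by file path; a caller presents a principal (OS user plus executable), and only a principal the policy names for that path gets plaintext. Every decision is recorded as an audit line of the kind you would forward to a SIEM. The file path is bound into the AES-GCM associated data so that ciphertext copied to a path with a more permissive rule cannot be decrypted there. The path names, user names and the `Principal`/`Policy` types are illustrative assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// ErrDenied is returned when the policy does not name the caller for this file.
var ErrDenied = errors.New("access denied by encryption policy")

// Principal is who is asking: the OS user and the executable making the call.
// (Illustrative model; a real agent would take these from the kernel, not the caller.)
type Principal struct {
	User    string
	Process string
}

// Policy maps a protected file path to the principals allowed to see plaintext.
type Policy map[string][]Principal

// Guard holds the data-encryption key and the policy. Neither lives in the
// filesystem ACLs, so root or a DBA with stolen credentials cannot simply chmod
// their way to plaintext.
type Guard struct {
	aead   cipher.AEAD
	policy Policy
	Audit  []string // constructed audit trail; forward to a SIEM in practice
}

// NewGuard builds a guard from a 16-, 24- or 32-byte AES key and a policy.
func NewGuard(key []byte, policy Policy) (*Guard, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Guard{aead: aead, policy: policy}, nil
}

func (g *Guard) allowed(p Principal, path string) bool {
	for _, a := range g.policy[path] {
		if a == p {
			return true
		}
	}
	return false
}

// Seal encrypts the bytes that will be stored at path. The path is used as
// associated data, so the ciphertext is tied to that location.
func (g *Guard) Seal(path string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, g.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return append(nonce, g.aead.Seal(nil, nonce, plaintext, []byte(path))...), nil
}

// Read returns plaintext only when the policy names p for path. A denied caller
// gets ErrDenied; what sits on disk is ciphertext either way.
func (g *Guard) Read(p Principal, path string, stored []byte) ([]byte, error) {
	if !g.allowed(p, path) {
		g.Audit = append(g.Audit, fmt.Sprintf("DENY user=%s process=%s path=%s", p.User, p.Process, path))
		return nil, ErrDenied
	}
	ns := g.aead.NonceSize()
	if len(stored) < ns {
		return nil, errors.New("stored data shorter than nonce")
	}
	pt, err := g.aead.Open(nil, stored[:ns], stored[ns:], []byte(path))
	if err != nil {
		g.Audit = append(g.Audit, fmt.Sprintf("FAIL user=%s process=%s path=%s err=%v", p.User, p.Process, path, err))
		return nil, err
	}
	g.Audit = append(g.Audit, fmt.Sprintf("ALLOW user=%s process=%s path=%s bytes=%d", p.User, p.Process, path, len(pt)))
	return pt, nil
}

func main() {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	const table = "/var/lib/mysql/customers.ibd" // assumed path
	g, err := NewGuard(key, Policy{table: {{User: "mysql", Process: "/usr/sbin/mysqld"}}})
	if err != nil {
		panic(err)
	}
	ct, _ := g.Seal(table, []byte("card=4111111111111111")) // constructed sample record
	_, err = g.Read(Principal{User: "root", Process: "/bin/cat"}, table, ct) // stolen root: denied
	fmt.Println("root via cat:", err)
	pt, _ := g.Read(Principal{User: "mysql", Process: "/usr/sbin/mysqld"}, table, ct)
	fmt.Println("mysqld:", string(pt))
	for _, line := range g.Audit {
		fmt.Println(line)
	}
}
```

The point of the example is the split it enforces: the operating system decides who may open the file, but the guard decides who may see what is in it, and it writes down both answers. Real products enforce this in the kernel or at the storage layer rather than trusting the caller to report its own identity, which the demo does for brevity.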