Why perimeter security fails to defend businesses from cyberattacks
'The bad guys have just as much smart resources as the good guys do, arguably more money, and absolutely no need to play by the rules.'
Since the start of the consumer internet in 1995, people have moved huge parts of their personal lives online, conducting everything from banking to interactions with the government.
Seemingly by accident, over the course of 20 years the internet became the underpinning of a huge amount of commerce and human interactions. But that was never its design. The underlying internet technology was never designed to be secure, according to John Parkinson, affiliate partner at Waterstone Management Group. "They were, in fact, designed with a security through obscurity strategy."
"When you attach 10s of millions of businesses and billions of people to the internet, suddenly you attach value," Parkinson said. "These are things worth stealing."
For a long time, companies thought they could increase perimeter network defenses and adequately secure their internal systems. Emphasis was placed on building larger walls by focusing on firewalls and intrusion detection. But not enough emphasis was placed on application security, according to Parkinson.
Now, with 20-25 years of accumulated code running through many businesses, keeping up with attackers and defending internal systems seems almost an insurmountable challenge. With the thousands of reported cyberattacks and data breaches in the last two years alone, it is clear the model of cybersecurity focused on keeping the “bad guys” out is not working.
"If you're on the defensive side, you have to keep the attackers out all the time," said Dr. Andy Yen, CEO and founder of ProtonMail. But, "if you're on the offensive side, you only have to get in once."
The imbalance between the sophistication of attackers and overwhelmed defenders has led to failure by public and private organizations. With attackers steadily outpacing the skills and resources of the defenders, not to mention their proclivity for breaking the law, the number of breaches and cyberattacks has steadily increased each year. Just two to three years ago, about 20,000 cyberattacks were attempted per week, according to Microsoft data. Now, that number is up to between 600,000 and 700,000 attempted cyberattacks each week.
"The bad guys have just as much smart resources as the good guys do, arguably more money, and absolutely no need to play by the rules," Parkinson said. "We're still trying to build better castle walls, despite the fact that the attackers will always have better weapons than the walls can resist."
The flaw in the code
One of the root causes of industry cybersecurity failings stems from the underlying architecture of systems.
The increase in cyberattacks and defense tactics has led some companies to increase security budgets, even though increased investment doesn't always pay off. In a recent survey of 2,000 enterprise security practitioners, Accenture found more than half would invest more in cybersecurity, even though those investments have "not significantly deterred regular and ongoing breaches."
Awareness and spending are up, but a critical flaw in how systems are constructed persists. People are still writing software that contains bad or flawed code, which attackers can easily exploit to breach a system, according to Parkinson.
Rather than merely keeping data in a fort and hoping attackers don't get in, some companies have turned security architecture on its head.
"ProtonMail came out of the idea that the model is broken," Yen said. Instead of hoping perimeter security holds, ProtonMail employs end-to-end (E2E) encryption, encrypting data on both the client and server side. If a server is breached, it contains only E2E-encrypted data; attackers cannot access the data because the server cannot read it.
If everything is encrypted, companies don't have to worry so much about keeping attackers out, according to Yen, who thinks that's the future direction of cybersecurity. But even though E2E encryption holds the potential for securing companies, it is a very difficult technical challenge to implement.
"It basically requires you to re-architect your entire platform from the ground up with encryption in mind," said Yen. For example, ask Microsoft to completely redesign Exchange and Outlook to fully support E2E encryption. "That's a giant undertaking," he said.
Though it is very difficult for incumbent companies to roll out E2E encryption on existing services, startups have more flexibility and can design systems from the ground up with encryption in mind.
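The property described above, that a breached server yields only data it cannot read, shown as an added example that is not ProtonMail's implementation. The passphrase-derived AES-256-GCM scheme, the `MailServer` class and all names and sample values are assumptions made for illustration.

```javascript
// Added illustration: the client encrypts, the server stores only opaque records.
// Not ProtonMail's code; scheme, names and sample values are assumptions.
const crypto = require('crypto');

// Client side: the key is derived from a passphrase that never leaves the client.
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32); // 256-bit key
}

function clientEncrypt(passphrase, plaintext) {
  const salt = crypto.randomBytes(16);
  const nonce = crypto.randomBytes(12); // 96-bit nonce for GCM
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), nonce);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { salt, nonce, ct, tag: cipher.getAuthTag() };
}

function clientDecrypt(passphrase, rec) {
  const d = crypto.createDecipheriv('aes-256-gcm', deriveKey(passphrase, rec.salt), rec.nonce);
  d.setAuthTag(rec.tag);
  // final() throws if the key is wrong or the record was tampered with.
  return Buffer.concat([d.update(rec.ct), d.final()]).toString('utf8');
}

// Server side: holds records, never a key.
class MailServer {
  constructor() { this.store = new Map(); }
  put(id, rec) { this.store.set(id, rec); }
  get(id) { return this.store.get(id); }
  // Everything an attacker obtains from a full server compromise.
  dump() {
    return Buffer.concat([...this.store.values()].flatMap(r => [r.salt, r.nonce, r.ct, r.tag]));
  }
}

function demo() {
  const server = new MailServer();
  const message = 'Meet at the usual place, 9pm.'; // constructed sample message
  server.put('msg-1', clientEncrypt('correct horse battery staple', message));
  const leaked = server.dump();
  let wrongKeyRejected = false;
  try { clientDecrypt('guess123', server.get('msg-1')); } catch { wrongKeyRejected = true; }
  return {
    plaintextInDump: leaked.includes(Buffer.from(message, 'utf8')),
    wrongKeyRejected,
    ownerReads: clientDecrypt('correct horse battery staple', server.get('msg-1')),
  };
}
```

In this sketch the leaked records still allow offline passphrase guessing, so the protection is only as strong as the passphrase and the key-derivation cost.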
Beyond the breach
Even if a company's systems are fully encrypted and written without a single flaw, the company cannot guarantee those systems are secure and infallible when put up against even the most daring cybercriminal.
"When it comes to cybersecurity, and security in general, there's no such thing as 100% secure," Yen said. "By construction, you cannot get that because in every system is going to be some way in."
Even with its encrypted servers, ProtonMail is still subject to regular cyberattacks. The company provides encrypted email services to sensitive industries, governments, dissidents, activists and journalists across the world, making it a target for a lot of attackers hoping to disrupt or compromise ProtonMail’s clientele.
Attackers still try to breach ProtonMail's systems daily, though the effort would prove fruitless because all the data is encrypted, according to Yen. What the hackers try to do then is conduct DDoS attacks, "because if you can't steal the data, the best thing you can do after that is to make it unavailable."
In November 2015, Switzerland-based ProtonMail was subject to a DDoS attack felt around Europe, significant not for the size of the attack, but for the strategy and sophistication used.
"It is one of the first attacks where the attackers had a complete disregard for collateral damage," Yen said. "So, to get to us, they also attacked critical Swiss infrastructures."
During the attack, many Swiss companies were taken offline and key internet routes in and out of Switzerland were disrupted. It was one of the few attacks, at the time, where the impact was not localized to the target but global within Europe. People lost internet in places like Paris, London, Moscow and Germany just because of the attack on ProtonMail.
Rather than breaching ProtonMail's systems, attackers tried to take down the company's supporting infrastructure, attacking the internet service providers and data centers. The attackers "ultimately tried to create a situation where it would become toxic for any ISP or any data center to try to host us," Yen said.
As a result, ProtonMail couldn't find a provider that worked and instead opted to become its own ISP, according to Yen. "It's kind of crazy to think about that you have to become the ISP to beat an attack, but that's what we had to do."
It's getting a bit better
Not every company will face daily cyberattacks or have to become its own service provider to stay online. But that's not to say companies shouldn't still be prepared for an attack.
Now, companies know to watch for what the natural state of a system is, keeping an eye on anomalies, which could indicate an attack either is underway or has taken place. As a common part of current defense strategies, organizations employ intelligence to understand how they could be attacked and how attackers operate.
There is also a lot of potential in artificial intelligence and machine learning to help rapidly assess and understand where the bad guys could hide in a deluge of data.
Even so, there are still major threats to companies as the adversaries continue to operate in a more agile way. While companies have taken three steps forward in security, attackers have taken five steps.
"We have gotten better, but not enough and not fast enough," Parkinson said. "It takes a while for evolutionary pressures to build up both from the business side and technology side."
Until companies address the holes in their architecture and fully understand their vulnerabilities, they will remain vulnerable to sophisticated attackers. According to Yen, in the next five to 10 years, the security environment is going to lead companies to more quickly transition to the cloud, outsourcing protection to companies specializing in security.
Follow Naomi Eide on Twitter