In other words, nameless hackers have penetrated your network and covered their tracks, but they're not invisible. In most cases, infiltrators of enterprise networks don't know where the information they want is located and have to look for it. In so doing, they often give away their presence by violating what Mudge terms the physics of networks.
"Think about your internal environment. It's pretty well defined compared to the Internet, where you truly have distributed data. If I saw somebody accessing a bunch of different databases or database servers for finance, marketing, R&D, that doesn't make any sense," Mudge says, providing one example.
Companies such as Intrusic, which Mudge helped found, sell products that look for those kinds of "tells." And more companies are investing in SEM (security event management) tools that correlate data from multiple security products.
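The "tell" Mudge describes is simple enough to express as a detection rule: one principal touching database servers that belong to unrelated business units inside a short window. The following Python is an added example written for this page, not code from Intrusic or from any SEM product mentioned in the article. The server-to-business-unit mapping, the log format and the log lines are all constructed for the example; the window and threshold are assumptions a practitioner would tune to their own environment.

```python
"""Flag principals that reach across business-unit database servers in a short window.

Added example for this page: the asset map, log format and log lines are constructed,
not taken from any product or from the article.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed asset inventory: which database server serves which business unit.
# In practice this comes from a CMDB or the SEM's asset model.
SERVER_UNIT = {
    "db-fin-01": "finance",
    "db-fin-02": "finance",
    "db-mkt-01": "marketing",
    "db-rnd-01": "rnd",
    "db-rnd-02": "rnd",
}

# Constructed database audit log: "<ISO timestamp> <user> <server> <action>".
# svc_backup is the planted anomaly: it sweeps finance, marketing and R&D in minutes.
SAMPLE_LOG = """\
2024-03-01T09:00:12 alice db-fin-01 SELECT
2024-03-01T09:05:40 alice db-fin-02 SELECT
2024-03-01T09:30:02 bob db-mkt-01 SELECT
2024-03-01T10:02:18 svc_backup db-fin-01 SELECT
2024-03-01T10:03:55 svc_backup db-mkt-01 SELECT
2024-03-01T10:04:30 svc_backup db-rnd-01 SELECT
2024-03-01T10:06:01 svc_backup db-rnd-02 SELECT
2024-03-01T15:00:00 carol db-rnd-01 SELECT
2024-03-02T11:00:00 carol db-mkt-01 SELECT
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, server, action) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, server, action = line.split()
        events.append((datetime.fromisoformat(ts), user, server, action))
    return events


def find_cross_unit_access(events, window_hours=1.0, min_units=3):
    """Return {user: set_of_units} for every user who touched servers belonging to
    at least `min_units` distinct business units within any `window_hours` span.

    Servers missing from SERVER_UNIT are skipped here; in production an unknown
    server is itself worth a separate alert, since it means the asset map is stale.
    """
    window = timedelta(hours=window_hours)
    by_user = defaultdict(list)
    for ts, user, server, _ in events:
        unit = SERVER_UNIT.get(server)
        if unit is None:
            continue
        by_user[user].append((ts, unit))

    alerts = {}
    for user, hits in by_user.items():
        hits.sort()
        start = 0
        # Sliding window over the user's time-ordered accesses.
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            units = {u for _, u in hits[start:end + 1]}
            if len(units) >= min_units:
                alerts[user] = units
                break
    return alerts


if __name__ == "__main__":
    for user, units in find_cross_unit_access(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {user}: accessed {sorted(units)} within one hour")
```

Run on the constructed log, only svc_backup trips the rule: alice stays inside finance, bob inside marketing, and carol's two units are a day apart, which is the point of the window. Widening the window to two days with a two-unit threshold also catches carol, which shows why the threshold has to be set against what normal roles in the environment actually look like rather than picked in the abstract.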
But security experts agree that effective technology to combat the insider threat is still off in the future. Meanwhile, IT managers should train qualified internal incident response teams to look for telltale signs -- and prepare dynamic and resilient responses to attacks so that panic doesn't ensue when things start breaking.
Wars of attrition
What about preventing attacks before they start? Unfortunately, effective prosecution of organized cybercrime groups and state-sponsored hackers is a long way off. Realistically, the best strategy is a smart, flexible defense that makes attacks increasingly costly, causing hackers to simply move on.
Booz Allen Hamilton recently experienced just such a phenomenon with a major overseas bank whose customers were being targeted in phishing attacks and were having funds wired out of their compromised accounts. Booz Allen designed a solution for the bank that used honeypots to identify compromised accounts but also told the client that patching that hole would just force the attackers to use different channels.
"A month or two later, the attackers moved into the telephony channel -- phone phishing," says Ron Ritchey, an expert on secure network design at Booz Allen Hamilton. "It's like you throw a rock in the stream to redirect it to another area." Still, because the bank had forewarning, it had a response plan ready for the phone phishing attacks when they happened.
The idea is akin to game theory's "war of attrition," in which contestants incur progressively increasing costs as they compete. At some point, the cost of staying in the game for one party outweighs the value of what they're trying to win, Mudge says. Fixing obvious problems can go a long way because at this point most enterprises are easy prey.
"Large enterprises are interested in business continuity, not catching crooks," says Tim Keanini, CTO of nCircle Network Security. "If they can find a way to raise the cost to the adversary, it becomes a way to make it just a hair too costly for them to figure it out." Keanini says that technologies such as virtualization could be used to introduce enough diversity and variability within and between enterprise architectures to make it too expensive and time consuming to try to break in.
Cover your assets
With so many avenues of attack, the biggest problem many companies have is determining what they need to protect most. "When I talk to executives, it's scary," Sytex's Cole says. "I'll ask them: 'What are your critical assets? What pieces of data will cause you the most damage if they got into the wrong hands?' And they don't know. They'll kind of dance around the question."
This lack of visibility makes executives prey to investing in security technology for technology's sake, without considering whether it's actually making their organization more secure. "Executives may feel good. They may say, 'I have firewalls and IDS,' and sleep well at night, but it means nothing if they don't know what their IP is and whether those security products are really working," Cole adds.