Security at scale for the enterprise: Borrowing a page from home security handbooks
Philippe Courtot, president and CEO, Qualys
Unfortunately, we are getting too accustomed to seeing headlines about companies getting compromised and their consumer data or intellectual property falling into the hands of bad guys. Organizations are losing the battle against the hackers.
Why is this happening when the industry is throwing its brightest people and substantial resources at the problem? Frankly, the tools that organizations have relied on to protect their networks are antiquated and no longer work. Many of these solutions were designed in the “good old days” when the assets being protected all were behind the corporate firewall. That world no longer exists.
Much has changed in recent years. The corporate perimeter has expanded drastically to what I like to call the “cloud perimeter” as enterprises evolve to support internet commerce, internet hosting, web-based business services, mobile devices, and social networks. In short, the attack surface available to hackers has vastly increased in size and continues to grow organically as business units lean on the web to become more efficient and agile.
The multiplicity of internet-facing systems and the sensitive traffic that flows between them gives hackers a target-rich environment. And once inside, they are very difficult to eradicate, staying for months to make the most of the infiltration, and then leaving methods for re-entry once you think they've been defeated.
In this new world the challenge is threefold. First, we must get a complete view of our organization's cloud perimeter, which is often off-premises and ever-changing. Second, we must continually monitor these assets and their traffic flows, evaluating them with an awareness of the specific attributes and security posture of each endpoint system. Third, we must be able to detect anomalies and quickly act.
Unfortunately, “old guard” solutions don't make the grade in this new world. They don't give us a reliable way to inventory the assets on our cloud perimeter, are too complex to install and maintain even once you do have visibility, and rely on generic firewalling techniques that are not sensitive to the attack vectors specific to a given endpoint type.
Interestingly enough, home security systems offer a model for the direction that enterprise security needs to evolve. My son's home was burglarized recently. In response, he bought an off-the-shelf solution that includes mobile monitoring for several hundred dollars. A few years ago that would have cost 5-10 times as much in hardware, installation and service. Home security has become affordable, easy to deploy and control. This is because they combine low-cost cameras and sensors, wireless networks for easy installation, and centralized alert-based control via the internet.
In the same way that the cloud enables better protection of the home, it can help secure the enterprise. Cloud-based security offers several advantages to legacy solutions, including endless scalability, continual monitoring, centralized management, and the use of Big Data computing power to identify new threats. Also, because the heavy lifting is done in the cloud, the “sensors' in the enterprise security world can be software-based and lightweight, running on anything from a server farm to a smartphone, allowing for a standardized approach covering all endpoints.So, perhaps enterprise IT should borrow a page from the home security handbook, using the benefits of the cloud to solve the security issues created by an internet-based world. Indeed in time we may look back at the exploits of the last few months as a tipping point towards a world using cloud-based security.