Twenty-five years is a long time by any standard. But in the Internet Age, it's literally an eternity.
That's why, as SC Magazine looks back on the quarter century since its own inception, it is almost impossible to comprehend the pace and scope of change that has taken place in corporate information security as executives have turned their focus from access management and firewalls to identity management and anti-virus to intrusion detection and behavioral analytics. Also, the position of chief security officer, or chief information security officer, has rocketed in recent years from virtual non-existence to tremendously important, as headlines trumpet cybersecurity breaches on a daily basis and board members seek answers to these growing issues.
OUR EXPERTS: Through the years
Gaurav Banga, co-founder and CEO, Bromium
Michael Daly, CTO, Raytheon Cybersecurity and Special Missions
Dave Frymier, VP/CISO, Unisys
Ron Gula, CEO, Tenable
Robert Henry, CISO, Santa Clara University
Vikram Phatak, CEO and chairman, NSS Labs
Hitesh Sheth, president and CEO, Vectra Networks
Amit Yoran, president, RSA
“Back in the 1990s, nobody knew anything. Everything about information security was still so new,” says Vikram Phatak, CEO and chairman of the board for NSS Labs, a research and advisory firm that advises companies on cybersecurity based on its analysts' research as well as lab test data. Since entering this industry in the mid-90s, Phatak has seen the CSO role go from one of simply “educating employees that they need to use firewalls” to advising top executives on the holistic problems of information security, which, he says, have become more widespread and profound with the advent of networking, virtual private networks, social media and mobile.
“The paradigm we originally had for information security is based on a world that doesn't exist any more,” Phatak says. “The perimeter has long since dissolved and…the entire paradigm of protecting things is based on outdated ideas. We all really need to have another look at what makes sense.”
Since the 1994 release of Firewalls and Internet Security: Repelling the Wily Hacker [by William Cheswick, Steven Bellovin and Aviel Rubin] introduced a new paradigm of enabling internal collaboration while securing information from the outside, the industry has largely been focused on creating controls, such as internet gateways, to improve collaboration with the outside world, says Gaurav Banga, co-founder and CEO of Bromium. “But, 20 years later,” he adds, “we still struggle to maintain security while enabling productivity.”
Robert Henry, chief information security officer for Santa Clara University, also points out that in the past, information security generally focused on trying to prevent threats that could lead to breaches by trying to stop everything at the organization's internet border. “With the primacy of mobile devices, there is no longer a border,” Henry says. “That doesn't mean ignoring the perimeter. It means acknowledging that threats are going to arrive inside the networks and then we need to identify them and respond to them quickly.”
Hitesh Sheth, president and CEO for Vectra Networks, also believes the changing definition of the workplace has led to a sea change in our view of corporate security. “We've gone from an environment where people were essentially stationary with fixed computing assets to one where everything is porous and people are mobile and applications and data and information are all in the cloud,” says Sheth. “The sense that you can fence something is gone. It's just gone.”
According to RSA President Amit Yoran, the “explosion of awareness” around the issue of information security has, in and of itself, changed the threat landscape and the way that it is viewed and managed, as has the rapid onslaught of new technologies that have made it easier to do work but (arguably) harder to secure systems. “That's been a fundamental challenge for the industry,” Yoran says. “The world rushes forward and embraces technology for performance enhancements and delivering new capabilities to customers and being more effective, without really understanding what is involved.”
Simply put: “The threat is ubiquitous,” says Ron Gula, CEO of Tenable. “In the past, risks and vulnerabilities were there, there were forces at play interested in exploiting the information. But it didn't affect people as much [as today] or their lives, it was a novelty story. Now it's every day, and everyone.”
As chief technology officer for Raytheon Cybersecurity and Special Missions, Michael Daly has been overseeing information security issues for more than 16 years. His IT security group has gone from a “small department of six employees unknown to senior leadership” to a much larger team that routinely briefs the company's board of directors and C-suite. “It requires a different kind of employee, a different kind of engineer.”
Indeed, as Ian Amit, vice president for ZeroFOX, a company that specializes in social media risk management, points out, the chief security officer was typically part of the IT operation and under the CTO. But now, with lines blurring, the chief security officer is more likely to be part of the top executive team, working hand in glove with legal, regulatory and marketing teams as well as lines of business.
The new threat landscape
As Bromium's Banga describes it, after the emergence of the network, the focus shifted to the endpoint. “Anti-virus became the backstop for firewalls,” he says. “More recently, we have seen these solutions become more sophisticated with the introduction of behavioral analysis and Big Data capabilities.” These developments have occurred while the environments we seek to secure have grown increasingly complex, Banga adds. “Internet, cloud and mobility have taken center stage for business, instead of being the backdrop,” he says. “Signature writers for detection-based solutions have fallen behind, unable to keep up with complex environments. As a result, detection-based solutions are failing, leaving the endpoint and network vulnerable once more.”
Recent evolutions, particularly in mobile, have brought a slew of new paradigms. “We have evolved from a world where access management was the problem statement to one where cyberthreats are the problem statement,” says Vectra Networks's Sheth. “And that's all been pretty recent.” He believes that the situation will get much worse before things get better as attacks are becoming more automated and attackers smarter and more organized and the attack surface keeps getting bigger. “With the number of connected devices,” he says, “the number of potential avenues for attack is getting so much larger.”
As computing environments have grown more complex with the massive adoption of internet, cloud and mobility, Banga says “our users are now vulnerable to its infrastructure. Threats such as Darkhotel provide evidence that even connecting to the internet through a Wi-Fi access point is inherently dangerous. Attacks delivered through malvertising, or malicious advertisements, serve as a reminder that not even mainstream sites, such as YouTube, can be trusted by default.”
There's no argument that the emergence and widespread embrace of sites like Facebook and Twitter alone, on a personal as well as professional basis, have had profound ripple effects on the threat landscape. “It's funny to see in the past six or seven years how social media has affected security,” Amit says. While the use of social media sites at work was initially frowned upon or blocked, most organizations have given way to the tidal wave of these networking sites, which Amit says “continue to pierce the idea of a ‘perimeter’” as social media sites have become a prominent attack vector.
Dave Frymier, vice president and chief information security officer for Unisys, says these technology changes are necessitating a new era of continuous monitoring and basic analytics. And still, he says, it might not be enough to protect an organization that is not committed to good security. “It's been a mantra in IT and security for more than a decade: People should be able to access anything, anytime and anywhere,” he says. “But that might have to change if you're going to protect the information.” He says senior managers and auditors are increasingly turning to CISOs to “bridge the gap between what the CTO wants and what the infrastructure can actually do.”
So, with that in mind, what is the right tool for this continually evolving job of protecting an organization's information assets?
Legacy solutions are obsolete, say industry insiders like Banga. “CISOs are turning to best-of-breed solutions that deliver entire platforms that address the entire threat lifecycle – from protection to detection and remediation,” Banga says. “CISOs are realizing that the problem must be solved at the endpoint and are turning to isolation and self-remediation.” For example, he says, just as a nurse wears disposable gloves to interact with a patient, removes them to use a machine and puts them on again before dealing with another patient, similarly, virtual environments enable this sort of “disposable computing, enforcing the isolation of potential malicious code.”
Yoran is also seeing a significant shift from the legacy mindset of applying controls and believing we're all safe to a ‘hey, we're going to be compromised’ philosophy that is more focused on helping organizations safely experience compromise and detect it fast and with limited exposure. “The single biggest mistake security teams make is not understanding the depth of the attack…not having the ability to observe what is happening from multiple vantage points,” Yoran says. “That gives the bad guys the ability to wreak havoc without it being known that they were there.”
Additionally, Yoran has noticed an increasing trend in overlap between identity and security. Although traditionally seen as separate and distinct, those functions are beginning to merge as more sophisticated attacks evolve that make use of vulnerabilities in identity management.
In his role managing information security for Santa Clara University, Henry says he has become much more focused on risk assessment and continuous improvement. “The evolving Critical Security Controls for cyber defense, now being maintained and updated by the nonprofit Council on Cyber Security, has become the roadmap for my team. It provides a framework for performing and reporting on risk assessment, mitigation and monitoring.”
At Raytheon, Daly has had to expand the skill sets throughout the information security organization around network security, in firewalls and access control and identity management, and lately data analytics and understanding global security threats. The growing awareness of damaging insider threats has also changed the way organizations are managing their information security, as headlines about Edward Snowden and Chelsea Manning have dominated the news this past year. “We're not there yet with tools,” Daly admits. “But we are developing in cyberanalytics and making good progress on our side. We just don't see the products capable of dealing with broad sets of data and making sense of it all.”
Tenable's Gula says he is worried about what it even means to be secure in this current environment. “Security doesn't come from buying a product, like a firewall or anti-virus,” he says. “Tons of people with these products get compromised all the time.” He believes this rapidly changing market will give rise to “threat data sharing services” which would allow organizations to share indicators of vulnerability or a potential breach, rather than for companies to keep utilizing the anti-virus model.
“The entire system still relies on waiting for and finding patient zero,” Gula says.
A look ahead
While changes are afoot, Gula believes that the “long tail of the traditional network will go on for the foreseeable future.” And with it, arguably, many of the traditional approaches to information security management. “This is not going to all change overnight at banks or other large institutions,” Gula says, although he adds that we will start to see the emergence of more companies that are virtualized with their information assets scattered across mobile platforms and cloud servers at Amazon. “These new models are growing, and they are entirely transparent to the user,” he says.
In an arena like higher education, which Henry says has traditionally been open and transparent in reporting incidents, “the philosophy is if we share the information we can get other smart people thinking about solutions that are for all of our benefit.” However, he believes that going forward it will be more difficult in corporate environments to share information because there are intellectual property and regulatory issues involved. He points out that at the Silicon Valley 2014 Cyber Security Summit last summer, it was encouraging to hear representatives from government, industry and higher education collaborating on making information-sharing less risky for all.
Meanwhile, Sheth believes there will definitely be a “significant shift in the way people think about implementing security.” To improve their track record, he believes more organizations will dedicate resources to more quickly detect and analyze breaches when they happen, as opposed to simply trying to prevent breaches altogether. He says this will create an opportunity to get ahead of the problem, using data science from reactive and predictive modeling. In the next 24 months, he believes there will be significant traction in this area of information security as the technology improves and more organizations come to grips with the idea that “they don't have the dollars to throw at all the human capital they would otherwise need.”