In a world of ever more complex technologies, some experts advocate a move to simplify. Greg Masters reports.
No one said it was going to be easy, but the task of locking down enterprise networks seems to be getting more and more complex as attackers devise ever more sophisticated ways of penetrating defenses.
A firewall was once a bulwark against intrusions, but not anymore, particularly with workers, clients and customers accessing networks via a plethora of mobile devices – everything from smartphones and laptops to Fitbit activity trackers and other health-monitoring wearables, not to mention car systems connecting to central servers to keep vehicles rolling smoothly with all the amenities.
So, with the threat landscape only burgeoning, is there relief in sight for the harried IT administrator charged with protecting the enterprise network? In other words, what can make the job simpler?
One thing is certain: The preponderance of attackers all over the globe only boosts the need for practiced cybersecurity practitioners and for tools and services robust enough to fend off or, at least, lessen the effects of attacks. In fact, the security industry is thriving, with hundreds of vendors offering products and services intended to protect businesses from malfeasance. The ads and marketing messages tout the power of their tools to keep the bad actors out of your proprietary databases, to block malware from infecting computer systems or to stop employees from clicking on malicious links.
But there are a lot of skilled, albeit out-of-work, engineers in Russia, easily tempted by the possibility of anonymously attacking from afar for easy monetary gains. Not to mention cyber forces within the Russian and Chinese militaries intent on interfering with elections or purloining industrial blueprints or intellectual property.
We've come a long way from the days of script kiddies, coders with time on their hands to dabble in mischief for nothing more than the laughs and the peacocking of their skills. Every rise in the capacity of the internet to bring convenience to users has been accompanied by an attendant shadow world of nefarious parasites exploiting the technology for their own purposes. It's been a cat-and-mouse game of solutions evolving to counter threats that at times seem to outpace the positive achievements.
How can this world in conflict get simpler?
From the perspective of Erik Avakian, CISO of the commonwealth of Pennsylvania, the security tools and solutions from all of the various vendors need to integrate better with one another. While he says there have been some improvements over recent years, particularly in cross-vendor solutions sharing information, Avakian believes there is room for improvement in how these various solutions can "directly" talk to one another.
In addition to being an enterprise information security officer, Avakian is also a musician. To illustrate his idea, he makes an analogy using music. Back in the mid- to late-1970s, he explains, all the synthesizers made by different companies could not connect or talk to each other. This is similar to the issues we have today with all of the security tools and solutions from various vendors.
Finally, in the early 80s, he says, someone [Dave Smith] developed and released a new interface technology, called MIDI (Musical Instrument Digital Interface). The digital standard included a physical port that each manufacturer could include in their products that – with a special cable – enabled the different instruments from all the different vendors and manufacturers to be connected to one another.
"Instantly, all the different products could talk to one another and share musical information," Avakian explains. Eventually all manufacturers added the capability to their synthesizer products and today it is a standard, he says, with all makes and models expected to have MIDI included.
So, the question he poses to the security industry is: Why can't there be a MIDI for all the security products and solutions?
"Such a direct interface standard for cybersecurity – similar to what transformed the music world – could transform the security world as well and help enterprises reduce complexities, streamline processes and provide direct value back to the business through better visibility and insight."
Erik Avakian, CISO, commonwealth of Pennsylvania
Isaac Kohen, CEO at Teramind, agrees that consolidation would streamline operations and simplify security protocols. When he first entered the industry, programming black-box trading algorithms, IT norms were to prohibit and lock out as many people as possible to protect data, he says. But, he soon found that this was an ineffective way of solving the issue because it made the task too difficult for many people.
"Vendors can simplify their tools and services for adopters while keeping their security strong via consolidation and automation," says Kohen. Using consolidation techniques, vendors can offer robust and interconnected tools that offer a bird's-eye view with easy drill down, he says. "Security professionals need quick insight into risk and security incidents, and consolidation allows them to avoid looking at multiple reports to get their answers."
Additionally, Kohen says that automation is a key benefit for today's adopter. For example, machine learning-based detection algorithms, automated and real-time notification, and automated reactions to misuse and potential breaches simplify everyday tasks and, most importantly, offer immediate intervention, he says.
Other experts point to the infiltration of consumer devices into the enterprise as both an improvement in efficiency and a risk to security. Certainly the past 10 years have seen the rise of the "consumerization of IT," the idea that consumer technologies are now finding their way into enterprises.
As a consequence, Dirk Morris, chief product officer at Untangle, says employees have come to rely on the ease-of-use and the power of BYOD devices, cloud services and social media, and naturally, they don't want to check these tech tools at the door.
"Most organizations have already had to come to terms with the security challenges introduced by this trend, but many have also adopted consumer tech as a way to save money, increase business agility and improve productivity," says Morris. "In the process, they have shifted their fundamental perceptions as to what is an acceptable level of complexity when it comes to technology deployments."
This trend is reflected in the demand for simple, but powerful, security products that present a comprehensive solution for the whole stack of cybersecurity challenges, he explains. "In the below-enterprise market, this has resulted in the introduction of multi-function firewalls or unified threat management systems that can tackle not only an array of network security threats, but also handle a range of other services – including web security, email security, bandwidth shaping and traffic monitoring."
With the explosion of IoT devices, Morris says that he expects to see continued convergence – and simplification – with even tighter integration between network and endpoint security, as well as a host of adjacent technologies from threat intelligence to SIEM.
The cloud's silver lining
Despite moves toward integration, many solutions lack the means to communicate with each other. However, with the advent of the cloud and its mass acceptance, some see a silver lining.
In today's ever-evolving technology landscape, security has become a very fragmented space, says Neill Feather, president at SiteLock. "It's challenging for businesses to find a single security vendor that can address all of their security needs. However, there are clear leaders in the endpoint and web application space."
For security providers looking to simplify their services and drive adoption, Feather recommends they operate as a “one-stop shop” for their customers. "Not only this, but providers need to make sure their services are easy to implement and intuitive to manage internally. Cloud-based security solutions provide customers with easy on-boarding and flexibility – eliminating the use of any external hardware and dramatically reducing expense."
Should an attack or breach occur, offering a clear remediation path will become even more essential, Feather says.
Rajiv Gupta, CEO at Skyhigh Networks, points out that IT teams have little patience for security products operating in a silo, nor should they. "Nearly a third of IT security professionals ignore alerts because they are overwhelmed by too many tools and too many false alarms," he says. Security teams don't want to log into multiple dashboards and opt for platform versus patchwork solutions whenever possible, he explains.
A new trend in the industry, he says, calls for persona-based security tools, which provide workflows for different roles in the security organization to detect, enforce control and remediate incidents.
Cloud, and specifically API security, also has never been in a better position to transform business, Gupta adds. "We are starting to see organizations use security to empower IT to provide visibility, compliance and data protection without disrupting the breakneck speed of modern commerce. This new security stack is integrated and frictionless, with minimal footprint for the customer, enabling collaboration between security tools across billions of user activities."
In this case, convenience and efficacy go together, he says. "By correlating information from as many sources as possible, it cuts down on false alerts, making security tools more meaningful and accurate when they work together, and by extension are having far-reaching implications for how applications are built, how data is architected and managed, and how entire industries are using the cloud to build and re-build core business processes and operations."
Still, simplifying security tools and services is more complicated than it sounds and it will take time to sort out newer technologies working with legacy systems in place, says Joram Borenstein, VP marketing/partners and alliances at NICE Actimize.
Moreover, he says, most organizations don't do a sufficient job of keeping their tools up to date. "That being said, the best way for simplification to occur is for organizations to help drive standardization in user experience expectations, workflow requirements and general business needs."
Unfortunately, Borenstein says, many organizations like to pursue things on their own, and this desire often hinders the ability to encourage vendors to build things in a consistent manner, even within individual industries.
Vendors can keep their security implementations strong by adopting – and then continuing to maintain – their own secure software development lifecycle, Borenstein says, and that includes threat modelling, static analysis, testing and more.
Phil Neray, VP of industrial cybersecurity at Cyber-X Labs, points to three key ways to simplify security. The first is interoperability and integration. "One of the biggest enemies of better security is complexity," he says. To effectively address defense-in-depth, most organizations have by necessity implemented multiple security products, at different layers of the IT stack, from multiple vendors. "The trick is to have all of these products easily share data and insights in order to simplify the workflow for security analysts, such as by correlating anomalies and IOCs across endpoint, network monitoring and threat intelligence solutions."
Second on the list, Neray says, is behavioral analytics and machine learning. In the past few years, he explains, huge strides have been made in evolving our monitoring and detection capabilities beyond simply looking for signatures. "Behavioral analytics and machine learning technologies are essential for detecting anomalies faster, with fewer false positives."
And, third, Neray points to continuous versus what he terms "snapshot" security. Driven by compliance requirements (such as PCI), some organizations have focused primarily on quarterly scans and quarterly audits to ensure security, he points out. "But cyberattackers are continuously probing our defenses for weaknesses – so relying on 'snapshot' security means attackers can slip in between scans, establish beachheads in your infrastructure, then move laterally and hide their tracks so you can't even see them by the time you perform your next quarterly scan."
Modern security, Neray says, requires continuous, real-time monitoring and detection to quickly spot targeted threats and malware.
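To make Neray's first point concrete, here is an added example (not code from the article or from any vendor it names) of the kind of cross-product correlation he describes: an endpoint anomaly is joined with network-monitoring flows to a threat-intelligence indicator on the same host within a short window, so the analyst sees one finding instead of three feeds. All log lines, hostnames and indicators are constructed for illustration.

```python
# Added example: toy correlator joining endpoint alerts, network flows and a
# threat-intel list. Every log line and indicator below is constructed.
from datetime import datetime, timedelta

# Constructed threat-intel feed (documentation-range IP and example domain).
THREAT_INTEL = {
    "203.0.113.45": "constructed-c2-indicator",
    "bad-updates.example": "constructed-download-indicator",
}

# Constructed endpoint-agent alerts: "time|host|event".
ENDPOINT_LOG = """\
2017-03-01T10:00:05|ws-017|anomaly: powershell.exe spawned from winword.exe
2017-03-01T10:20:00|ws-042|anomaly: new scheduled task created
2017-03-01T11:05:00|ws-017|info: user logon"""

# Constructed network-monitoring flows: "time|src_host|dst|dst_port".
NETWORK_LOG = """\
2017-03-01T10:00:40|ws-017|203.0.113.45|443
2017-03-01T10:21:00|ws-042|198.51.100.7|443
2017-03-01T10:30:00|ws-017|bad-updates.example|80"""


def parse(log, fields):
    """Split pipe-delimited lines into dicts; the first field is an ISO timestamp."""
    rows = []
    for line in log.splitlines():
        row = dict(zip(fields, line.split("|")))
        row["time"] = datetime.fromisoformat(row["time"])
        rows.append(row)
    return rows


def correlate(endpoint_log, network_log, intel, window_minutes=5):
    """One finding per endpoint anomaly that is followed, on the same host and
    within the window, by a connection to a known-bad indicator."""
    anomalies = [r for r in parse(endpoint_log, ["time", "host", "event"])
                 if r["event"].startswith("anomaly")]
    flows = parse(network_log, ["time", "host", "dst", "port"])
    window = timedelta(minutes=window_minutes)
    findings = []
    for a in anomalies:
        for f in flows:
            if (f["host"] == a["host"] and f["dst"] in intel
                    and a["time"] <= f["time"] <= a["time"] + window):
                findings.append({
                    "host": a["host"], "anomaly": a["event"],
                    "indicator": f["dst"], "label": intel[f["dst"]],
                    "seconds_after": int((f["time"] - a["time"]).total_seconds()),
                })
    return findings


if __name__ == "__main__":
    for finding in correlate(ENDPOINT_LOG, NETWORK_LOG, THREAT_INTEL):
        print(finding)
```

On the constructed data only ws-017 is reported: its flow to the listed indicator arrives 35 seconds after the anomaly, while the later flow to the listed domain falls outside the five-minute window and ws-042's connection is not in the feed.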
"From an identity verification and access management standpoint, we feel that the way to strengthen security is by giving users as much control over the verification process as possible," says Chris Luttrell, SVP product management at IDology. "The problem with fraud is that criminals are constantly adapting their attack vectors, so a system needs to be flexible and able to adapt to those shifting patterns," she says. "Creating a system that doesn't require multiple implementations is going to save everyone time and make them more efficient at fighting fraud. Some feel, from a revenue perspective, that creating solutions that are more of an inflexible black box can add up to more implementation fees down the road, but it really doesn't help your customer solve their problems."
How APIs are designed is key too, she says: a simple REST interface with a flexible XML response gives customers more options when their needs change. "And giving your customers a way to configure the behavior of your API in real time, without requiring you to make custom changes, gives them a way to optimize your API and quickly respond to the evolving threat landscape."
Any added security measures should be as simple as possible for customers to integrate, says David Busby, information security architect at Percona. Vendors should remember that simple integration methods mean a higher adoption rate, and a subsequent higher ROI for security investments, he says.
"Internet of Things (IoT) vendors should consider a simple firewall for their firmware," Busby says. "It can be the easiest method to protect products (regardless of zero-day exploits) from becoming the subject of a scathing news article. No one cares if the firmware is highly exploitable if no one can easily get to it."
The point is that businesses should seek to provide several options, says Busby. "Two-factor authentication, for example, could be provided by Google Authenticator, DUO Security, Authy, etc. The latter two providers are a simple API hook away. Though there are some minimal cost considerations, implementing simple logic in an application can allow for many possibilities."
IT admins should also think about the methods used for the second authentication factor, he adds. "Don't just assume a smartphone is enough. DUO, for example, can support a multitude of options – like Universal Two Factor, a standard published by the FIDO Alliance. And don't underestimate the humble hardware token! More often than not, these are considered a far easier solution, and there are many options available."
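As an added illustration of the "simple logic in an application" Busby mentions (this is not code from the article, from Percona or from any authenticator provider), the following verifies a Google Authenticator-style time-based one-time password (TOTP, RFC 6238: HMAC-SHA1, 30-second steps, 6 digits) using only the Python standard library. The secret is the published RFC 4226/6238 test key in base32 form, as an authenticator app would import it; the replay set and the one-step clock-skew allowance are assumptions about how an application would deploy it.

```python
# Added example: server-side TOTP verification (RFC 6238) for an
# authenticator-app second factor. Secret is the RFC test key, not a real one.
import base64
import hashlib
import hmac
import struct

# base32("12345678901234567890"), the RFC 4226 / RFC 6238 test secret.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to the requested number of digits."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, unix_time, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with the counter derived from the time step."""
    return hotp(secret_b32, unix_time // step, digits)


def verify_totp(secret_b32, submitted, unix_time, step=30, skew_steps=1, used=None):
    """Accept a code for the current step or `skew_steps` either side (clock
    drift). `used` holds (secret, counter) pairs already accepted, so a code
    observed once cannot be replayed inside its validity window (assumed
    deployment detail, not part of the RFC)."""
    used = set() if used is None else used
    if not (submitted.isdigit() and len(submitted) == 6):
        return False
    counter = unix_time // step
    for candidate in range(counter - skew_steps, counter + skew_steps + 1):
        expected = hotp(secret_b32, candidate)
        # Constant-time compare avoids leaking which digits matched.
        if hmac.compare_digest(expected, submitted) and (secret_b32, candidate) not in used:
            used.add((secret_b32, candidate))  # burn this step against replay
            return True
    return False


if __name__ == "__main__":
    print(totp(TEST_SECRET_B32, 59))                 # RFC 6238 vector at T=59
    print(verify_totp(TEST_SECRET_B32, "287082", 59))
```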
Don't believe the hype
However, Ian Trump, global security lead at SolarWinds MSP, warns against hype from security vendors. “Cloud, machine learning, AI, block chain, post quantum – the list is extensive, confusing and leaves anyone listening who is not in security marketing with blood rushing out of their ears," he says.
At best, Trump says, the technology stack/vendor solution is 33 percent of the people, process and technology security challenge. "What I was hoping for at [February's] RSA Conference was hubris from technology vendors. What I received was an endless supply of free drinks and how the security vendors 'have the security business problem solved.'"
Apparently, he says, his security business problem was solved before the vendors even knew anything about his business.
So, what's the big RSA takeaway, he asks. Vendor security tools don't live in a security vacuum and no one has the solution. Further, if the fundamentals of security are not in place, an end-user doesn't have a chance, regardless of what tools are in place. The fundamentals, he explains, include user security training, controlling administrative access and removing frequently exploited software.
"The math is easy: spend less time on the technology and more time on the people and process, the 66 percent of the security problem," Trump says. "That will allow you to start racking up the wins."
Don't believe the hype that there is a software solution or blinking light box that solves all the security problems; it is just not possible, he adds. "The threat landscape includes folks just asking for you to transfer money because the 'CEO needs it right away.' There is no vendor security tool that fixes stupidity. If you have no defined process and have not invested in and trained your people, blaming the technology is like yelling at the clouds."
Teramind's Kohen agrees, saying that educating the workforce is a priority in simplifying the security posture. Recently, he worked with a university whose administration staff received an email to their university emails to update their account information and passwords. It was a phishing scam that provided the hackers with multiple administrator passwords. When he – alongside the IT security team – investigated the issue, he realized people didn't understand that it's not as easy as just changing a password again and that it's not someone manually digging through their information.
"The department put forward an initiative to explain how phishing scams work and that the consequences are someone has all the data you had access to – including people's personal data."
In particular, most likely due to the hackers' high success rate the first time, this university's administration team was targeted multiple times afterwards. The hackers, however, failed to extract any additional information thanks to the administration team's new knowledge: they reported each phishing email and started a university-wide alert every time they received a suspicious email.