Credit: Glen Maloney, ExtraHop
Security remains a top challenge and hindrance for companies. Why is that?
It comes down to the fact that cybercriminals are extremely well funded and adept at making a lot of money. It’s been estimated that, in Australia alone, cybercriminals cost the economy around $1 billion in lost revenue each year. With so much potential money available, cyberattacks are becoming increasingly sophisticated, and this trend is not going to change anytime soon.
Security also remains a challenge because it is a complex thing to get right. Organisations should realise that tools such as next-generation firewalls (NGFW), data protection tools and web gateway solutions take a lot of fine tuning when first deployed and are primarily focused on north/south threat detection Vs broader contextual awareness. Unfortunately, if a particular solution is having a detrimental impact on business performance or revenue streams, it tends to get turned off and potentially leaves the organisation exposed to threats and blind to the telemetry needed to investigate compromise if it occurs.
It can be all too easy for some organisations to adopt the view that a cyberattack won’t happen to them. History, however, tells another story.
How does lack of network visibility still plague businesses?
If there is a lack of network visibility within an organisation, blind spots can easily occur. It’s a problem that is exacerbated by the growing use of cloud platforms, Bring Your Own Device programs and Internet of Things projects. Because it’s often challenging to load agents everywhere they are needed, there end up being many open doors for cybercriminals to exploit.
Another area of particular concern is the growing trend for cybercriminals to use encrypted data traffic to deliver malware. You can't protect against what you can't see, so organisations need to ensure they have the means to see inside encrypted traffic. I think this will become an increasing challenge for organisations in the coming years.
What are some of the top challenges for security in the cloud space?
One of the biggest challenges I see stems from the fact that many organisations still try to configure their on-premise security tools to work within cloud environments. On-premises tools were never designed with cloud platforms in mind. When forced into duty protecting sprawling cloud attack surfaces, those tools leave visibility gaps that make getting a complete view of what is happening impossible.
Another challenge comes from misconfiguration mistakes. You only have to consider the recent CapitalOne data breach, in which a hacker exploited a misconfigured web application firewall to expose the sensitive data of more than 100 million customers, to see a real-world example. Add in other challenges such as insecure APIs and unauthorised access to cloud resources, and it becomes clear that securing cloud workloads requires a cloud-first approach to security that on-premises tools can’t provide.
Where should IT security channel companies invest and position themselves in the market?
There is growing market demand for IT security channel companies with an understanding of the cloud. Many organisations want to take advantage of cloud platforms but don’t understand the security implications and the steps they need to take, and they are looking for a partner with specialised knowledge who can guide them through the migration process. Such a partner can assist with important things such as application dependency mapping and determining what data is being accessed and where.
By positioning themselves as an expert in this area, security channel companies will be well placed to take advantage of what will continue to be a strongly growing market in coming years.
Where should organisations focus their energy in the current threat landscape? (Where are the easy wins?)
Many organisations have already invested in tools such as next-generation firewalls, endpoint detection and response (EDR) solutions and security information and event management (SIEM) platforms. What they lack is the final piece needed to complete the Gartner SOC Visibility Triad: a network detection and response (NDR) capabilities. NDR solutions collect, mine, and continuously analyse network wire data to detect threats, misconfigurations and policy violations
Earlier this year, Gartner released a market guide that established Network Traffic Analysis (NTA), also known as NDR, as an emerging category of security product. With interest in the area growing quickly, I would not be surprised to see it become its own magic quadrant.
I am also having many discussions with customers about the benefits of bringing their security operations centre (SOC) and their network operations centre (NOC) together to create a SNOC. This will ensure that security events can’t fall through the cracks or go undetected because one centre thought it was being addressed by the other. The result is better overall security.
What do you see as some of the biggest threats to Australian businesses in the year ahead?
I think one of the biggest threats comes as a result of the increased usage of cloud platforms without a corresponding move from on-premises to hybrid or cloud-native security products. Many of the organisations that I speak with still don't understand the implications this has or who has responsibility to ensure effective protection measures are in place.
Under the Shared Responsibility Model for cloud security, cloud service providers (CSPs) secure the infrastructure of the cloud, while customers bear the responsibility for protecting their infrastructure in the cloud.
What does this mean in the real world? There could be instances when developers for a CSP customer spin up resources, but they don't consider how to secure them. If those insecurities go undetected by tools that are not designed to protect cloud workloads and an attacker uses those insecurities to gain access to data, it's the customer who's responsible for any costs associated with the breach. We have already seen some serious cases of data breaches on cloud platforms and, unfortunately, we will inevitably see more.
Another area of threat continues to be ransomware attacks. They are appealing for the bad guys as they represent a very effective way to make money as many victims opt to pay the ransom in the hope of regaining access to their data. Public awareness of ransomware may have dipped a bit lately but it remains a significant threat.
There are many different security frameworks out there, what frameworks are Australian customers looking to adhere too?
It’s been available for a while now, however the Australian Signals Directorate’s “Essential Top Eight” still seems to get a lot of attention as it provides a solid foundation on which to build an effective security infrastructure.
I am also having more conversations about the prudential standard CPS 234 while more advanced security teams are looking towards the MITRE ATT&CK Framework. This is already strong in the United States and is now making its way into this region.