A persistent failure to capitalise on the benefits of integration has left security practitioners playing catchup as security best practice shifts away from networks and towards the applications and data running on them, one expert has warned, reinforcing the urgency of moving security thinking away from conventional 'defence in depth' strategies.
Driven by competition between security vendors, years of industry focus on best-of-breed point solutions had produced incomplete integration practices, and the resulting gaps were now being exploited by cybercriminals, Tenable Network Security vice president of strategy Matt Alderman told CSO Australia in the wake of his recent keynote presentation at the RSA Conference 2016 Asia Pacific & Japan in Singapore.
“There were promises in the past that certain technologies could have integrated all of this security data together and presented it in a way that would have made sense,” Alderman said. “But it never happened. By not connecting these point solutions, all we have done is create gaps – and the gaps are where we are getting attacked.”
Recent years had seen the addition of mobile devices, cloud applications and other modalities that had so complicated security infrastructure that many organisations would benefit from simply starting over on their security environments – as some companies were doing by progressively moving their core computing environments into highly scalable cloud environments.
Such migrations had often, however, exposed complex nests of interdependencies that had been established to meet compliance requirements – and which were not easily disassembled and rebuilt into an equally compliant environment that also incorporated cloud offerings.
Meeting these requirements had forced organisations to look for ways of building an integrated security environment that would extend equally across the on-premises and cloud-based components of enterprise architectures. However, with the security industry still focused on preventative, reactive strategies, the modernisation of security had for many organisations come to be associated with compromises to crucial governance, risk and compliance demands.
“At the end of the day our fundamental problem in this industry is that we react to technology,” Alderman said. “We are not proactive with security at all, and never have been. Security has always been this afterthought of layering controls around our IT infrastructure, so we have always been playing catchup from a security perspective.”
Effectively moving to a comprehensive security model would require concrete steps in nine key areas, Alderman said. These included asset inventories – “the most fundamental thing, and we ignore it,” he noted – as well as finding a way to identify and remediate device vulnerabilities; locking down endpoints as part of the shift from a network to an application focus; and improving the analysis of code to rapidly identify insecure elements.
“If you're not addressing device vulnerabilities it doesn't matter what else is on the network,” Alderman said. “You're giving attackers the front door through simple phishing attacks. And we are way behind in understanding how to assess applications for vulnerabilities; we need to understand that or it will burn us.”
Other key areas of focus included improving the monitoring of logs from network, application and cloud infrastructure; examining user accounts; using behaviour analysis to baseline normal activity; establishing means to identify and follow lateral movement as attackers use stolen credentials to move through the network; and automation to help facilitate these processes.
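Three of the areas above (asset inventory, baselining normal behaviour, and following credential-driven lateral movement) can be illustrated with a small detection routine. The following is an added example, not code from the article or from Tenable: it assumes a hypothetical authentication-log format (timestamp, user, source host, destination host, outcome), a baseline window of constructed "normal" logins, and a constructed asset inventory; the host and user names are invented.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample data (hypothetical log format, invented hosts/users).
# Baseline window: a week of ordinary logins used to learn what "normal" is.
BASELINE_LOG = """\
2016-07-18T08:01:00 alice ws-alice fileserver01 success
2016-07-18T08:02:00 alice ws-alice mail01 success
2016-07-18T09:10:00 bob ws-bob fileserver01 success
2016-07-18T09:11:00 bob ws-bob db01 success
2016-07-19T08:00:00 alice ws-alice fileserver01 success
2016-07-19T09:00:00 bob ws-bob db01 success
"""

# Window to score: alice's credentials are used from bob's workstation and
# then hop host to host, ending on a machine missing from the inventory.
NEW_LOG = """\
2016-07-25T08:05:00 alice ws-alice fileserver01 success
2016-07-25T11:40:00 alice ws-bob fileserver01 success
2016-07-25T11:42:00 alice fileserver01 db01 success
2016-07-25T11:43:00 alice db01 hr-payroll01 success
2016-07-25T12:00:00 bob ws-bob db01 success
"""

# Constructed asset inventory: the hosts the organisation knows it owns.
INVENTORY = {"ws-alice", "ws-bob", "fileserver01", "mail01", "db01"}


@dataclass(frozen=True)
class Login:
    ts: datetime
    user: str
    src: str
    dst: str
    outcome: str


def parse(text):
    """Parse the hypothetical whitespace-separated log format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst, outcome = line.split()
        events.append(Login(datetime.fromisoformat(ts), user, src, dst, outcome))
    return events


def build_baseline(events):
    """Per-user set of (source, destination) pairs seen during normal activity."""
    baseline = defaultdict(set)
    for e in events:
        if e.outcome == "success":
            baseline[e.user].add((e.src, e.dst))
    return baseline


def unknown_assets(events):
    """Hosts that appear in the logs but are absent from the asset inventory."""
    seen = {h for e in events for h in (e.src, e.dst)}
    return sorted(seen - INVENTORY)


def find_lateral_chains(events, baseline):
    """Return (anomalies, chains).

    An anomaly is a successful login whose (src, dst) pair the user has never
    produced before. A chain is an anomaly whose source host was itself reached
    by an earlier anomalous login of the same user: the pattern of a credential
    being reused to hop from one newly reached host to the next."""
    events = sorted(events, key=lambda e: e.ts)
    reached = defaultdict(set)  # user -> hosts reached via anomalous logins so far
    anomalies, chains = [], []
    for e in events:
        if e.outcome != "success":
            continue
        if (e.src, e.dst) in baseline.get(e.user, set()):
            continue
        anomalies.append(e)
        if e.src in reached[e.user]:
            chains.append(e)
        reached[e.user].add(e.dst)
    return anomalies, chains


def analyse():
    """Run the whole pipeline over the constructed sample and summarise."""
    baseline = build_baseline(parse(BASELINE_LOG))
    new_events = parse(NEW_LOG)
    anomalies, chains = find_lateral_chains(new_events, baseline)
    return {
        "anomalies": [(e.user, e.src, e.dst) for e in anomalies],
        "chains": [(e.user, e.src, e.dst) for e in chains],
        "unknown_assets": unknown_assets(new_events),
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key}: {value}")
```

The baseline is deliberately per-user rather than per-host: bob logging into db01 from his own workstation is normal, while the same credential pair for alice is not, which is exactly the distinction a user-centric baseline is meant to draw. The chain check adds the ordering constraint that distinguishes a single odd login from a sequence of hops, and the inventory check surfaces the host that a coverage-based vulnerability programme would never have scanned.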
“Security only gets harder when you do it in the cloud,” he said. “There is compartmentalisation of infrastructure and you've got to understand what is going on in every layer. You need to prioritise where you respond to incidents, what is critical to the environment and where to focus your resources. And while there are tools, they have to be integrated together to allow customers to manage those different elements in a much more centralised way.”
Alderman's warnings echo the findings of a recent Ponemon Institute study in which 70 percent of Australian IT-security practitioners said the security constructs of cloud environments made it harder to manage privacy and data regulations than on-premises networks, and 58 percent said cloud services made it more difficult to protect confidential or sensitive information.
Providing these protections required a reinvention of security models, Alderman said, one that offers organisations the possibility of redesigning their security around an application-centric rather than a network-centric paradigm, which better suits cloud-based operational modes since “that's where our sensitive data is.”
“We really have to think differently, and to move away from thinking that it's all about protecting the IT infrastructure,” he explained, “to knowing that it's all about protecting the application. That's the biggest shift, that people aren't ready for yet.”
Despite years of progress, vendors were still only part of the way towards facilitating that shift: security specialists often struggled to link technologies with business requirements and overall risk profiles, meaning that users who rely too heavily on vendor solutions risk leaving vulnerable gaps unaddressed over time.
“At some point you have to bring the business and security sides together to understand how to truly manage risk,” Alderman said, noting that “there has to be alignment of risk and reward at some time. It's the only way you're going to be able to execute on a security plan.”
Better alignment between security and business practitioners would help revitalise discussions around security as an increasing proportion of the business moves to the cloud – a trend that Gartner has previously predicted would see 30 percent of companies moving the majority of their enterprise applications to the cloud by 2018.
The ongoing 'cloud shift', the firm has more recently predicted, would see more than $US1 trillion worth of IT spending moved to cloud-based alternatives by 2020. By then, 43 percent of business process outsourcing, 37 percent of application software, 17 percent of system infrastructure and 10 percent of all applications infrastructure software deployments will have shifted to the cloud.
“These major trends and technologies will drive a radical shift in the way we approach security,” Alderman said. “The stakes are only getting higher as more and more stuff is stored outside corporate data centres. And if we just take this reactionary approach, we are going to be way behind.”