FEATURE
tions lock down the voice network?

In theory, voice and security providers have been trying to solve the voicemail hacking problem for some time, but the approach has depended far too heavily on policies that are simply not workable for the vast majority of organisations. Furthermore, such process-led models are, again, typically static and fail to address the fact that the threat landscape is constantly changing. Putting controls in place to protect against a specific hack is great – until the hacker tries something new.

And this is where the voice security model needs to change and evolve fast from the hardware-led, ‘implement once, update never’ approach to a software model that allows continuous update. The continuous update and collaborative software model enables vendors to respond to emerging threats by, for example, providing specific voicemail protection modules, delivered as part of a cloud-based SBC, to identify breach attempts, lock down the voice network and alert the organisation. In addition, the solution will log rogue numbers identified across the cloud-based network, rapidly creating a database of blacklisted numbers that can be deployed by all organisations to further protect against voicemail hacking attempts.
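As an added illustration of the detect-and-blacklist loop described above (example code written for this page, not VoipSec's or any SBC vendor's product), the following Python scans constructed voicemail login records for PIN-guessing bursts and merges the flagged callers into a shared blocklist; the log format, the 10-minute window and the threshold of four failures are assumptions.

```python
"""Voicemail PIN brute-force detection over constructed call-attempt logs, with
flagged callers merged into a shared blocklist. Added example for this article,
not VoipSec's or any vendor's code; log format, window and threshold are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log: one voicemail login attempt per line (not real traffic).
SAMPLE_LOG = """\
2017-08-01T02:14:03Z from=+15550100 mailbox=2041 result=PIN_FAIL
2017-08-01T02:14:09Z from=+15550100 mailbox=2041 result=PIN_FAIL
2017-08-01T02:14:15Z from=+15550100 mailbox=2041 result=PIN_FAIL
2017-08-01T02:14:20Z from=+15550100 mailbox=2042 result=PIN_FAIL
2017-08-01T02:14:27Z from=+15550100 mailbox=2043 result=PIN_FAIL
2017-08-01T02:14:33Z from=+15550100 mailbox=2043 result=PIN_OK
2017-08-01T09:02:11Z from=+15550199 mailbox=2050 result=PIN_FAIL
2017-08-01T09:03:40Z from=+15550199 mailbox=2050 result=PIN_OK
"""
WINDOW = timedelta(minutes=10)  # assumed sliding window for counting failures
MAX_FAILURES = 4                # assumed failures within the window before flagging
LINE_RE = re.compile(r"^(?P<ts>\S+) from=(?P<src>\+\d+) mailbox=(?P<box>\d+) result=(?P<res>\w+)$")


def parse_line(line):
    """Return (timestamp, caller, mailbox, result), or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["src"], m["box"], m["res"]


def detect(log_text, window=WINDOW, max_failures=MAX_FAILURES):
    """Single pass over the log. Returns (alerts, compromised): alerts holds one record
    per caller that exceeded max_failures inside the window; compromised lists
    (caller, mailbox) pairs where a flagged caller subsequently logged in."""
    recent = defaultdict(deque)  # caller -> failure timestamps still inside the window
    probed = defaultdict(set)    # caller -> mailboxes it has failed against
    alerts = {}                  # caller -> alert record, updated while the burst continues
    compromised = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue             # skip malformed lines instead of aborting the scan
        ts, src, box, res = rec
        if res == "PIN_FAIL":
            q = recent[src]
            q.append(ts)
            while ts - q[0] > window:
                q.popleft()      # forget failures that fell out of the window
            probed[src].add(box)
            if len(q) >= max_failures or src in alerts:
                a = alerts.setdefault(src, {"caller": src, "first_seen": q[0]})
                a.update(failures=len(q), last_seen=ts, mailboxes=sorted(probed[src]))
        elif res == "PIN_OK" and src in alerts:
            compromised.append((src, box))  # success after a burst: lock that mailbox down
    return list(alerts.values()), compromised


def merge_blocklist(reports):
    """Combine {site: alerts} from several sites into {caller: sorted reporting sites},
    the shared blacklist any participating organisation can then apply."""
    blocked = defaultdict(set)
    for site, alerts in reports.items():
        for a in alerts:
            blocked[a["caller"]].add(site)
    return {caller: sorted(sites) for caller, sites in blocked.items()}
```

On the sample, the first caller is flagged at its fourth failure, the later success against mailbox 2043 is reported as a compromise, and the single failure from the second caller never reaches the threshold.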
Conclusion

The failure of the hardware SBC is not only compromising the evolution of the IT infrastructure but adding untenable business risk. According to NEC, 84% of UK businesses are considered to be unsafe from hacking, and attacks on VoIP servers represented 67% of all attacks recorded against UK-based services, according to Nettitude. Risks such as toll fraud are well known. But how many organisations also realise that the voice network can be compromised to eavesdrop on sensitive communications with malicious intent such as harassment or extortion? Or to gain access to private company and customer contacts?

While hackers are cashing in on the widespread adoption of VoIP, the vast majority of SBC vendors are simply failing to respond. They still advise an implement-once model. They fail to update customers on the evolving threat landscape – such as the rise in voicemail hacking. And they cannot support the agile, decoupled infrastructures now required. So just what is the value of a hardware-based SBC?
About the author

Paul German is founder & CEO of VoipSec, which specialises in VoIP security. He has over 18 years’ experience in the areas of unified communications, voice and network security, having worked with a broad range of organisations, including Cisco and most recently leading the EMEA business for Sipera Systems.
Adapting to the disappearing perimeter

Steve Mansfield-Devine, editor, Network Security
Network Security, August 2017

Security professionals have been warning for years that the traditional network perimeter is vanishing, along with the protections provided by security solutions that once lived there. In this interview, Kirsten Bay, CEO of Cyber adAPT, explains how new technologies such as the Internet of Things (IoT) are forcing us to think more deeply about the kinds of defences we use – and what we’re trying to defend.

Inevitably, one of the first questions to ask is why – what are the factors that are causing an organisation’s network to become so porous and amorphous? The immediate answer, says Bay, is one that drives so many developments in IT and in business. “One of the most important elements is cost,” she says. “We’ve been looking at distributed networking for some time in relationship to the cloud. Just look at the movement of things like Office 365 or Dropbox. We’ve been building datacentres and trying to move people to the cloud over a decade or so and now it’s picking up a lot more steam.”

Technologies such as software-defined networking and never-ending increases in sheer computing power are opening up new ways in which information is moved and shared, adds Bay. Organisations are embracing distributed networking partly because they can and partly because they increasingly think in global terms. In addition, the need to process much greater volumes of data is pushing organisations towards the cloud. “If you look at like HANA, for example, from SAP, which came online five or six years ago, the big issue was that they could get the data in but they couldn’t get it out because of the bandwidth issues,” says Bay. “But those challenges are being solved. So we’ve been trying to move that way for some time and I think we are finally getting there. But ultimately cost drives it and so naturally we in the security sector get left behind. Now we have to catch up.”
Kirsten Bay is president and CEO of Cyber adAPT (www.cyberadapt.com), which she founded in 2015. Her experience over the past 25 years includes sitting on a US congressional committee on cyber-security and, through her work with the Centre for North American Studies (CNAS) and the Centre for Strategic and International Studies (CSIS), helping to develop energy policy for the White House. In the UK, she has contributed her insight to a parliamentary subcommittee on recreating trust in the global economy. Cyber adAPT offers a security platform that monitors 100% of traffic inside mobile-enabled enterprise networks as a way of detecting otherwise hidden, malicious threats that make it through perimeter defences.

Changing workforce

To these pressures and opportunities you can add changes in the nature and structure of workforces. Remote working is more common now, workforces are often spread over wider geographical areas and technologies such as mobile are having profound effects on the way people work. A combination of all of these is contributing to the dissolution of the network perimeter, says Bay. She points out how the composition of the workforce has altered. Many of the people working in larger organisations are contractors or consultants. They may be brought in to work on a major project, but will then move on, sometimes to a different part of the world. This greatly complicates the picture in terms of the data they need to do their jobs – where it’s stored and how it’s delivered. Also now, of course, many organisations are 24/7 operations, especially if they are web-based or have globally distributed business units, subsidiaries and partners. And, as Bay points out, the phones and tablets that workers carry with them, far beyond the workplace, remain part of your network traffic and data architecture.

Internet of Things

To complicate matters further, there has been a critical shift in what we perceive as a network node. It’s not just servers, desktops and laptops anymore. The Internet of Things (IoT) has the potential to massively expand the network with devices that are somewhat alien to the traditional network manager’s mindset. “We’ve started to look at some of the schematics of how you break that out,” says Bay, “because by the very definition of it being a thing, it could be anything, right? Organisationally, the physical security side is what’s being the most impacted. Looking at an enterprise, you’re thinking about badge readers, HVAC systems, elevators, surveillance cameras for CCTV. These are elements of technologies in cyber organisations where they’re all connected. You’re even talking about presentation machines, where you have projectors that are now connected to the Internet. So, all of those elements are potential vulnerabilities for institutions.
“I was at a large bank a couple of weeks ago and they felt they were doing a pretty good job of the normal blocking and tackling that they need to do in the network, but they realised that it’s just not enough and they don’t know where their vulnerabilities are on the physical side. The physical security aspect of the business is really starting to gain traction.”

There has been talk for years about convergence between physical security and data security but it has never really got off the ground. With the growth in network-connected devices, particularly within the physical security arena, this could be the spur for this convergence to finally happen, believes Bay. “We’re at the beginning of it,” she says, “and there are also the other legs of that stool, which is the AI [artificial intelligence] piece. I was just looking at an article that was saying that Walmart is now going to consider facial recognition in its stores, so it can see if people are unhappy and can do something about the customer having a bad experience.1 All of these elements brought together create a whole different level of complexity in the security model.”
We’re entering a period where many technologies are starting to interconnect, says Bay – with virtual reality being another prime example. And the variety and complexity of the implementations that will arise make it difficult to foresee the potential security implications. “Think about the fact that you can store the facial recognition data of a person, that you can link that to their identity, that you can link that to their accounts,” she says. The current situation, in which someone might be fretting about the security and privacy obligations of storing a social security number or a birth date will seem trivial by comparison.
Where’s the security?

The critical question, then, is where security fits into this picture. Back in the old days, it was simple. You might implement anti-malware protections on your mail server and install a firewall between your network and the Internet and that was the job done. With the perimeter all but gone, where do you place your security software and hardware? “It’s interesting to think about the endpoint,” says Bay. “One of the things that we’ve started to look at is whether we embed it into the chipset. How much processing speed do you need in the chipset? It goes back to this concept of distributed networking and we may well go back to the dumb terminal concept, where our devices are all being run through the cloud and not onsite. That could be one way that we start to solve this but it really has to be a built-in model.”

Bay harks back 12 years to when she was carrying out econometric studies looking at built-in security and the value we placed on data. Today, we’re faced with maintaining the pace of innovation and development in technology and its applications while also having to address these ever-more pressing issues of security. “Part of it is security awareness, part of it is built-in security, and part of it is creating layers that we have to pass through along the way, where we do behaviour analysis, traffic analysis,” she says. Preventing a device from talking to the network at all is one option, but it’s hardly ideal and certainly doesn’t represent any kind of a solution. A better approach, she believes, is to “converge traffic into certain locations to be inspected and then pass it on, like a tollbooth.”
Close to the data

Given that it’s the data we’re trying to protect, is there a case for putting the security solution as close as possible to the data itself?
“That’s a possibility,” says Bay. “The problem is we’re really not very good at the asset quantification and qualification. It’s interesting when we talk about the technology elements of what we have to do. One thing I really try to emphasise to our customers is, before you go buy more tools, let’s really evaluate what it is that you’re trying to protect.”

A common experience for Bay occurs when a customer uses a tool to locate payment card data and other personally identifiable information (PII) residing on devices. “Inevitably you get someone who says, well I didn’t realise that data was over there, why is that over there? So part of the problem is getting to the prioritisation piece where we can start to get data in the right places, that we understand what data it is that we’re trying to protect. People feel completely overwhelmed trying to get to that data-level protection. It’s incumbent on us to achieve better asset qualification and then start to look at how we can protect those assets and put them in places where we can guard them more readily.”

Figure: Time taken to identify and contain attacks. Source: Ponemon Institute/IBM.
That sounds like a far more proactive approach than simply plugging in a firewall and that’s no accident. Bay feels that the security function in an organisation needs to become more proactive by adopting, for example, activities such as intelligence sharing and threat hunting.
“That’s why network traffic analysis, as an example, has become really important in the overall security stack,” she says, “because it enables you – especially from an end device perspective – to stop attacks from happening more easily. “That’s where I think the machine learning components are going to be important. You can look at large user bases and how they’re targeted to develop predictive analysis. That enables you to do more proactive policy set-ups in your organisations. It’s important to do it through the lens of the motivation and intent of the adversary and really think about how you block certain elements of that kill chain – look at where those vulnerabilities are, and how individuals are now the primary vectors. That’s the big key – how we look at the motivation and intent of the adversary and how they’re leveraging individuals, recognising that the perimeter around an enterprise organisation is much more difficult to crack now, but the individual is still easy to compromise. There are millions of ways to compromise individuals.”
Speed of response

The trick is knowing about the attack. Too many organisations discover that they’ve been breached when their databases are published on Pastebin. Studies, such as the Ponemon ‘Cost of a data breach’, have shown that it’s common for attackers to be able to roam a target’s networks for days – often months – before being detected.2 Stopping an attack early in the kill chain can prevent much of the damage. Bay thinks we need systems that give us the ability to detect and react much earlier.

“The threat hunting concept for me is still challenging,” she says. “It almost feels like needles in a haystack of needles. But there are things that we learn in the process and the information-sharing component is really important.”

Because we’re talking about distributed networking, there’s going to have to be distributed security, says Bay. She foresees ‘security tollbooths’ through which traffic is passed in order to be analysed – much like what happens now with firewalls but in a more distributed topology. These tollbooths would also be able to gather intelligence about this data and any threats that are discovered, which can then be fed back into security systems.

If this sounds rather more complex than the networking and security architectures we’re used to, it’s because it is. And it’s also going to require a higher level of skills and capabilities than most organisations are used to having, says Bay. “We’re already short on staff capabilities,” she says. “People are now moving towards managed service providers who are much more sophisticated. What’s interesting is that we don’t really have a technology problem, we have an incident response problem. So how do we help smooth out the incident response solution to become more efficient, faster and more intelligent in the sense that you actually have context and learning in what you’re doing from the incident response perspective and that learning gets pushed into the playbooks?”
Someone else’s computer

As with so many things, security is made all the more complex when your data is being stored on someone else’s computer – which is to say, in the cloud. Cloud service providers (CSPs) will work with their customers up to a point, but issues such as security audits can become a sticking point. You may also be limited in terms of the access controls you can put around your data. This can raise tricky questions about who owns the data, who controls it and who’s responsible for ensuring its integrity and confidentiality.

Figure: The cloud access security broker model.
One step in addressing these issues is the cloud access security broker (CASB) – a system that takes care of the link between devices and the cloud services they’re accessing. The CASB will enforce policies, monitor activity, issue alerts and take actions – for example, to prevent malware infection. “For example, we look at people who just want to have a secure connection between a device and Office 365, Dropbox or AWS,” says Bay. “You can develop solutions where you have certificates that are associated with those services, so you have the capability to own the certificates all around those connection points, ensuring it’s always secure every time those connections happen. Many companies now are looking at whether to take that approach versus trying to have full-on VPNs where people are always connected and securely connected and then they monitor just those specific connections that matter to them in the more distributed networking world.”
Catching up

Aside from chipping away at the conventional model of the network with its definable perimeter, technologies such as cloud and IoT have introduced security issues simply because they have been adopted very rapidly with little time to consider security implications, let alone come up with solutions. Alas, the developers of innovative technologies still rarely build security into their systems – it’s usually an afterthought, if it’s thought about at all. And with the accelerating pace of progress, can security keep up?

“We keep hoping so, right?” says Bay. “It’s something we’ve been talking about for a long time. I think we’re getting better. Security people were always considered the business prevention unit, so there’s still that.”

The age-old problem of organisations feeling they need to get their new products and services to market in the shortest possible time, with security being seen as an impediment to that, remains a serious issue. Bay says she’s worked with a number of computer science programmes – including many well-respected courses – that still don’t require any security component. “I scratch my head because if we’re not starting there, we’re not going to get anywhere,” she says. Given that new computing paradigms such as cloud computing and IoT are significantly altering the very shape of information technology, we need a corresponding shift in security, says Bay. “And as uninteresting as this sounds,” she says, “it’s about looking at cyber-security as risk management, not risk mitigation and that is part of business process. It’s a very unsexy statement but it’s something I’ve been talking about for years.”
Bay points to the June attack on FedEx, which left many of the company’s facilities resorting to pencil and paper to carry out transactions.3 “They didn’t have cyber insurance,” says Bay. “I was stunned when I read that. What we as an industry have to get much better at is helping companies such as FedEx understand what the risks are. They understand weather, they understand geopolitical risk, they understand all these risks that they factor in, but this is not one they factored in. This is an indicator that they don’t see this risk in the same way that they see other significant business impact risks.”

There are some positive signs, she feels. “It’s interesting that we are now seeing attacks that are really impacting financial quarters, and maybe we’ll start to look at them differently. That’s where we have to start.” That cyber awareness needs to be more fully integrated into the entire business culture. The issue, however, is that cyber-risks can be much harder to quantify and value compared to, for instance, the weather, whose causes and effects are well understood. “We have to find a way to demystify this conversation and distil it into percentages, risks, that it’s 30% more or less safe, for example,” says Bay. “Those are nascent areas of study that we just haven’t gotten to yet.”

This might also help to address the other perceptual problem, which is that security is always seen as pure cost, with no visible return on investment (right up to the point when you’re hacked). “I’m hopeful,” says Bay. “The unfortunate part of being a security practitioner is if nothing happens it’s always proof of a negative. If something didn’t happen is it because you’re really great at what you do, is it because you were really lucky, or is it that you haven’t found it yet? That portion of the conversation really needs to change, to stop people thinking, ‘Well nothing happened, so we don’t need to invest in that anymore’.”
Driving change

So what will drive this change? Will it be more and more high-profile breaches, with the likes of the mighty FedEx being reduced to breaking out the pencils? Or will it be more regulation? “If we can’t make it relevant to the business then it doesn’t matter,” says Bay. “We have to get so much better at helping the business understand and integrate this concept into their environment. And it’s important because there’s no being decoupled from it any longer. We are definitely connected and the technology drives business processes. Distributed networking, in terms of speed and processing power, enables us to move faster. It has enabled us to kick the middle man out of most of the transactions. It’s completely changed how we do business and if that’s the case then we need to be able to have the same risk elements applied to it.”
About the author

Steve Mansfield-Devine is a freelance journalist specialising in information security. He is the editor of Network Security and its sister publication Computer Fraud & Security. He also blogs and podcasts on information security issues at Contrarisk.com.
References

1. Peterson, Hayley. ‘Walmart is developing a robot that identifies unhappy shoppers’. Business Insider, 19 Jul 2017. Accessed Jul 2017. www.businessinsider.fr/us/walmart-is-developing-a-robot-that-identifies-unhappy-shoppers-2017-7/.
2. Ponemon, Larry. ‘2016 Ponemon Institute Cost of a Data Breach Study’. IBM, 15 Jun 2016. Accessed Jul 2017. https://securityintelligence.com/media/2016-cost-data-breach-study/.
3. Schlangenstein, Mary. ‘FedEx’s TNT reels from June cyber-attack as damage lingers’. Bloomberg Technology, 17 Jul 2017. Accessed Jul 2017. www.bloomberg.com/news/articles/2017-07-17/fedex-says-tnt-systems-may-never-fully-recover-from-cyber-attack.