The hackers are winning.
Or said more accurately, strong security is losing . . . sometimes to itself.
That seemed to be a general undertone of last weeks’ RSA Conference. No one actually came out and said it in those words, but there is an undeniable degree of humility to many of the messages passing through the halls of the Mascone Center this year. Oh sure, there was still plenty of bravado about features and capabilities pouring off the lips of those working the 1,700 vendor booths that made up two exhibit halls. And a high degree of innovation was also on display, in particular in areas of analytics, deception technologies and automated security controls.
But I couldn’t help notice that there were four or five common tomes of the week that echoed this sense acknowledging a loss of control and confidence of preventing exploit or exfiltration. Here are some of the common themes coming from the many end users I spoke to at the show:
1. “I can’t get control of my users”
If I had to nominate an Acronym of the Year based on its prevalence at RSA, I would have to go with CASB, short for Cloud Access Security Broker. There seems to be a growing hope that this can be the silver bullet to protect organizations (and CIO’s) from catastrophic loss caused by users putting data they shouldn’t into SaaS environments. If you’re not familiar with the CASB space, the basic idea is acting as a middle-man between employees and their use of any external SaaS based applications.
Think security controls on how employees access Saleforce.com even when they access via credentials from their iPad off their home network. Now think of applying this to the myriad SaaS solutions popping up that require little or no IT support to stand up. The two CASB sessions I attended last week had a common message from the end user (enterprise) community . . . there are hundreds if not thousands of apps out there that your users are accessing and likely exposing to sensitive data. The emphasis of value described by these end users tended to lean heavily on the discovery aspects of the problem, likely an indication of the early state of the market.
2. “I don’t control the apps I’m asked to protect”
The emergence of DevOps and ‘Shadow IT’ remained heavy themes and ominous trends at this year’s event. Increasingly, IT and security teams are feeling left out of the process as application developers working within individual business units spawn unknown (and certainly un-scanned) applications out into cloud hosting environments. This situation is creating major challenges for both finding and keeping up with the changes to these apps as they pop up. We’ve been in environments where some applications running on DevOps cycles see as many as 100 changes on a daily basis.
3. “I’m losing the security budget”
Perhaps a next step in this evolution of devaluing of the security team is the actual loss of budget for securing apps popping up in various public clouds. As budgets for optimizing cloud based applications move into non-IT parts of the company (e.g., marketing or ecommerce teams). For example, rolling security controls into a CDN. This is a particular troubling and dangerous trend, and not only because it signals a broader threat to the security team’s influence. This is mainly common in smaller organizations or those that are purely focused on satisfying some basic compliance requirements and are all-too-happy to believe the vendors in this space in terms of the level of protection they provide. Our own experience with these solutions is they severely lack in particular positive security models that ensure protection beyond whatever limited database of known threats they maintain, or what you can get from common open-source tools (e.g., ModSecurity).
4. “I can’t keep up”
Security professionals can be forgiven for having a growing feeling of defeat when it comes to keeping pace with the evolution of the threat landscape. The degree of automation driving fast-morphing tactics and vectors combined with the ease of scaling attacks to new levels of volume are an ominous challenge for even the best of security teams. We believe the solution to the problem of automation is . . . automation, this time applied to the protection side of the coin. In our recent 2016 Global Network & Application Security Report, we highlighted not only the increase in automated attacks, but also the reality that only 20% of respondents to our survey indicate they are using the automation capabilities in their security tools.
5. Back to (the new) basics
The fact is that all of the changes that networks and application environments have undergone haven’t changed the basics of what’s needed for security. They’ve only changed the way those security controls can and should be applied. And it’s time for security professionals to take back the reigns when it comes to assessing and minimizing risk. Security professionals still sit in the ideal seat to assess the likely of being targeted by certain threats, being exposed by certain vulnerabilities, and assessing the they risk.
Based on these conversational themes, here are are some important principles that aren’t new, but might have greater urgency in today’s threat landscape and complex computing environments.
Leverage automation – will help you keep up with the automation we see on the threat landscape side. The availability of technologies like Real-Time Signature development and Automated Policy Generation have matured considerably over the past few years, and it is time for security professionals to put more trust in these tools.
Adapt protections to keep pace with the rapid changing application space – if you think your “application guy” can keep up with all the new applications being born within your organization, much less all the changes that create new potential vulnerabilities, you’re fooling yourself. Investigate solutions like our WAF’s new integration with HP WebInspect that can very granularly identify changes to applications and trigger WebInpsect to scan the file or folder. Any holes can automatically be addressed by a virtual patch implemented as a new policy on the WAF.
Incorporate cloud migration capabilities in assessing points of security control – assume that half or more of the applications in your datacenter today will be out in a cloud hosting environment within 3 years. In conjunction with that, you need to look for solutions that won’t require you to manage different policies through different interfaces across the growing number of environments you’re protecting. The coordinated policy orchestration within our Cloud WAF is a good example of this.
Educate and collaborate with your less security minded peers – regardless of shadow IT or other trends graying the line of security, you’re still accountable for being the leading for security within your team. As business units or ecommerce groups seek to roll IT requirements (availability, security) into broader relationships, you need to be the voice of reason for what those services can really do. That means not only speaking up, but also doing a thorough assessment of security controls.