Security Leaders Must Change Their Mindset on How to Think About Policy, Detection and Enforcement
Security practitioners have a problem. In the face of a seemingly endless barrage of cyberattacks, organizations have been faced with mounting pressure to combat threats by any means possible. In the interest of deepening defenses, too many organizations have taken a “buy it all” approach, hoping that by adding more and more security layers to their network, they will be able to keep up with the malicious threats trying to bring it down.
This has created an unmanageable sprawl of products that all claim to make us more secure, when in reality they have taken the “defense in depth” model to a counterproductive extreme. Too much time and money are spent keeping a litany of network security devices up to date, and not enough is spent building a network that is actually secure. Instead of creating greater certainty, it is creating agonizing complexity.
Case in point: at RSA last month, I was bombarded by an interminable number of new appliances promising to protect my network from any number of highly specific threats. But if we added a new security layer for every new threat, we wouldn’t be any more secure – instead, we would have endless silos of disconnected and ultimately inadequate applications.
The fact is, we need a fundamental change in the way we view security. We need to reset our thinking and priorities and move the focus away from improving network security and towards creating secure networks. While multiple layers of defense remain important, more emphasis needs to be placed on how companies integrate, update and manage their security.
At their core, secure networks should focus on automation and management. This includes expanding enforcement beyond the firewall to determine what other points in the network can help stop threats. They should focus on how to more effectively integrate threat intelligence from multiple sources and then automate the analysis of that information. Finally, they need to find ways to more centrally manage and adapt policy rules that can be enforced as broadly across a company’s infrastructure as possible.
We need to change our mindset on how we think about policy, detection and enforcement. There are several steps that companies can take to move towards creating secure networks and away from improving network security.
1) Open Standard, Intent-Based Policy Engine: The industry has been talking about universal policy and universal policy engines for decades. Translating policies and zones between different policy engines has grown exceedingly difficult, as CISOs and CIOs now inherit at least three generations of devices with little documentation of the security coverage they provide. We need an automated, federated policy engine that can exchange policies using open standards. The community should embrace open source efforts in cybersecurity information sharing specifications like TAXII™, STIX™, and CybOX™. A great overview of these specifications can be found on the US-CERT government website.
Of the three, STIX™ is the most focused on the exchange of cyber threat information, and it can also lead to a change in mindset around detecting cyber threats and bad actors.
2) Embrace Ability to Detect Anywhere: We should be able to leverage the latest technology to identify the bad guys faster. First, as mentioned with STIX™, we want to use all available intelligence to identify threats and bad actors in real time. With open, standards-based threat intelligence exchange, every organization should have the information it needs to block known threats. Even with some of the best firewalls and perimeter security policies defined, threats and bad actors have still been detected inside local area networks. Unfortunately, these threats and hackers are typically found manually, and usually reactively, after a security incident response team notifies the public in some form. Instead of scrambling to sift through the network, we should be able to use the network itself to detect threats or bad actors and immediately quarantine them or stop their proliferation within the network.
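To make points 1 and 2 concrete, here is an added example that is not code from the original article: a small script that ingests a STIX indicator bundle shared via open standards and matches its observables against the network's own flow and DNS logs, returning the internal hosts that would be candidates for quarantine. It assumes STIX 2.1 JSON (the article's era used STIX 1.x XML); the bundle, its ids, the indicator values and the log lines are all constructed, and the parser handles only a simple subset of the STIX pattern language.

```python
# Added example: pull indicators out of a STIX 2.1 bundle and match them against
# network logs. Bundle, ids and log lines are constructed; the pattern parser only
# handles the simple "[type:prop = 'value']" form joined by OR, not full STIX patterning.
import json
import re

STIX_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [{
        "type": "indicator", "spec_version": "2.1",
        "id": "indicator--00000000-0000-4000-8000-000000000002",
        "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
        "name": "Known C2 infrastructure (constructed)", "pattern_type": "stix",
        "pattern": "[ipv4-addr:value = '203.0.113.9'] OR [domain-name:value = 'bad.example']",
        "valid_from": "2024-01-01T00:00:00Z",
    }],
})

# One STIX comparison expression: [object-type:property = 'value']
_COMPARISON = re.compile(r"\[(?P<obj>[\w-]+):(?P<prop>[\w.]+)\s*=\s*'(?P<val>[^']*)'\]")

def parse_indicators(bundle_json):
    """Return {(object_type, property): set(values)} for every STIX indicator in the bundle."""
    watch = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue  # relationships, sightings and non-STIX patterns are skipped
        for m in _COMPARISON.finditer(obj["pattern"]):
            watch.setdefault((m["obj"], m["prop"]), set()).add(m["val"])
    return watch

# Constructed flow and DNS log lines: "<kind> src=<host> <field>=<value>".
LOG_LINES = [
    "flow src=10.0.0.5 dst=203.0.113.9",
    "dns src=10.0.0.8 query=bad.example",
    "flow src=10.0.0.5 dst=192.0.2.20",
]
# Which STIX observable (type, property) each log field corresponds to.
FIELD_MAP = {"dst": ("ipv4-addr", "value"), "query": ("domain-name", "value")}

def find_hits(bundle_json, lines):
    """Return (src_host, matched_value) for each log line that hits an indicator."""
    watch = parse_indicators(bundle_json)
    hits = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        for field, key in FIELD_MAP.items():
            if fields.get(field) in watch.get(key, ()):
                hits.append((fields["src"], fields[field]))  # src host is the quarantine candidate
    return hits
```

The same watch table can feed a switch ACL or NAC quarantine rule as easily as a SIEM alert, which is the "enforce where you detect" idea of the next point.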
3) Enforce Everywhere: If you can detect threats anywhere in your network, why not also stop them there? Our industry’s approach to security has always been to enforce only at the edges of the network. With mobility, BYOD and IoT, the perimeter is now nowhere – or, looked at another way, the perimeter is now everywhere. It’s neither economically feasible nor operationally manageable to deploy yet another layer of security at every point of the network. Why not use the network itself? Many CISOs have budgets that range from 10 percent to 25 percent of the company’s overall IT budget. Why use only 25 percent of the budget to try to keep up with and protect the other 75 percent of the network? Why not use 100 percent to protect 100 percent of the network? Utilizing the network is the most cost-effective and operationally efficient method for detection and enforcement. The security landscape is changing. We absolutely have to forgo thinking about network security the traditional way.
The security industry needs to undergo a fundamental change in mindset that leverages every aspect of the network as a key point of security detection and enforcement. Only with this type of software-defined approach will we be able to attain a truly secure network.