- Security needs to shift to a third phase; needs to be baked into IT disciplines
- Processes should come first, then the tools, says network security executive
SECURING the network today is harder, with the cloud and mobility trends leading to the decentralisation of the network and taking it beyond on-premises.
Cybersecurity can be broken down into six domains, all of which are necessary to secure todays’ networks, according to Matt Alderman (pic above), vice president of global strategy at Tenable Network Security.
Maryland, US-based Tenable Network Security, founded in 2002, specialises in network security. It has additional offices in Singapore and the United Kingdom,
The first domain is ‘discover.’ “We have to understand where the critical data and assets are in our network, and it’s one thing we struggle with more than anything else in this industry to this day,” says Alderman.
The second domain, assessment, is important in understanding the state of security in the network – from the devices on the network to vulnerabilities, misconfigurations, malicious files and processes.
This goes beyond the usual security information and event management (SIEM) technology used in securing networks, says Alderman, speaking to Digital News Asia (DNA) on the sidelines of the recent RSA Conference Asia Pacific and Japan (RSAC APJ).
“I need to understand what’s going on in my network – we mainly think of it as SIEM, but it’s much more than SIEM.
“It’s log management at the device and network level, it’s also network packet inspection – actionable threat intelligence feeds that help me better understand what activities are going on in the network,” he adds.
The third domain, analytics, is more than just crunching data, but is also about integrating contextual information.
Analytics are often related to monitoring, but it has to also bring in the assessment and discovery components as well, “as I have to understand context,” Alderman says.
Context is in fact the fourth domain, which is necessary to understand malicious activities or anomalous behaviour on the network. Contextual information would allow for proper responses to contain and mitigate specific attacks.
The fifth domain, response is the only human element in the process, with people requiring the mechanisms and tools to mitigate and remediate threats.
The human factor is also seen by the fact that users remain the biggest threat to network security, according to Alderman.
“What we’ve seen is that [cybercriminals] are getting in through the end-user via phishing and social engineering attacks.
“When you think about what our biggest danger is, it’s we as humans,” he says.
In a 2015 data breach investigation report by Verizon, it was found that 23% of users open phishing emails, and 11% click on them. A test showed that 50% of users open and click on phishing links within the first hour.
Finally, the sixth domain is ‘protect,’ which is the machine factor of the security equation – the automation in installing patches, changing configurations, and shutting down a port or service.
This is the domain Alderman feels organisations are struggling with.
“I think we do a pretty good job here and there with all the other domains, but we are not tying all those pieces together in a holistic way,” he says.
“Protect is something that I think is nirvana for all of us in the industry, but it’s going to require us to build a lot of trust in our security systems to actually automate a lot of those activities,” he adds.
Processes first, then tools
These six core domains, when done well, will build a robust security posture. However, one must first address the processes before building the security tools – a problem that plagues the security industry, according to Alderman.
“The problem is we security practitioners think about the tools first, the process last,” he says.
“What I’m trying to do today is say, ‘No, this is the process – let’s understand what’s important to us, then acquire the appropriate tools to make that work’,” he adds.
Building higher walls do not necessarily keep out attackers either, says Alderman.
“People are still buying perimeter defences, but what people have to understand is, are those perimeter defences working the way they expect them to work?
“The answer is definitely ‘no.’ I don’t know if everybody is there yet, but the perimeter is shrinking, therefore the perimeter defences are not going to work,” he adds.
Even endpoints, often thought of as the weakest link in security, now go beyond just the desktop and mobile, with the Internet of Things (IoT) emerging. Addressing IoT security is going to be a challenge that traditional solutions can’t handle, according to Alderman.
“How are we going to address these new devices that are going to be put into our cars and our homes, or on us as wearables?
“You’re not going to use traditional endpoint technologies on those solutions, it’s just not going to work,” he adds.
Need for Cybersecurity 3.0 thinking
Security requires holistic solutions and not just point-focused solutions being slapped together, Alderman argues.
“There’s been debate whether security should eventually be absorbed into the other IT divisions – do you really need a separate team for security?
“One thought in the industry is that security gets embedded into all these IT disciplines, and security might become baked in,” he adds. “I don’t think we’re there yet.”
Security needs to become a critical component of the business in order to get the visibility it needs, and Alderman believes the security industry has to undergo two more transformations before that happens.
“I think what needs to happen for security is an evolution. 2.0 is moving towards holistic solutions, but I think there is a third phase of security we have to do, one that helps us make security a critical component of the business,” he says.
“But we as industry have at least another two more transformations to go through to get there,” he adds.
Communicating how security can affect the business, from profitability to reputation, is important in convincing enterprises to consider the holistic approach, he says.
But the IT (information technology) department can be a stumbling block.
“IT’s not there, they’re fighting to keep control of the IT environment while the cloud is ripping it away, so I don’t think they’re focused on security when they’re trying to maintain their domain,” Alderman argues.
“If you’re a brand new company, do you need an IT department? You can get almost everything you need from the cloud, and if you do, maybe IT is not the answer … maybe security across all the platforms is key.
“This tug of war between IT and security will continue, and the security industry needs to be aware of it,” he adds.
Security industry needs to abandon fear and trepidation: RSA chief
Basic security products don't cut it anymore: IDC
Security is a process
Trial by fire: Adopting the resilience mindset
Security chiefs call for investments in ‘transformative’ technologies
For more technology news and the latest updates, follow us on Twitter, LinkedIn or Like us on Facebook.