Steps to a brighter, safer, and more secure digital world
By Benjamin Cher July 28, 2016
- Security has to be addressed from the business perspective
- It is about processes and policy, not technology
DATA breaches and cyber-attacks seem to have become the new normal in today’s increasingly digital world, but it’s not all gloom-and-doom – there are steps you can take to protect your organisation.
One way to do so is to adopt a ‘business-driven’ security model that is based on risk, according to Mike Brown, vice president and general manager of the Global Public Sector business at cybersecurity firm RSA.
“One of the things I see happening are government and private sectors changing their policies and strategies to align with the business-driven security model,” he says, speaking to Digital News Asia (DNA) in Singapore recently.
“This means they have to understand what their mission or business is, then identify the risks associated with that.
“When that happens, it allows the board or the C-suite – since they already understand business risk – to have the appropriate level of conversation with the security department,” he adds.
This would help defenders move from looking at individual products that can solve one part of the problem, and towards strategic thinking and the right level of decision making.
“With the business-driven security model, you now have a common way to communicate, from the boardroom to the junior analyst – or as I would say in the navy, from the bridge to the mess decks,” says Brown, a former US Navy officer as well.
“You all have to be on the same page to understand what’s going on – if there are gaps, then that’s where you can start to address the risks,” he adds.
This is especially important because technologies change, so you cannot build your security policies around them. By adopting a business-driven security model, you would have the necessary processes in place to prevent policy from lagging behind technology.
“It is important to address this from the business or mission perspective because technology by itself will not solve the problem,” says Brown.
One example is the recently-enacted Information Sharing Act, where US Congress wanted to mandate the standards rather than the processes.
“I was up there saying it was a bad idea … because the situation changes, the combination of the threat and technology constantly changes, and you are going to have to change your standards,” says Brown, who also served with the US Department of Homeland Security.
“If you go back to the policies and come back with a strategy where you are addressing risk, then it doesn’t matter if the threat or technology changes.
“If you understand what the risk is, you now have the ability to adapt for the future,” he adds.
Compliance is not security
Security has to be more than just about checking the compliance check box, and needs to become a business driver, according to Demetris Booth, head of product management and solutions marketing of Cisco Systems’ Cyber Security Solutions, Asia Pacific, Japan & China unit.
“If you asked me that question 10 to 15 years ago, it would be that we got to do it, but today I think more organisations get that it is part of their business,” he says.
“They realise the way business today is not going to look the same two years from now, so they look at it as a business driver and a growth engine,” he adds.
Security is taking a bigger role in the wake of large-scale breaches where companies were already compliant, warns Jason Rolleston, vice president of corporate products at Intel Security.
“Compliance is what you need to do when you’re afraid of being hit by the government; security is what you need to do to make sure your business is not crushed,” he quips.
Matt Alderman, vice president of Global Strategy at Tenable Network Security, goes one step further, saying that until cybersecurity meets its black swan event and sees a company wind up due to a breach, it will remain at the status quo.
“I see this trend in the United States and I worry about how Asia approaches this – take any of the breaches at US public-listed companies: Their stock takes a hit, they throw a bunch of money at it, and their stock recovers.
“There’s no long-term impact on the organisation, because we have allowed them to offset those costs in other ways,” he argues.
“If the actual penalties were stiffer for actual breaches and have an actual financial impact, organisations would do a better job at securing the data … there is an inverse to regulation that could drive a better approach to security, but I just don’t think anyone’s tried it.
“A company going out of business because of a data breach – that would really change the way people think about security, but that hasn’t really happened because we provide these ‘get out of jail free’ cards for certain industries,” he adds.
Steps to building better security
Alderman recommends the following steps to move from defence-in-depth to comprehensive security.
First, start with the ‘visibility component,’ which is to take an inventory of all your assets. “We can’t protect what we don’t know is there,” he says.
Then, assess device vulnerabilities – many companies are already doing this, but not to the depth and breadth they need to, Alderman argues.
“We’re doing traditional IT infrastructure visibility – looking at hosts, networks and a little bit of the perimeter, but we’re not looking at applications or cloud services to the depth we need to.
“It’s not that we are not doing these things, but we need to expand because we’ll be in a hybrid world for a while, and if we are only focused on the data centre, there’s a ton of attack vectors we are not taking care of,” he adds.
Then there is application visibility, an area everyone seems to be lagging behind, even though it is the future of computing, declares Alderman.
“With what’s coming down the road with Docker and microservices, with the way some of these technologies work, we have no idea what they are doing, we have no visibility into them.
“That’s one area we definitely have to dig in more,” he adds.
The next step is to expand your scope beyond host and network logging, and to monitor and analyse all logs.
“For perimeter traffic versus internal traffic that’s more of an expansion of scope, but the one around user accounts and access to me are the foundations of what corporations can control in the future, and are areas to focus more resources on,” says Alderman.
“The only thing corporations will be able to control in the future is the application – who has access to that application and what data is exposed to the application.
“That triad is what we need, to understand and control better,” he adds.
The last step is automating remediation during an incident, something that boils down to the fact that human resources are scarce.
“If I can’t prioritise my incidents to concentrate on the most critical, I’m toast,” says Alderman.
“I do believe that the industry wants some level of automated remediation – I was talking to a customer from [Singapore], and he said, ‘Can’t you just put a button in your product where you push it and it automatically patches the machine?’
“Customers want it, we’re just not there yet from a trust perspective. Technically we can get there, but I’m not sure if we can get there operationally yet.
“There is still enough of a divide that IT does not want security to step over the bounds – but more and more customers want us to do it, and this will help bridge the skills gap because having a human there to patch or remediate the system is not going to scale in the future,” he adds.
The promise of the API
Another weapon for defenders is the humble old Application Programming Interface (API), where access to data is governed by parameters written into the software.
“For example, you have data residing in a data centre – you can open it up via a conduit called an application, and when you open it up – just like when you travel – you need an identity called a passport which will tell the other person who you are and where you came from,” says Vic Mankotia, vice president of Security and API Management at CA Technologies Asia Pacific & Japan.
“But that is not enough to validate it with a provider, so the application says okay and establishes identity, but the boarding pass gives you the address, or where to go.
“You then go through an authentication process, which is increasingly being replaced by biometrics – which is very important in a world of giving the right access to the right information to the right people,” he adds.
While open APIs increase the attack surface area and can be vulnerable, utilising best practices in the management of the API layer can mitigate that.
“You can’t build a house without a blueprint, in the application software world … API management cannot be bolted on,” says Mankotia.
API management offers a way to satisfy both the business functions’ need for access and the IT department’s need for security – and this makes security a business enabler, rather than a blocker, he argues.