Ron Gula, BridgeTower Media Newswires
I've been lucky enough to have a very exciting career in cybersecurity. I've worked for the military, started two successful cybersecurity companies and worked with a variety of government, industry and academic institutions and security experts. I'd like to share some thoughts with you on why things are not getting better and what you can do about it.
There are really two different stories going on in security today.
The first story is what you see in the headlines, where advanced attackers steal information from an organization and the organization responds by hiring its own incident response teams. These stories are very exciting, but they are very old and very repetitive. In each of the cases, the target network did not do enough to ensure it was protected from data theft.
What does it mean to do enough to secure your network? This is a very difficult question and often we resort to saying things like "we are compliant," "we increased our budget 50 percent" or "we have upgraded our firewalls."
Each of those things helps, but isn't the same as "we did enough."
Many organizations view this as the single biggest failure of the security industry in that, after 30 years of R&D, there isn't a program, application or appliance I can plug into the network to make it secure.
Resilient networks
Which brings us to the second story, the one we aren't seeing: actual secure and resilient networks. Over the past few years there has indeed been tremendous progress in truly secure applications and network security. I will describe two different stories here: cloud applications and container-based websites.
If you compare the simplicity, scalability and security you get with email services such as Office365 with a typical on-premise configuration made up of email storage, failover, spam reduction, anti-virus, making it available over a VPN, etc., the on-premise environment is so complex that it works against you. Each of the components of an on-premise solution is often from a different vendor, with different administrators, budget cycles, deployment options and so on. The story here is that when organizations switch to the cloud equivalent of their internal applications, they have better security and a generally better time focusing on their business.
Modern websites are another example where complexity works against you. When you purchase tickets online, you are most likely dealing with a network of operating systems, load balancers, databases, web application firewalls, custom code from the website developers, code from a marketing team to track website usage and a layer of media partners to make sure your website is fast. These components are not designed to work together, and each takes a different type of expertise to run.
Many organizations are looking to make a switch to a new technology called "containers." A container runs a small section of code, and that is all it does. Complex websites are being re-written to make use of different building blocks, each running a single small function. When deployed on elastic hosting frameworks such as Amazon or Rackspace, websites based on container architectures are very robust and are easier to manage than the complexity of running many different types of web security and web application technologies.
Organizational change
Both of these stories -- moving to cloud applications and running containerized web applications -- require the organization to dramatically change how it is doing IT. The requirement to completely change a technology is often seen as a dramatic change. Organizations might want to change, but could be limited in budget, manpower or resources. Any delay extends the usage of more complex and insecure legacy applications. This in turn creates demand for more traditional cybersecurity solutions such as anti-malware, incident response, log analysis and firewalls.
So what can you do about this? It is really simple, but requires a mindset change. If you are in a position to select defensive cybersecurity solutions, consider simplifying the application you are trying to defend with new techniques before adding another layer of security complexity. Once you get into that frame of mind, you will realize that the majority of technologies that run on complex operating systems, such as laptops and servers, will never be 100 percent secure, and you should focus on applications designed from the ground up to be secure.
-----
Ron Gula founded Tenable Network Security. He advises cybersecurity companies and works closely with a variety of banks, government agencies and organizations training the next generation of cyber experts.
Published: Mon, Dec 05, 2016