Addressing tomorrow’s cyber security threats by simply replicating yesterday’s flawed technology approach is an unreliable strategy, says John Suffolk

Putting a strong lock on a weak door is unlikely to deter thieves, particularly when there are valuables inside. Yet all too often in the battle against cyber attacks, businesses do just that: they attach advanced digital security systems to inherently insecure corporate network infrastructures. The net result is enterprise IT capabilities that keep those tasked with maintaining risk registers and ensuring data security awake at night, and frustration for those who want to embrace next generation mobility and cloud technologies to generate efficiencies and competitive advantage.

A company becomes more attractive to cyber criminals as the intrinsic value of its digital platforms grows. While the commercial benefits of a company’s digital platforms far exceed the cost of cyber attacks, evidence remains that some CIOs in Fortune 500 companies view cyber security as a barrier to incorporating new technologies such as ‘Bring Your Own Device’, social networking and public cloud technologies. This is not entirely surprising; most cyber security strategies today are based more on a defensive or reactive approach than on an offensive methodology.

“Business is all about balance,” said one CIO who asked to remain anonymous when interviewed for this article. “We have long worried about the stolen laptop, the files left on trains or the misplaced memory stick carrying sensitive customer records. But now, faced with systematically putting our business into the cloud while ensuring all employees have useful and appropriate access is a much more daunting prospect.” Such a view is not uncommon across many industry sectors today.

Whilst CIOs and defenders of technology infrastructure ponder the right approach to balancing security with agility and innovation, cyber criminals are becoming increasingly sophisticated operators deploying next generation tools and techniques to infiltrate enterprise-wide networks. For the defenders all is not lost. Next generation networking technology based on software-defined networking, or SDN, can offer enterprises a step change, a new generation defensive arsenal for the CIO, but only when the SDN is engineered from the outset to be inherently secure.

The challenge with today’s traditional, legacy networks is they are based on TCP/IP, an inherently insecure architecture developed in the days when ‘hackers’ referred primarily to high handicap golfers. TCP/IP is the enterprise network’s weak door. Even with increasingly stronger digital locks attached, the overall architecture remains vulnerable. This offers encouragement rather than a deterrent to cyber-criminals.

Software defended networks

Today’s SDN-based networks can be developed with security integrated into the design rather than as an overlay or afterthought. Because of this, SDNs represent a cyber security game changer for the industry. The key change is that they can allow the enterprise to actively protect against what security teams call advanced persistent threats (APTs), distributed denial of service attacks, unknown malware and zero day attacks.

Active SDNs can be designed to continuously monitor for and block vulnerabilities by default, across all network elements, from simple access devices to a range of network elements to the data centre. The key difference is that in an SDN design, the capability can be fully virtualized and embedded. With an SDN, security policies can be created to match the type of service they are designed to protect. CIOs can, for the first time, go on the offensive and secure devices, applications and network elements. Employee access can be actively controlled by time of day, location, time zone and other factors that can be configured into the network through centralized management and control tools. The CIO’s priority, for the first time, can now be on ensuring useful access rather than on the restrictive characteristics of a strategy based on reactive responses and restrictive policies.

However, just because the capability exists doesn't mean that all SDNs are being developed with an equal focus on security. Also, there is a significant cyber security industry that depends on the spread of fear, uncertainty and doubt. If the SDN-based architecture doesn’t combine security reputation, big data, sandboxing, as well as other technologies to prevent unknown threats, it’s essentially replacing an old weak door with a new weak door, despite the stronger locks being fitted.

Cyber security is a technical challenge but it is also a human challenge. Every CIO and network security engineer knows only too well about the continuous battle to improve the behavior of employees to underpin existing security procedures. While this challenge remains, SDNs, for the first time, have the ability to materially transform the technical defenses and provide added security capability to protect against human weaknesses.

Less well recognized, perhaps, is the continued risk of ‘the illusion of security’. The time to ask a vendor searching questions about the integrity and security of an SDN is before purchase. Any SDN architecture or roadmap that promises ‘security measures to follow’ is effectively replicating the flaws, the weak doors with strong locks of the past.

John Suffolk is Huawei’s chief security officer and a former CIO and chief information security officer with the UK Government.
