With over two decades of experience working in the world information security risk and data protect, Tenable Network Security Co-Founder and Chairman of the Board Ron Gula has seen it all.
During his keynote at their year’s AISA annual conference, attended by over 1000 infosec professionals, Gula said the security industry has done a poor job of answering a fundamental question – are we secure?
In seeking an answer to that question, Gula says he has spoken to more senior IT execs over the last tow years than in the preceding years of his career. What he’s seen is the emergence of three key issues. These are the rebirth of network forensics and detection, a focus on risk management and the new wave of resilient, secure design patterns – something he sees as the “future of cybersecurity”.
With the establishment of commercial and open source sandboxing tools, Gula says their popularity was fueled by their ability to detect malware that had bypassed other defensive measures.
“But it’s impossible to ascertain and detect all the bad traffic and put it in one spot,” says Gula.
This lead to posture many organisations took by assuming they had already been breached.
Gula says he like the idea of being able to capture all the network traffic and put it in one spot. But on massive networks that can be very difficult, particularly if much of the business is operating on SaaS platforms.
At another recent conference, Gula noted many of the attendees, who were network engineers with a deep understanding of tools such as Net Flow, didn't know they could receive telemetry on the data moving to and from larger SaaS providers such as Salesforce or Office 365.
Complexity is a significant issue says Gula. As we add more tools and processes around security we make things much harder for ourselves. But he says there’s been a “rebirth in simple types of analysis”.
The new tools he’s seeing are very similar to existing SIEM and monitoring tools but have a focus on the users rather than the masses of data. These employ User Behaviour Anomaly (UBA) detection
“They’re trying to simplify how to look at all of their users and look for that insider threat and detection”.
Risk management and compliance frameworks are important says Gula. However, they do have a negative reputation, particularly as they are perceived to stifle innovation.
Security is a journey and no one is 100% perfect says Gula. The risk of being ‘compliant’ is that this is seen as an end-point.
"There's continuous improvement. A framework gives them a common language to talk about security".
When it comes to designing for security, Gula says most people are not going to get to the point when they're secure. What we want is to create secure and resilient systems by design.
An example of how this is already being done in through containerised builds. For example, many cloud services are delivered without a traditional operating system.
In the past, when an application was deployed it needed a web server, operating system and some custom code. If the application was important there might be a second installation for redundancy. Then there’s monitoring and other support services.
Gula says that if you were building that same application today you would take a difference approach.
Online providers, such as Amazon, make this much simpler.
“Let’s look at Uber,” says Gula. “Uber only wrote about 5% of the code they’re running. All the rest of that code was done by Amazon and technology that was already out there. That technology is not only very robust - it’s something that’s tested over an over again by many, many people”.
Those pieces of code Uber and others use are relatively small. They execute without an operating system or hypervisor. By running on far less code, the software is easier to manage and, as it’s simpler, has fewer vulnerabilities he says.
For example, a web server that communicates over ports 80 and 443 doesn't need a lot of other supporting code. And with so many people using the same code, the odds of it being vulnerable are low as it has been heavily battle tested.
This allows system designers to focus on building functionality rather than all of the other supporting components needed to make an application work.
“Taking away the operating system to run your unique code is brilliant,” says Gula.