
Cloud Shift Requires Perceptual Change Around the Role, Nature of Security

Historically reactive security cannot meet the needs of changing cloud environments

A persistent failure to capitalise on the benefits of integration has left security practitioners playing catchup as security best-practice shifts away from networks and towards the application and data running on them, one expert has warned as he reinforced the urgency of changing thinking around security away from conventional 'defence in depth' strategies.

Driven by competition between security players, years of industry focus on best-of-breed security point solutions had driven incomplete integration practices that fostered gaps that were now being exploited by cybercriminals, Tenable Network Security vice president of strategy Matt Alderman told CSO Australia in the wake of his recent keynote presentation at the RSA Conference 2016 Asia Pacific & Japan in Singapore.

“There were promises in the past that certain technologies could have integrated all of this security data together and presented it in a way that would have made sense,” Alderman said. “But it never happened. By not connecting these point solutions, all we have done is create gaps – and the gaps are where we are getting attacked.”

Recent years had seen the addition of mobile devices, cloud applications and other modalities that had so complicated security infrastructure that many organisations would benefit from simply starting over on their security environments – as some companies were doing by progressively moving their core computing environments into highly scalable cloud environments.

Such migrations had often, however, exposed complex nests of interdependencies that had been established to meet compliance requirements – and which were not easily disassembled and rebuilt into an equally-compliant environment that also incorporated cloud offerings.

Meeting these requirements had forced organisations to look for ways of building an integrated security environment that would extend equally across on-premises and cloud-based components of enterprise architectures. However, with the security industry still focused on preventative, reactive strategies, the modernisation of security had for many organisations come to be associated with compromises to crucial governance, risk and compliance demands.

“At the end of the day our fundamental problem in this industry is that we react to technology,” Alderman said. “We are not proactive with security at all, and never have been. Security has always been this afterthought of layering controls around our IT infrastructure, so we have always been playing catchup from a security perspective.”

Effectively moving to a comprehensive security model would require concrete steps in nine key areas, Alderman said. These included asset inventories – “the most fundamental thing, and we ignore it,” he noted – as well as finding a way to identify and remediate device vulnerabilities; locking down endpoints as part of the shift from a network to an application focus; and improving the analysis of code to rapidly identify insecure elements.

“If you're not addressing device vulnerabilities it doesn't matter what else is on the network,” Alderman said. “You're giving attackers the front door through simple phishing attacks. And we are way behind in understanding how to assess applications for vulnerabilities; we need to understand that or it will burn us.”

Other key areas of focus included improvement of monitoring logs from network, application and cloud infrastructure; examination of user accounts; the use of behaviour analysis to baseline normal activity; establishing means to identify and follow lateral movement as attackers utilise credentials to move throughout the network; and automation to help facilitate these processes.

“Security only gets harder when you do it in the cloud,” he said. “There is compartmentalisation of infrastructure and you've got to understand what is going on in every layer. You need to prioritise where you respond to incidents, what is critical to the environment and where to focus your resources. And while there are tools, they have to be integrated together to allow customers to manage those different elements in a much more centralised way.”

Alderman's warnings echo the findings of a recent Ponemon Institute study in which 70 percent of Australian IT-security practitioners said the security constructs of cloud environments made it harder to manage privacy and data regulations than on on-premises networks, and 58 percent said cloud services made it more difficult to protect confidential or sensitive information.

Providing these protections required a reinvention of security models that offers organisations the possibility of redesigning their security around an application-centric, rather than a network-perspective, paradigm, Alderman said, one that better suits cloud-based operational modes since “that's where our sensitive data is.”

“We really have to think differently, and to move away from thinking that it's all about protecting the IT infrastructure,” he explained, “to knowing that it's all about protecting the application. That's the biggest shift, that people aren't ready for yet.”

Despite years of progress, vendors were still only part of the way towards facilitating that shift: security specialists often struggled to link technologies with business requirements and overall risk profiles, meaning that users that rely too heavily on vendor solutions risk leaving vulnerable gaps unaddressed over time.

“At some point you have to bring the business and security sides together to understand how to truly manage risk,” Alderman said, noting that “there has to be alignment of risk and reward at some time. It's the only way you're going to be able to execute on a security plan.”

Better alignment between security and business practitioners would help revitalise discussions around security as an increasing proportion of the business moves to the cloud – a trend that Gartner has previously predicted would see 30 percent of companies moving the majority of their enterprise applications to the cloud by 2018.

The ongoing 'cloud shift', the firm has more recently predicted, would see more than $US1 trillion worth of IT spending moved to cloud-based alternatives by 2020, according to Gartner. By then, 43 percent of business process outsourcing, 37 percent of application software, 17 percent of system infrastructure and 10 percent of all applications infrastructure software deployments will have shifted to the cloud.

“These major trends and technologies will drive a radical shift in the way we approach security,” Alderman said. “The stakes are only getting higher as more and more stuff is stored outside corporate data centres. And if we just take this reactionary approach, we are going to be way behind.”
