If you’re familiar with the film The NeverEnding Story, then you know that the goal of the hero, Atreyu, was to reach the boundaries of Fantasia. He’s disappointed to learn that Fantasia has no boundaries because it’s the land of human fantasy.
In some ways, the land of Fantasia is like network security. Where once there existed a fortress around the perimeter of a land that needed to be protected, those boundaries have expanded, leaving security professionals scratching their heads trying to discern how best to protect the enterprise against invaders.
The idea that time and resources should be invested in either network security or application security is misguided, as both are equally important to securing the enterprise.
Yet, according to a recent Forrester Research report on the state of network security, the largest portion of the security technology spending budget in 2015 was on network security with an expected increase to this budgetary category in the years to come.
“Looking ahead, 41% of decision-makers expect to increase spending on network security at least 5% from 2015 to 2016, with 9% of security decision-makers planning to increase network security spending more than 10%,” the report said.
While application security has been around for a while, IT professionals remain entrenched in the traditions that are at the root of network security. The result has often been a budgetary either-or decision when it comes to investing in security tools.
The reality is that, just like Fantasia, the network has no boundaries.
While it’s easy to dismiss The NeverEnding Story as a children’s movie, there is much that the adult world and the cybersecurity world can learn from children. In a Jan. 7, 2016 Marketplace Education story on NPR, “Kids start honing their cybersecurity skills early,” one fourth grader, James Estrella, offered some sage advice.
“Estrella said he already knows more about computers than his parents. To have good security you need to get rid of bugs in your code, he said. Oh, and to make strong passwords. Otherwise, he pointed out, you could get hacked.”
In reference to the NPR story, Cigital Internal CTO John Steven said that even these young children have realized it’s not about the network.
Over the last two decades, people have taken an outside-in approach with a focus on perimeter security and firewalls. “There is no perimeter,” Steven said. “We carve holes in our networks to do business.”
“Organizations that think they are going to stay in the legacy environment fail to see that they don’t have limits to their network. The perimeter isn’t there,” Steven said. At home we buy devices to have them talk to each other, and the enterprise environment is no different.
The network is very porous, said Steven, and the IoT will accelerate that trend. “One prime directive is to stop putting fences around things and recognize that communication is the purpose of the devices,” Steven said.
Too often Steven has seen companies very surprised to learn that they have many more attack surfaces than they expected. “If a legacy system encompasses the databases, server, and client, some people believe that they are only dealing with one untrusted connection to the browser.”
The risk for that enterprise is in backups, disaster recovery, incident response and any other outsourced, unedited, unencrypted, and unaudited connections.
Paula Musich, research director, NSS Labs said, “Historically, network security has been focused on ports and protocols, and it has relied on the ability to scan network traffic—typically at the perimeter of the enterprise network.”
Included in protecting the network are “firewalls, intrusion prevention systems (IPS), secure web gateways (SWG), distributed denial-of-service (DDoS) protection, virtual private networks (VPN), and more,” Musich said.
The introduction of context-aware network security, said Musich, “has blurred the lines between network and application security, and the integration of network security appliances and software with endpoint protection has contributed to that blurring. Nevertheless, network security still relies on the ability to scan traffic on the enterprise network.”
Cloud computing and mobile applications have contributed to the crumbling walls of the network perimeter. “Access to cloud-based enterprise applications, and to mobile apps used by workers to collaborate on company business, must still be secured,” Musich said. “Application security, on the other hand, focuses on how the applications operate and looks for anomalies in those operations.”
Application security encompasses web application firewalls, database security, email server security, browser security, and mobile application security, Musich continued. “You could also include static and dynamic testing of application code, although that is more often done on custom enterprise applications before they are released to production,” she said.
Building security into the things we want to protect is critical not only for the future but also for right now. “Connectivity is the value, not a fad,” said Steven, “and the ability to connect and build trust between devices is how they have value.”
Those organizations that continue to focus their resources on network security, though, are not necessarily misguided, said Bill Ledingham, CTO and executive vice president of engineering at Black Duck Software.
“The problem of network security doesn’t go away,” Ledingham said. “Other challenges are getting layered on top of that.”
Critical assets outside of the perimeter are vulnerable because of the number of applications and resources exposed during internet access. “You take your laptop on the road, enable them for Internet access, there are other points of vulnerability injected into that overall picture,” Ledingham said.
In order to best defend themselves, security teams should first gain visibility into what they have and what needs to be protected. “Putting a process in place that prioritizes risks even when they are working with limited resources” is a good practice, Ledingham said.
The biggest challenge for any security team is dealing with everything that is on their plate. “How do they spend their limited resources? They need to understand new vulnerabilities and be able to quickly analyze and understand the impact of those vulnerabilities,” said Ledingham.
Where security has traditionally been focused on protecting the perimeter, there is a growing shift with more and more information accessible via the Internet and applications exposed on the Internet. “That’s the challenge that companies are struggling with right now,” Ledingham said.
Security is neither a network nor an application problem; it’s a risk management problem. The solution, said Ledingham, is prioritizing based on the sensitivity of data or applications in conjunction with understanding how high a risk is actually present.
Both applications and networks present risks and have the potential for malicious hackers to gain access to sensitive information inside the network or inside applications that have access to the network. “Take into account what your infrastructure looks like and the applications that are externally exposed,” said Ledingham.
“I don’t think you pick one or the other,” Ledingham said of allocating resources to network security vs. application security. “Look at it from a risk perspective and decide where you are going to allocate between the two.”