The Security of Business vs. Business of Security

The security industry has spent a lot of time over the past 30 years thinking of imaginative ways to put lipstick on today’s cybersecurity pig.

It’s like a one hit wonder band who never adapted, playing the same song and putting on the same show over and over, even though their fans, the industry and the zeitgeist as a whole have evolved and transitioned.

We are more distributed and mobile than ever. Yet the security industry remains unevolved, putting on the same show – playing their all-time favorites like “On-Device Security” and their mega-hit “Gateway Security”. Gateway security is an especially nuanced piece with broad range. There’s the firewall, intrusion prevention, VPN gateway, the proxy, url and content filters, and the component that binds them – SIEM. And that’s the consolidated version of a lengthier and more complicated original score.

Compute has changed and continues to change dramatically in front of our eyes. Clouds, SaaS, Mobile devices and the big daddy of them all – IoT – are contorting traditional security models and tools in ways never intended – until something breaks. And today, everything is breaking since security as we know it dates back to the medieval ages.

Let’s Get Medieval On Security.

The king builds a castle (the network), puts a moat and draw-bridge around it (gateway security) and posts sentries at the gate with special instructions (security policy).

Need to operate outside the castle? If you have the strength (compute resources) and are wealthy enough to afford it (budget), you can put on custom armor (on-device security) and head out as a knight (remote user). Being a knight is exhausting though. Yes, you are well protected, but it burns a lot of energy (security team resources).

However, commoners have to assume risk and live in a state of constant vulnerability. Clouds and IoT have driven the vast majority of our functions and users to operate “outside the castle”. In fact, the business of the king’s court is now distributed. Commoners live and work remote, never needing to step foot in the castle.

There are even scenarios where some commoners operate and service other kingdoms near and far. When the court subjects are remote and distributed, the king has two options – insist on keeping the castle, moat and drawbridge or adapt. So far the security industry has bitterly resisted adapting. Why — Tradition? Lack of alternatives? It’s what they know? Or a combination of these.

Gateway security still has its uses, however, the gateway security model is long in the tooth and its use-cases diminishing by the week. And on-device security has been an expensive, ineffective and unsustainable failure. How can you package up an entire data center’s worth of security functions in a $5 sensor with the compute resources of a Timex watch.

What the cloud started, IoTs have finished. In the past compute was network-centric, now it is distributed all over and even mobile. And we like it. Initially CISOs tried to control users by saying no to cloud and SaaS. Users wouldn’t have it. They shrugged, walked away, and did it anyway. There was no putting that toothpaste back in the tube once they got a taste of cloud and SaaS.

Compute and technology has been democratized, however the way we secure is still medieval.

We have offered hackers the overwhelming advantage all the while spending billions and billions on security. Vendors continue to monetize on medieval security tools ill-suited to the new dominant compute model. How does this make sense?

There are a few reasons:

First, it’s what people know and have bought into. There are 30 plus years of approaches and methods, tools and technologies, processes and performance indicators that have been developed around medieval security. It has become muscle memory for many who spent years honing their skills around these approaches.

Just imagine if suddenly, through magical circumstances, the rule of thumb became NOT to apply pressure to bleeding wounds. The countless developed methods, processes, tools, and even tangential functions like billing would be impacted. The result would be chaos! Arguably security is experiencing a mild form of chaos now.

Second, there are a lot of vendor-centric security professionals that know and understand security through the prism of a particular vendor. This is not meant to be derogatory since these professionals are the backbone of the security industry. However many are not security operators, they are security product managers.

In most instances, along with functional and integration capabilities, security is but one of multiple features that security tools sport. Many security professionals are really, really good at keeping the lights on and packets flowing – and rely on the product do its security stuff.

Some vendors are so big and influential that more security professionals than we like to admit are exclusively committed to their tools. These professionals have done the economic calculus and have built their careers around a single brand, strictly based on market opportunity. Many evolve when vendors say it’s time to evolve for job prospect purposes. And the evolution of certain security professionals is curiously bound to the vendor’s business strategy. An arrangement that benefits the vendor and the professional – just not security.

This brings me to the third point: the security of business.

It takes many years for new and emerging approaches or technologies to become mainstream. Large influential vendors are focused on squeezing every last bit of economic value from their existing technology investments, while small innovative companies just don’t have the market megaphone. And pay-to-play analyst firms confuse matters further by offering tilted and skewed recommendations.

Now, let’s talk about the Cyber Hare vs. the Security Turtle.

Hackers are cutting-edge. They are imaginative. They formulate crazy ideas meant to break the rules. The security industry counters with security professionals who are compelled to be conservative – to a fault.

Hackers don’t care about function and performance, whereas organizations prioritize both over security. Hackers can experiment and fail countless times, forging their own path along the way, while organizations identify gaps by virtue of emerging product categories. Often it takes anywhere between three to five years, depending on the organization, to implement new product categories for an emerging threat type. At that point the threat is not so emerging anymore!

Moreover, organizations befuddle themselves by implementing a process, a very organized one at that, developed to assure failure. This includes assessing requirements, assigning budget, talking to Gartner to see who paid them most, evaluating several brands, selecting a technology, negotiating legal, purchasing, implementation, integration, administration, management, monitoring and troubleshooting. Where is the agility?!

Aside from the security functions the product offers, nothing in the process above even comes close to security operations.

What does this mean? It means that hackers have a significant upper hand. This upper hand is so overwhelmingly one-sided that it has evolved from having the ability to impact business, to the ability to devastate economies and undermine democracies.

Cyber – The Longest War.

Today, everyone talks about the war in Afghanistan as our longest running conflict. In the near future this distinction will easily be awarded to the global cyber-war. Every day, much like other security professionals, I see this war from our operations center. I see Russia, China, North Korea, Iran and even some allies wage war against our infrastructure. If not by Name (IP Address), then by reputation (APT).

If we have learned anything from the Afghani and Iraqi conflicts it’s that success does not always require a standing army. Special Operations have radically shifted the methods of war. Not only is this cheaper and faster, but also more effective to achieve many missions around the world. Today the SpecOps model is being employed in the Syrian conflict.

Maybe we should learn from the military and apply seismic shifts to our security approach. Here’s how:

First, let’s eliminate products from the equation. Building one-off security using tools that are ill-fitted to address the emerging distributed and mobile compute model is security suicide. Products are always out-of-date and security teams burn valuable resources performing technology refreshes, managing and troubleshooting products rather than operating security.

Security as a utility is a much more effective approach. It is simpler and much faster to sign up and turn on, than to buy and build out! Make implementation easy and let the development, upgrades, updates and keeping the lights on be someone else’s problem. The time your team is not spending on babysitting products can be put to better use operating security.

Second, fight hackers with (ethical) hackers. Build or train security teams of operators – not product administrators. Make your team critical thinkers who focus on “how to break things” rather than the mundane keeping the lights on tasks. Not all hackers are foul tempered, tattoo laced, twenty-something rock stars with an ego. There are many agreeable, thoughtful and reliable ethical hackers that can serve in foundational roles on your team. Most importantly, empower them and involve them from the beginning at the application design, development and roll out phases.

The traditional medieval security model is not failing, it has already failed spectacularly. Arguably, it was never successful in achieving any of the objectives for which organizations have paid billions of dollars. The product management approach to security is like trying to change the wheels while the car is doing a 100 mph. You won’t be able to do it and you WILL get hurt along the way.

 

About Acreto:

Acreto is the first cloud-delivered, end-to-end connectivity and security platform that can connect and protect any technology, on any network, anywhere. Acreto SASE+ Plus delivers Secure Access Service Edge (SASE) functionalities for access technologies such as devices, networks, IoT / OT and third-parties; while Acreto Secure Application and Data Interconnect (SADI) connects and protects application delivery infrastructure such as clouds, SaaS, data centers and co-locations. Acreto SASE+ Plus is SASE plus SADI — one platform with one interface from one provider for all of your technologies around the world.

An IoT Security Use-case: Part 1 – The Challenge

How Out-of-the-Box Thinking on Security Enabled Business Agility and Growth

Managing budgets is a significant part of any organization’s security efforts. The most immediate and natural reaction to any security effort today is – more money. More money is needed for more security tools, more consultants and more operators. But does more money, more security tools and more people really buy you better security? Let’s dive into this real-life IoT security use-case.

So, what’s involved in protecting a single IoT application platform with today’s security technologies? For example – a bank ATM network. To do this we will first identify the various functions, tools and processes that need to make up the entire IoT security system.

For the next couple of weeks we will be using this ATM network as a use-case for our discussion. Interestingly enough, this is a real-life use-case problem that Acreto has addressed. So bear in mind that the elements, factors and challenges defined here are not hypothetical. They are very real challenges that a financial organization faced as part of their business expansion efforts.

The IoT Security Use-Case

The organization’s traditional branch model was expensive, complex and created many ownership and agility challenges. The lack of agility posed the greatest obstacle for the organization. Their traditional growth strategy involved acquiring real-estate with very specific attributes in very specific locations. This required either a long-term lease or outright purchase of the building. This process took time – and if after much effort, the right building, with the right attributes, was not available in the right location, they had to make some tough decisions. Depending on the importance and priority of the area they either moved on to the next area or went through a resource and time consuming build out.

The organization’s chief strategy officer had a plan to address the burdens of their current slow and tedious approach to business and IoTs factored heavily into it. They would use a combination of ATMs and Interactive Teller Machines (ITM) as well as mobile banks to augment their web site and branch portfolio.

Bank Security Strategy

Their strategy was to continue the personal experience using ITMs that are capable of interactive video conferencing with a 24×7 centralized teller community. The teller community is able to support a very broad, geographically distributed network of ITMs that each function as a mini-bank. Customers can also receive live personalized service by tellers in the mobile banking units.

This approach meant that they could expand at a significantly more rapid pace while still supporting their entire product line. They were able to deploy their ATMs and ITMs in a matter of a few weeks rather than many months. They could also accomplish this at a much lower cost, avoiding construction, legal, compliance and security costs, as well as long-term lease commitments or acquisition costs.

Moreover, with their mobile banks, the organization would be able to go to their customers to provide services rather than be inconvenienced by having them come to a branch. On weekday mornings the mobile bank could be situated at major commercial and industrial areas. On weekend mornings, the mobile banks will be at the beach. Weekend afternoons servicing patrons at sporting events or the park and on Saturday night, concert and nightlife hot spots.

There are many benefits to this approach that include agility, coverage and adaptability to customer demands at a much lower cost. However there was one major obstacle – SECURITY!

These units would be located in a variety of locations including office buildings, airports, train stations, stadiums, hotels, courtyards and even operate curbside. The ATMs, ITMs, Mobile Banks and web site all used untrusted networks. Mobile network LTE and Satellite connections for roaming units as well as WiFi, and Ethernet networks provided by the building facilities for the others. In many instances they use some combination of connections for redundancy and availability.

Though it may seem common sense that ATM and ITMs have hardened cyber-security protection baked in as part of a larger bank security strategy, the actuality is shockingly the opposite. These units are purpose-built IoTs designed to serve a very specific purpose and many do not have much by way of cyber-security protections. It was both surprising and concerning to everyone!

This concern was borne out when the Acreto team was able to remotely access a test ATM via the Internet and successfully issue commands to it. This was a show-stopper for the organization.

In this series we will break down this IoT security use-case and discuss the security fundamentals necessary to protect platform of this type. As well we will breakdown the components of the platform, that range from clouds, SaaS, external vendors and IoTs. Finally, we outline how the Acreto platform was used to deliver simple, uniform and consistent protection for the entire ecosystem.

 

About Acreto

Acreto is the first cloud-delivered, end-to-end connectivity and security platform that can connect and protect any technology, on any network, anywhere. Acreto SASE +Plus delivers Secure Access Service Edge (SASE) functionalities for access technologies such as devices, networks, IoT / OT and third-parties; while Acreto Secure Application and Data Interconnect (SADI) connects and protects application delivery infrastructure such as clouds, SaaS, data centers and co-locations. Acreto SASE +Plus is SASE plus SADI — one platform with one interface from one provider for all of your technologies around the world. Learn more at https://acreto.io or @acretoio.

Interested in seeing Acreto SASE+Plus in action? Let’s start with some basic information.




    Interested in seeing Acreto SASE+Plus in action? Let’s start with some basic information.




      Interested in seeing Acreto SASE+Plus in action? Let’s start with some basic information.




        Interested in seeing Acreto SASE+Plus in action? Let’s start with some basic information.