10-17-13 | Blog Post
Online Tech is exhibiting secure and compliant hosting solutions at Detroit SecureWorld 2013, held yesterday and today. Online Tech’s Senior Product Architect Steve Aiello spoke on a panel about network security:
Network Security Industry Panel Discussion
Panelists: Steven Aiello, Shane Harsch, Paul Giorgi, Don Gray, and Carl Herberger
Moderator: Cathy Luders
Where do you see the holes in modern day security programs?
CH: I think large holes that are obvious: BYOD. I think the mobile problem is being omnipresent. I think the problem isn’t BYOD; it’s being able to connect from many devices. The other two are major trends: the virtualization of the network and software defined networking. Every carrier is forced into the conversation because of Google. It’s extremely difficult and doesn’t have native security. The other is ideology attacks. It makes people that you used to be able to trust less so. The group anon suggests that they don’t have to hack, they just have to ask.
DG: On the subject of BYOD, by making a more porous zone of control, you need to acknowledge that you’re leaking your own data. There are people that don’t have a good idea of the security foundations they have in place with their own companies.
SH: Visibility is key. You’re looking at a changing threat landscape that poses a different type of challenge to ops teams. We all have firewalls, antivirus…static controls, which are now just ante to play the game. 9 out of 10 times, it’s not going to be a usual attack.
SA: There’s a certain level of maturity in different sized organizations. If you have the money to get visibility into your threat landscape then great, but a company needs to understand the risks vs rewards, which can help boost the levels of awareness into what’s important.
How does infrastructure design play a role in security?
SA: What we see is that security seems like an afterthought. You buy a commercial package, and you find vulnerability, and then find a web app. Things bolted on are going to fail. We need a better discipline to say what is our last line of defense? Are we patched, are our systems hardened? Do we want to spend the time hardening from the inside out, or being soft on the inside and working on that hard candy shell on the outside?
CH: A lot of security folks are network-oriented. We don’t understand the silos within institutions. We’re outsourcing. Your business is given cogs to the cloud, and if your business isn’t able to handle that, then you’ll be attacked. Another problem is that we don’t view our cloud sources as a part of our infrastructure.
SH: Our infrastructure isn’t fully patched either. We have to think about things smarter. Where’s the important stuff? Who owns that data? How important is it to the business?
Are risk assessments really working, and how do they account for DDOS at commercial banks?
PG: It’s interesting to see people doing risk assessments (RAs) just to do them, and they don’t do anything about it. I never count the high-level count anymore because some people don’t do anything about it. I think there’s still a place for them, and lots of drivers that need them, but we aren’t acting on it.
CH: I think we have lots of evidence that the way we do RAs should be reexamined. Whether that’s true in every org, that’s in the eye of the beholder. They can be a risk themselves, as they have a problem finding some risks that are there. You can’t scan for a lot of DDOS issues. For base threats it’s lacking.
SA: The place I think RAs fall down is that, as IT people, we don’t seem to go back to the balance sheet to get information. I don’t see business owners and financial analysts associated in the risk assessments. I agree that a faulty RA can be dangerous. IT people can’t get their head around the finance sheet.
DG: I think part of the reason they aren’t getting it is that we aren’t making it real for them. I can give them very specific intelligence to give them, but the IT group doesn’t know why it’s as critical as other vulnerabilities. We have to translate the security risk into something the rest of the org is going to be able to digest.
SH: They have value in that they help you where you want to focus. The big important driver is what you want your RA to accomplish. This is impactful to the livelihood of the business. We have to be smarter about how we plan/budget for that. It’s a business enablement center. If you look at it any other way you’re going to pay a significant price.
How can people make infrastructure solutions ‘out of the box’?
SH: You’re going to make decisions with zero visibility. You have to talk about how it’s all going to come together, because it’s all commodity. You can make smarter decisions based on business objectives, but you have to decide how to protect it operationally, and how that’s going to translate into the tech.
PG: Networks, and subsequent security, are all out of the box for each group. The way we’re going to hybrid clouds and virtualization; that is too unique for a streamline. Address each scenario as something unique.
SA: I think there are opportunities when you look at things in our power for a while. Web facing apps: there’s a lot of tech that allows WFAs to keep things in a static manner. If you have good visibility with FIM (file integrity monitoring) and log monitoring, if you’re doing things (load balancing) there are things we take for granted and don’t apply. Nobody likes patching, and no one likes backups. But they’re the most important thing that people can do, the things that give us the biggest value.
CH: If you have the model in your head of doing things as you’ve always done them…consider revising that. Yesterday’s model is going to go away. It’s going to break down. Our new model is going to be like the Netflix CISO…everything is outsourced. Everything is in the cloud. You have to make disruptive techs resilient. And that’s the definition going forward.
DG: When I think of building a resilient model, I think the inside the box thinking is, “I’m going to get this tech, implement it, and it’ll fix the trouble.” There is an incredible amount of security in the tools out today, and people today don’t utilize it the way they should. If you don’t have some expertise, bring in an outside resource to help you tighten down that area. Figure out how to be more aggressive with the tech you have already. You have to really take advantage.
Can you give us insight into encryption?
SH: Don’t use the default settings. Encryption is fundamental to security, but you have to think about HOW it’s being used. That doesn’t solve the issue necessarily. Gone are the days when someone’s going to get into your DCs, and steal your servers. It comes down to smarten the infrastructure. Are you watching that traffic? Is there a normal behavior pattern that is now changed? What’s the role of encryption, and how are you going to use it as a tool?
PG: It’s essential. The issue is securing everything, but then not being able to see anything.
SA: There’s no safe haven. I think that there’s some really awesome work we can do here. How are criminals monetizing data? How long do you need to keep encrypted data for? Do you have the maturity for key management? Do you have the budget to bring in an outsourced provider? What’s the risk of losing data if you CAN’T manage properly? It goes back to data classification. If you know there’s data that is org crashing if lost, just encrypt that.
CH: Encryption is tasking on an infrastructure. That’s a rife environment for DOS. In addition, the inspection problem is a big problem. Encapsulation is also a rife environment.
DG: I would look at algorithms. Boundary between where it’s encrypted and decrypted to be used. To me that’s the more opportunity to get benefit of encryption. Controlling how much has to be decrypted.
How do you bridge gaps between business, security, and IT?
DG: Doughnuts! It comes down to personal relationships. The better you can do at that, the more heads-up emails you’re going to get. To me, developers, infrastructure guys…they all like doughnuts.
SH: Honestly, leadership and purpose. Until we see a fundamental shift in a leadership perspective with how businesses were run, we’re going to have trouble. That comes from a leadership perspective. If seniorship doesn’t buy into security, there is no amount of doughnuts that is going to change that.
SH: Speed of business won’t allow thorough security checks with traditional tools.