Risk
11/20/2013
09:06 AM
Ed Amoroso
Commentary

The New Security Architecture

Recent high-profile attacks reflect a new reality in which perimeter-based security models are increasingly less effective in protecting key corporate assets and information.

Over the past 18 months, many corporations have been forcefully introduced to a new era of highly visible security events, from large-scale Distributed Denial of Service (DDoS) attacks to social media account takeovers. To those outside the security community, this may feel like a sudden assault on the world’s organizations, but these attacks are merely the tip of an iceberg that has been growing inside enterprise networks for more than two decades.

What lies beneath
Since businesses first opened up their networks with Internet gateways in the early 1990s, we’ve seen security administration become increasingly distributed, enterprise perimeters become less effective, and frantic protections impede user experience. For organizations realistic enough to accept that their perimeter no longer protects key assets and intellectual property, there is a new model for enterprise security that brings together mobile devices, identity and access management, virtual private networks, and cloud infrastructure.  

However, this new model requires security teams to rethink their reliance on traditional firewalls and adopt a new paradigm better suited to protecting against ever more sophisticated and stealthy threats such as Advanced Persistent Threats (APTs). Audits and certifications will also have to be redesigned and businesses will need to prioritize their protection decisions.

Management priorities 
Understanding where to reduce, maintain, or increase security investments will be critical to mounting an effective defense against the next evolution of threats. Reducing investments in legacy systems, including perimeter-based firewalls, untethers essential resources that support the trajectory of today’s business transformations into mobile and the cloud. Maintaining existing protections while transitioning to advanced architectures is important, but adding more sandbags to traditional perimeter strategies will provide limited return.  

The challenge, then, for senior management and audit teams, is to focus protection efforts on the most critical resources. But this strategy will require a major change in thinking since the most basic tenet of today’s corporate audit involves testing controls to ensure 100 percent compliance with corporate policy. This mentality needs to change so businesses can prioritize investments on protections that will yield the best possible security posture. Forward-thinking security teams are already heavily invested in network-based protection, and are increasing investments in virtual security operations. 

Securing mobile business
For now, the most pressing security needs for most businesses include the rise of BYOD, mobile threats, and the cloud.  Other threats include the ever-increasing sophistication of DDoS attacks and APTs. Network-based protections, also known as cloud-based protections, are minimal defenses against all of these threats because of the network visibility required to detect and mitigate them.  

With the network as the foundation, security teams can then create security “zones” to provide customized levels and types of protection for each asset based on its individual risk profile. For example, access to an asset categorized as high risk could require device-level controls, multi-factor identity authentication, VPN/secure tunnels, and API verification. Access to a low-risk asset could be managed with fewer controls.

Look up to the cloud
The future of cybersecurity will be virtualized, moving management and threat detection to the cloud. When deployed properly, the cloud provides several critical security advantages over perimeter-based models, including greater automation, self-tailoring, and self-healing characteristics of virtualized security. In this new architecture, identity and access management should be viewed as primary controls enabling the cloud to become the platform for enterprise security. This approach allows security teams to decouple security software from hardware and deliver on-demand protection rapidly and flexibly via APIs.

Do you see the demise of traditional perimeter-based security in your organization any time soon? Let’s chat about what that will mean in the comments. 

Comments
Susan Fogarty,
User Rank: Apprentice
11/21/2013 | 5:21:27 PM
Re: Compliance vs. security
Ed, thanks so much for your response. I'm aware that the carriers are constantly monitoring their networks for developing threats. I guess I am surprised that we haven't seen that much uptake in managed security services by enterprises so that they can take advantage of that. There seems like a lot of potential that could really be leveraged.
Ed Amoroso,
User Rank: Apprentice
11/21/2013 | 1:09:17 PM
Re: Compliance Testing Doesn't Go Away
Jerry, we actually agree on the first point, but perhaps it wasn't clear before. I was not suggesting that compliance and control testing should go away, but that these tactics alone are not a perfect reflection of your security posture and can distract a security team from critical priorities. For example, you can have the appropriate controls in place and functioning properly, but if an employee is caught by a phishing email and adversaries gain access to your network, they can work around all your controls. This is one reason why network visibility is so important. You need to understand what is going in and out of your network at all times because today's adversaries can adjust their tactics in real-time, so businesses need to have the ability to recognize those tactics and react quickly.
Ed Amoroso,
User Rank: Apprentice
11/21/2013 | 1:08:44 PM
Re: Compliance vs. security
Susan, for AT&T customers, our network is their first line of defense. In fact, we track hundreds of millions of security events every day to protect our network and our customers from malicious threats. The challenge for businesses is that Internet traffic comes into their corporate networks from a variety of sources, so it's important to have visibility into your organization's specific network. This level of visibility is also critical for detecting unauthorized access to your corporate assets.
Ed Amoroso,
User Rank: Apprentice
11/21/2013 | 1:07:39 PM
Re: Compliance vs. security
David, compliance is not going away and it's become part of the job for those of us responsible for protecting corporate networks. However, as Jerry points out below, controls are not 100% foolproof and are inadequate when it comes to dealing with a live adversary. Consequently, a business that passes all of its audits can still be extremely vulnerable to attack. I believe effective programs give high priority to security innovation and to developing a team that can mitigate threats in real-time.
Ed Amoroso,
User Rank: Apprentice
11/21/2013 | 1:04:12 PM
Re: Investment priorities
Marilyn, I think an important first step for senior management is ensuring that CSOs are bringing a solid foundation of networking and cybersecurity expertise to audit discussions. In the future, I expect we'll see more highly technical security professionals sporting PhDs and a deep understanding of networks, infrastructure, and devices. These technical experts know the importance of adopting threat detection and mitigation practices, rather than putting all the organization's time and energy into compliance.
BillatDellSoftware,
User Rank: Apprentice
11/21/2013 | 10:29:35 AM
Re: Determining risk value
Marilyn, Thanks for the tip on the Dave K article.  I really like the last line: "Over the longer term, the only alternative to risk management is crisis management, and crisis management is much more embarrassing, expensive and time consuming." 

We are providing Dave a review of our IAM business in a few weeks.  I'll be sure to bring this one up.  Thanks!

 
Marilyn Cohodas,
User Rank: Strategist
11/21/2013 | 10:15:11 AM
Re: Determining risk value
These are all great questions about prioritizing assets and determining risk, Bill. Let's throw them out to the security community to see what risk management strategies and tactics are working and not working in their respective organizations.

Also want to point you to Dave Kearns' column: Understanding IT Risk Management In 4 Steps X 3, which outlines a risk management matrix that combines the probability of harm and the severity of harm. 
BillatDellSoftware,
User Rank: Apprentice
11/21/2013 | 8:25:04 AM
Determining risk value
Ed, this is an excellent article insofar as it looks at the changing IT landscape and how that impacts security in the enterprise both today and in the future.  I work for Dell Software and spend a good deal of time speaking with customers who are experiencing very similar challenges.  One of the topics I would like to hear more about from you is how you go about prioritizing assets.  You mention in the article that you need to invest more to protect "high value" assets than you do for "lower value" assets.  How do you go about determining those risk values?  Do you allow the business to classify apps and content?  Do you have an automated tool that strives to check each document and assign risk to it?
Susan Fogarty,
User Rank: Apprentice
11/20/2013 | 6:04:42 PM
Re: Compliance Testing Doesn't Go Away
Jerry, I like your analysis. The problem comes when companies equate compliance with security and think if they are compliant, then everything will be fine. But there are a lot of other protections that may be needed. A risk assessment should point those out.
JerryJ,
User Rank: Apprentice
11/20/2013 | 1:21:33 PM
Compliance Testing Doesn't Go Away
Ed, you wrote "...most basic tenet of today's corporate audit involves testing controls to ensure 100 percent compliance with corporate policy. This mentality needs to change..." It may be semantics, but I respectfully disagree. You always need to test controls. Too often, in my experience, an adversary has taken advantage of a failed control that was thought to be in place. That said, you need to be certain you've selected and implemented the correct controls to begin with, recognizing that the technologies we deploy and the motives, skills and modus operandi of the adversary are ever evolving.

You finished your thought with "...so businesses can prioritize investments on protections that will yield the best possible security posture." This I agree with 100%. I was once on a panel speaking on risk management and was asked, "so does risk management eliminate the need for the compliance checklist?" My reply was, "No. Risk management is a way to prioritize the compliance checklist." I would also add that risk management is a way to evolve the compliance checklist.