
Security Management

11/15/2017
03:10 PM
Simon Marshall

Should Security Silos Still Stand?

DevSecOps would tear down every functional silo in security. Is that a good thing, or do corporate silos still serve a valuable purpose?

DevSecOps needs a big shake-up. Given IT security's rich heritage, the "security as code" movement is fairly freshly minted. Yet already it is simply not working as well as it should in practice.

The main issue stems from the way that operations, security and development work together. Recent history has taught us that security has taken a fairly tight rein in the three-way group, operating at one end of the DevSecOps continuum. At the other end, development has been frustrated and feels like its wings have been clipped. There needs to be a happy medium in this dynamic.

That's according to PJ Kirner, founder and CTO at Illumio -- considered a unicorn company -- a firm that segments data centers in order to adaptively contain security threats. [Editor's Note: A "unicorn company" is a startup company valued at $1 billion or more.] "The DevSecOps shift of control from Ministry of Security, aka 'the department of no,' to the model where the developer can do anything and everything, was an overcorrection," he said. "Next year, we will realize that this should not be a democratizing movement (where) everyone gets a vote, but rather more of a republic model."

His view is that collaboration and productivity are undermined if security has too heavy a hand, but that the de-siloing needed to sustain continuous software development should be done from a safer footing.

"What I think is a challenge is that some people really take that to an extreme, and say, 'all these resources and all of these people are completely fungible'," Kirner told SecurityNow. "The level of expertise needed and the respect for the expertise has kind of gotten lost within the organization in the desire to break down the silos."

Organizations are apparently struggling to define exactly when de-siloing makes sense, and where expertise is critical to making projects successful. No one person is a subject matter expert in development, security and operations, so the real skill is being able to make good judgment calls, and not relying on a set-in-stone playbook or a rigid team structure.

It seems like next year will be a busy one for security. Alongside fixes for DevSecOps, Kirner foresees major changes in Personally Identifiable Information (PII) security. Few would disagree that this has been an annus horribilis for widespread PII theft, one that has left a black cloud on the horizon as people hunker down and hope their details have not gone missing.

There's a good case for reasoning that, in total, the majority of US citizens will have been affected by a combination of big attacks such as Equifax, Deloitte and Sonic Drive-In. It seems inevitable that this black cloud will soon burst, washing away countless identities.

"Our identity is no longer ours. PII is no longer valid, since so much of it has been exposed in breaches over recent years," he said. He expects that the data stolen to date will be repurposed into another phase of attacks; for example, it could be weaponized in attacks on major institutions in the government, healthcare or financial verticals. The main danger here is that, because of the richer identity picture that hackers have been able to build over time, phishing and social engineering attacks -- already remarkably successful -- will become even more difficult to distinguish from the real thing.

"The scary part is that so much data has been lost -- huge pieces of people's lives," said Kirner. "Organizations need to start taking securing their customers' data much more seriously. We need more agile and adaptive security controls that move at the real pace of the business."

One area of improvement, given that cyber-attacks are rampant, is to move into a damage control mode before an attack happens. Illumio specializes in micro-segmentation of data centers, essentially enabling businesses to compartmentalize their environments and thereby limit or totally isolate an attack before it spreads.

"If someone's building a submarine, and there's only one compartment, there's a breach, the ship sinks, and everyone is killed. But say you build a set of redundant compartments. Then if there's a breach, you close off the affected compartment and corral everyone to the mess hall. Everyone lives."
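To make the compartment analogy concrete, here is an added example (not Illumio's code or the article's) of a label-based, default-deny segmentation policy with a simple blast-radius calculation. Workload names, roles, environments and the allow rules are all constructed for illustration; the point it shows is that a compromised web node can only reach what its explicit rules permit, whereas a flat network lets it reach every compartment.

```python
"""Default-deny micro-segmentation policy evaluator with a blast-radius check.

Added example; the workloads, labels and rules below are constructed, not taken
from any real environment or product.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    name: str
    role: str   # e.g. "web", "app", "db"
    env: str    # e.g. "prod", "staging"


# Policy is written on labels, not addresses: (source role, destination role, port).
# Anything not listed here is denied, and flows never cross environments.
ALLOW_RULES = {
    ("web", "app", 8080),
    ("app", "db", 5432),
}

# Constructed sample inventory.
WORKLOADS = [
    Workload("web-1", "web", "prod"),
    Workload("web-2", "web", "prod"),
    Workload("app-1", "app", "prod"),
    Workload("db-1", "db", "prod"),
    Workload("db-stage", "db", "staging"),
]
WL = {w.name: w for w in WORKLOADS}


def is_allowed(src: Workload, dst: Workload, port: int, rules=ALLOW_RULES) -> bool:
    """True only if an explicit rule permits src -> dst:port inside one environment."""
    if src.env != dst.env:
        return False
    return (src.role, dst.role, port) in rules


def blast_radius(start: Workload, workloads=WORKLOADS, rules=ALLOW_RULES) -> set:
    """Workloads reachable from a compromised `start` by chaining allowed flows.

    Breadth-first search over the policy graph: the result is the set of
    compartments an attacker on `start` could touch without breaking policy.
    """
    reached = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for w in workloads:
            if w in reached:
                continue
            if any(is_allowed(cur, w, port, rules) for (_, _, port) in rules):
                reached.add(w)
                queue.append(w)
    return reached


def flat_network_rules(workloads=WORKLOADS, ports=None) -> set:
    """Rules equivalent to a single compartment: every role reaches every role."""
    ports = ports or {port for (_, _, port) in ALLOW_RULES}
    roles = {w.role for w in workloads}
    return {(a, b, p) for a in roles for b in roles for p in ports}


if __name__ == "__main__":
    for src, dst, port in [("web-1", "app-1", 8080), ("web-1", "db-1", 5432),
                           ("web-1", "web-2", 8080), ("app-1", "db-stage", 5432)]:
        verdict = "ALLOW" if is_allowed(WL[src], WL[dst], port) else "DENY"
        print(f"{src} -> {dst}:{port}  {verdict}")
    seg = sorted(w.name for w in blast_radius(WL["web-1"]))
    flat = sorted(w.name for w in blast_radius(WL["web-1"], rules=flat_network_rules()))
    print("segmented blast radius from web-1:", seg)
    print("flat-network blast radius from web-1:", flat)
```

The segmented policy keeps a compromised `web-1` away from the database tier directly and from its sibling `web-2` entirely; the same inventory under flat rules exposes every production workload, which is the one-compartment submarine of the quote above.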

— Simon Marshall, Technology Journalist, special to Security Now
