Dark Reading is part of the Informa Tech Division of Informa PLC


Security Management

11/15/2017
03:10 PM
Simon Marshall

Should Security Silos Still Stand?

DevSecOps would tear down every functional silo in security. Is that a good thing, or do corporate silos still serve a valuable purpose?

DevSecOps needs a big shake-up. Given IT security's rich heritage, the "security as code" movement is fairly freshly minted. Yet already it is simply not working as well as it should in practice.

The main issue stems from the way that operations, security and development work together. Recent history has taught us that security has taken a fairly tight rein in the three-way group, operating at one end of the DevSecOps continuum. At the other end, development has been frustrated and feels like its wings have been clipped. There needs to be a happy medium in this dynamic.

That's according to PJ Kirner, founder and CTO at Illumio -- considered a unicorn company -- a firm that segments data centers in order to adaptively try to stop security threats. [Editor's Note: A "unicorn company" is a startup company valued at $1 billion or more.] "The DevSecOps shift of control from the Ministry of Security, aka 'the department of no,' to the model where the developer can do anything and everything, was an overcorrection," he said. "Next year, we will realize that this should not be a democratizing movement (where) everyone gets a vote, but rather more of a republic model."

His view is that collaboration and productivity are undermined if security has too heavy a hand, but that the de-siloing done to encourage continuous software development should start from a safer place.

"What I think is a challenge is that some people really take that to an extreme, and say, 'all these resources and all of these people are completely fungible'," Kirner told SecurityNow. "The level of expertise needed and the respect for the expertise has kind of gotten lost within the organization in the desire to break down the silos."

Organizations are apparently struggling to define exactly when de-siloing makes sense, and where expertise is critical to making projects successful. No one person is a subject matter expert in development, security and operations, so the real skill is being able to make good judgment calls, and not relying on a set-in-stone playbook or a rigid team structure.

It seems that next year will be a busy one for security. Alongside fixes for DevSecOps, Kirner foresees major changes in Personally Identifiable Information (PII) security. Few would disagree that this has been an annus horribilis for widespread PII theft, one that has left a black cloud on the horizon as people hunker down and hope their details have not gone missing.

There's a good case for reasoning that, in total, the majority of US citizens will have been affected by a combination of big attacks such as those on Equifax, Deloitte and Sonic Drive-In. It seems inevitable that this black cloud will soon burst, washing away countless identities.

"Our identity is no longer ours. PII is no longer valid, since so much of it has been exposed in breaches over recent years," he said. He expects that the data stolen to date will be repurposed into another phase of attacks. For example, it could be weaponized for use in attacks on major institutions in the government, healthcare or financial verticals. The main danger here is that, because of the richer identity picture that attackers have been able to build over time, phishing and social engineering attacks -- already remarkably successful -- will become even more difficult to distinguish from the real thing.

"The scary part is that so much data has been lost -- huge pieces of people's lives," said Kirner. "Organizations need to start taking securing their customers' data much more seriously. We need more agile and adaptive security controls that move at the real pace of the business."

One area of improvement, given that cyber-attacks are rampant, is to move into a damage control mode before an attack happens. Illumio specializes in micro-segmentation of data centers, essentially enabling businesses to compartmentalize their environment and thereby limit or totally isolate an attack before it spreads.

"If someone's building a submarine and there's only one compartment, then when there's a breach, the ship sinks and everyone is killed. But say you build a set of redundant compartments. Then if there's a breach, you close off the affected compartment and corral everyone to the mess hall. Everyone lives."

— Simon Marshall, Technology Journalist, special to Security Now
