The way businesses and IT teams are executing today has dramatically changed and will only continue to do so. More and more organizations are embracing DevOps, Infrastructure as a Service (IaaS) and application-centric practices. The goal of these changes is to enable IT teams to dramatically accelerate and more effectively adapt and respond to their organization’s business needs.
For security practitioners, the real question is this: as these changes are adopted, are you prepared to change your approach to security to keep up with the way your organization’s business and IT teams are evolving? Hopefully you are; however, if you are like most organizations, you are still heavily focused on the traditional, legacy approach to security. Now is the time to rethink that strategy and shift your focus to where the business is going.
First, let’s look at that traditional approach to security, why it evolved the way it did and one major gap that we never managed to address. Then we’ll look at the ongoing shift that’s taking place and how security teams should be seizing this opportunity to align our security approach with the changes that are taking place before it’s too late.
The Traditional Approach
When IT and information security practices first came to be, we as security practitioners were tasked with securing an existing infrastructure built by network engineers, system administrators and application developers. Since the systems were already deployed, the applications developed and the networks designed and implemented, our natural reaction was to take the path of least resistance: we built security around the infrastructure we were handed. We created a defined perimeter with the systems, applications and data placed securely in the center of that design. This perimeter approach mimics the innate human approach to protecting anything: protect it from the outside first. Next, we saw an inherent risk in the way users interacted with our networks and systems, so we turned our focus to securing our endpoints.
As time went on, we noticed that attacks were getting more sophisticated and that our perimeter and endpoint security solutions were ineffective, so we invested in the Next-Gen versions of everything that was already not working, because the Next-Gen version was bound to solve our problems. Then, while we were still questioning the security of our Next-Gen solutions, users became mobile and attacks became even more complex. Some describe this stage in the evolution of the enterprise infrastructure as its becoming “borderless”. This forced us to implement even more security technologies, and with so many disparate systems reporting in, we were left with major “alert fatigue.”
Now, not only have we become overwhelmed with the number of alerts, but we also do not have enough people to analyze them. Sound familiar yet? I realize this is an oversimplification of the evolution of our security approach, and it doesn’t account for compliance, politics and budgets, but I think we can all agree that this is the approach we’ve taken as an industry and that it has gotten us to where we are today.
What We Missed Along the Way
If we look back at the one area we didn’t focus on during that traditional approach, which most organizations still rely on today, we’ll notice an obvious gap. While we were busy building a hardened exterior with perimeter tools and mitigating the risks posed by our endpoints with a bevy of point solutions, we forgot to address the core of the environment where the data resides: the data center.
Think about it: according to Gartner, organizations will spend close to $87 billion on information security in 2017. That’s a lot of money invested in security technologies that have not only failed us, but have also failed to address a core part of our environment. When we think about that number, doesn’t it sound absurd that we invested billions of dollars and never really invested in tools that gave us any visibility, security or control over what was going on inside the data center, the part of the environment where the most sensitive systems and data reside?
When I think about that lack of investment inside the data center and then think about the recent Ponemon Institute report stating that the average dwell time before we identify a breach is 191 days, it all starts to make sense. The reason we can’t detect an attacker once they’re inside the network is that, once they’ve gotten past the perimeter tools and the endpoint solutions and made their way into the core of the environment, we’ve officially lost their scent, and now they have a whole data center full of servers and applications that they can access without triggering an alert.
Well, let’s not live in the past; let’s focus on what’s going on right now, because we’re being presented with a unique opportunity to change the way we approach security.
The way businesses execute is changing, becoming more agile and distributed in an effort to bring better innovations to their customers. These changes include embracing Infrastructure-as-a-Service (IaaS) solutions, which now require supporting a hybrid enterprise environment comprised of bare metal, virtualized and cloud-based servers and workloads. Infrastructure teams are now tasked with supporting a hybrid infrastructure, which means security teams need to adjust their approaches to securing that infrastructure. Our systems, applications, workloads and data no longer reside only inside the network; they are also distributed across various public cloud solutions.
The other major change is the shift to a DevOps model built around collaboration and speed. Systems are spun up at record speed and new code is released multiple times a day, which means keeping track of servers and workloads in the environment has become even more critical to our approach to securing them. When new servers and workloads come online, security teams have a limited window to ensure the system is secure before it ends up in production. Traditionally, security practices have not been nimble enough to support this pace. Our change management, patching and testing processes have resulted in DevOps teams circumventing our practices in order to keep up with the demands of the business.
What Can We Do About It?
As businesses evolve and embrace IaaS and DevOps as the backbone and catalyst of their new and improved infrastructure, now is the time to work closely with our IT departments so that we really understand the needs of the business and the way our IT counterparts are supporting those needs. Then we can adopt strategies and tools that scale to meet those requirements, giving us visibility into the hybrid infrastructure and the flexibility to keep pace with the DevOps approach.
It’s time to begin implementing security technologies that give us visibility, security and control over this new hybrid enterprise environment, which is even more complex than the on-premise environments we were previously trying to protect. If we don’t start now, we lose our chance to build security into these hybrid enterprise environments and we’ll be forced to carry on with our traditional approach.
So, what types of security strategies and tools should you be looking for to keep pace with your business as it continues to evolve? I’ll cover what to look for in those strategies and tools in part two of this blog series, so keep an eye out by following GuardiCore on Twitter and LinkedIn.