When the Equifax breach was announced on September 7th, I was not surprised. When I heard the magnitude of the damage: 143 million US consumers and 44 million British consumers – which equate to roughly 57% and 97% respectively of both country’s populations, age 18 years of age and older – I, again, was not surprised. Why?
The Hybrid Cloud Data Center Paradigm Shift That Leaves Security Behind
Four years ago, I began seeing breaches occur in my customer’s data centers, both on premises and in the cloud and utilizing my customer’s own application workflows to hide their activity as they progressed. Attackers dwelled undetected for long periods of time, spreading laterally with ease. Tools at our disposal for cyberattacks were purpose built for yesterday’s cyber battles occurring outside of data centers. Not only were these attacks in places we weren’t, they also behaved unexpectedly. It was as if we were firefighters battling an internal factory fire while being forced to stand outside the building’s thick concrete walls.
The IT world had shifted dramatically, and, in its transformation, cybersecurity had been left behind. IT, had moved valuable resources to hybrid cloud data centers but cybersecurity solutions and practices had not kept pace with the transformation. Cybercriminals had already seen the shift and adjusted to maximize the larger attack surface, and reaped accordingly.
Equifax provides a great example of a breach that took advantage of this IT paradigm shift. The cybercriminals attacked Equifax’s data centers directly. Focusing on the vulnerability however is like missing the forest through the trees. Equifax’s vulnerability, Apache Struts, was merely the entry point. To steal roughly half the US population’s information and almost all of Great Britain’s so quickly tells us the attackers became well established within the application housing targeted data. They overcame the front-end querying capability to syphon off massive amounts of data while avoiding encrypted data at rest on the backend.
If the IT paradigm shift has changed, as seen with the Equifax attack, how can we bridge that gap? Taking perimeter solutions and endpoints into the hybrid cloud data center environments won’t work. Customization to legacy, traditional cybersecurity solutions to transform them from north-south solutions that bring them into east-west environments is not possible. No matter what retrofitting is done, they are poorly suited for their new working environment.
When looking at new security solutions that can help you avoid being the next Equifax, here are five attributes you should consider for security applications and data in hybrid clouds:
Cybersecurity solutions must be native to the hybrid cloud data center environments in which they live. They must be built from the ground up work seamlessly across the entire heterogeneous space which includes everything from hypervisors, containers, images, various cloud topologies to legacy bare metal and even those old mainframes.
Cybersecurity solutions must work in a converged fashion, providing a single solution that is flexible and works across the entire heterogeneous environment. In the hybrid cloud data center these solutions must work across everything from hypervisors, containers, images, various cloud topologies to legacy bare metal and even old mainframes. Converged solutions provide solid gains while reducing complexity. A great example is microsegmentation within the data center workloads. There are many point solutions out there which only solve segmentation within a particular portion of the environment and do it poorly. Each cloud provider provides Layer 4 segmentation but these are only specific to their particular cloud and provide zero process level visibility. The same can be said by a few vendors who do the same for on premise workloads. In order to truly do microsegmentation you need a converged solution that works across all of your environments seamlessly, provides visibility to allow you to accurately create policies and which reside at the Layer 7 process level.
Working within the Hybrid Cloud Data Center you must have multiple options for deployments from low touch to high touch. This enables deployment across the entire spectrum and provides room to grow. Flexibility also refers to fitting any provisioning and management model used by the DevOps teams. For example, when dealing within these environments you may or may not be able to deploy agents, therefore, your solution should offer both agent-based and agentless options. When dealing with agents, ones which are truly lightweight, easily provisioned by any provisioning mechanism deployed by DevOps staff (Chef, Puppet, Ansible, etc.) and requires zero reboots, are considered preferable and DevOp friendly.
By far the most important thing you need is visibility within the data center. Visibility must be at process level and into the application workflows, supplemented with rich contextual data from the various platforms, and orchestrations from which they came. With this rich visibility, you have enough context to create global, macro and micro segmentation policies easily and quickly, and have the ability to find compliance issues. Most importantly, when it comes to attackers, you can see their movements and even redirect them dynamically into secure spaces where you can securely remove them from the real environment and reveal their tools, techniques and exploits, capturing every packet, keystroke and screenshot in the process.
5. DEVOPS RELEVENT:
If a solution provided does the above, then the priceless data and protection will be readily useful, adoptable and valuable to the DevOp personnel themselves which is key for success. The Hybrid Cloud Data Center is their environment and when you become relevant to them you become their partners and allies.
If you are a CISO or cybersecurity professional, by evaluating new security solutions based on these five attributes, you will bring cybersecurity back into relevance and take a big step to avoid becoming the next Equifax in the process.
Note: This article also appeared in the Cyber Defense eMagazine in October, 2017.