Think of today's enterprise cybersecurity defenses as a bank vault with 3-inch-thick steel doors and plywood walls...
-- heavily fortified and terribly vulnerable at the same time.
That's how Stuart Madnick, director of the Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity at the MIT Sloan School of Management, describes the state of enterprise security. "The biggest problems aren't being addressed," he said.
Madnick is not alone among cybersecurity experts in taking a dim view of the current state of enterprise security.
"The offense is gaining ground and the defense is definitely losing ground just about everywhere. Things that we thought would have to be secure, that we believed were secure -- that was just optimism and not reality," said George Wrenn, cybersecurity officer and vice president of cybersecurity at Schneider Electric.
Madnick, Wrenn, other cybersecurity professionals and researchers said there's a litany of problems with the approach that most organizations take when it comes to protecting their IT systems and the data they hold. As recent headline-making data breaches have revealed, problems range from insufficient governance to inadequate controls that create environments ripe for exploitation.
"What we learn after all these breaches is just how bad these environments were. A lot of the breaches are a product of a culture that oftentimes favors 'get it out there' or some other priority that is not directly related to safety or security," Wrenn said.
Mismatch between risk and spending
Recent research studies reinforce these views.
The 2015 Black Hat Attendee Survey, which polled 460 top-level cybersecurity experts, exposed significant disparities between what these security professionals view as the biggest threats and how their time and enterprise's security dollars are actually spent.
Some 57% of those polled said sophisticated, targeted attacks are their greatest concerns, followed by social engineering (46%) and accidental leaks by users failing to follow security policies (21%). But they listed their most time-consuming tasks as addressing vulnerabilities introduced by internally developed software (35%) and addressing vulnerabilities introduced by off-the-shelf software (33%).
Although cybersecurity experts said policies, procedures, good governance and training remain essential tools, particularly to guard against employees falling victim to socially engineered attacks (i.e., phishing) or inadvertently exposing sensitive data, they also pointed to new technologies and best practices that can enhance an organization's security profile.
"There are stories every day across the globe today that show that advanced security programs -- intelligence sharing and advanced technologies and tools, and the use of additional levels of controls in your environment -- can reduce the chances of a breach," said Roland Cloutier, vice president and CSO for ADP.
Data coding, micro-virtualization, biometrics
The best approach to cybersecurity continues to focus on two points, according to Cloutier and other cybersecurity experts: the continuous implementation and upgrading of sophisticated security controls as well as the ongoing education of users and company leadership about risks.
"It's a sustained, constant improvement to your security posture, along with education for the people using the technology that will keep you ahead of that threat," he said.
Advanced security practices include developing policies that limit the amount of data organizations keep, thereby lowering their potential exposure in case of a breach, said cybersecurity experts.
Similarly, leading organizations are implementing systems that keep data coded throughout the stack. To do this, Madnick said companies are encrypting data not just when transmitting it but even when stored, with decrypting happening only when an authorized user needs it.
New technologies, such as increasing use of biometrics to authentic users and granting access to authorized users only, are helping prevent employees from inadvertently exposing the business to risk.
Another advanced technology helping companies improve their security posture is micro-virtualization, which takes applications and subprocesses from hardware and runs them in an isolated environment.
"So, all the interaction from the outside world with your machine happens in that mini-machine. And when you're done with that session, it goes away. It creates that segmentation, so as soon as you close your browser, it's like it never happened," Cloutier said, adding that he and his team are "migrating over to that as fast as we can."
Then there's intelligence-led security, which analyzes data to gain insight into a company's IT systems and sends alerts or halts processes when something abnormal is flagged.
"This gives us the ability to pull that needle out of the haystack. We have analytics capability that we never had before, so we can collect lots of information and run purpose-built analytics to see if there's something going wrong in the environment," Cloutier said.
Re-engineering IT systems
These newer tactics, however, come with their own challenges, cybersecurity experts warned.
Take data, to start. Many organizations don't have strong policies and procedures on what data to keep and what to eliminate, Madnick said. Moreover, even organizations that have addressed the data question generally keep more than they should, thinking that all data could have value.
Meanwhile, organizations that want to encrypt data throughout the stack find they have a significant project that generally includes re-engineering their IT systems and business processes -- a project that without any top- or bottom-line impacts becomes hard to sell to executives, Madnick said.
Re-engineering, though, is really what's needed, according to Steve Wilson, vice president and analyst at Constellation Research Inc.
"Of course training and governance and security policy are essential, but I fear that security has become excessively reliant on process," Wilson said, adding that audit remains as the security's dominant weapon against attack. "It's ridiculous. … The underlying problem is our IT systems are so brittle that they break, just weeks (or sooner) after an audit is passed.
"We must instead make our systems less brittle, more resilient, more stable, more reliable," he said.
Wilson, whose research focuses on digital identity and privacy, listed his recommendations:
- Reformed software development practices, more attention to detail, less rush to get apps out the door;
- Rigorous software standards; ban the GoTo statement; teach people structured programming;
- Widespread code inspection and independent testing;
- New test tools as well as more research and development on static analysis and dynamic analysis;
- Simpler operating systems; and
- In a recommendation that will likely surprise many -- a lot less connectivity. "Revisit why things need to be so joined up; reduce our addiction to being on online all the time; take old assets off line," he said.
About the author:
Mary K. Pratt, a freelance writer based in Massachusetts, writes frequently about business management and information technology. She can be reached at firstname.lastname@example.org.
Human error is enemy No. 1 of enterprise security