Why is the IT industry beginning to look at next-generation enterprise security architecture? According to Johna Till Johnson, CEO at Nemertes Research, the number -- and nature -- of threats is changing with each passing hour. And as threats become more complex and multifaceted, consequences for not protecting the business rise. This reality keeps many CIOs up at night.
In part one of this webcast on enterprise security architecture, Johnson touches on the imminent threat of cyberwarfare and how attacks are becoming more personalized. She explains that attackers aren't only paying attention to an organization's vulnerabilities; they are using their cyber-weaponry to study companies and hit where it really hurts.
Some of Johnson's reasons to rethink security:
- Major consequences: Failure to protect the organization against security threats has major consequences for the IT department and IT leadership within.
- Threat sophistication: The attack ecosystem is becoming very specialized, and with specialization comes scalability.
- Perimeterless environment: The days of a self-contained environment that you can draw a line around are over. There are "bad guys" both inside and outside of the organization.
Are you able to protect your organization against the worst threats? If not, are you prepared for the consequences? Watch part one of this webcast and read the full transcript below.
Johna Till Johnson: A lot of people are asking, "Why are we looking at next-generation security now?" And, "What is next-generation about as opposed to last generation? When does a generation start, and begin? Why is it time for one now?"
So first off, the universe of threats and the regulatory responses [are] changing. I don't think I have to tell anyone that's watching this that threats have gotten more multifaceted, many more threat vectors, and also much more serious. If you look at the teal line, we've moved from a model where there was hacking for fun and fame to literal cyberwarfare.
In fact, I was just at a conference ... where we were talking about cyber-weaponries. So the warfare image is not fake, and in fact, one of the predictions that was made at this conference -- and I take very seriously -- is we're going to start to see our first deaths from cyberwarfare starting next year. I devoutly hope that prediction is incorrect, but I fear that it is actually correct because it's possible to kill somebody once you start targeting things like Internet of Things that control things like heart monitors and cars and medical equipment and all sorts of other critical networks.
We've moved from playing around to war. The threats have changed from denial of service to botnet armies, from viruses to polymorphic attacks and advanced persistent threats (APT). And above and beyond all of this, one of the things that's really happening is personalization.
Targets are not just [saying], "Hey, look, here's a company that has some vulnerabilities. Let me run in and see what damage I can do." The attackers will decide who they're going to target, focus on targeting that organization, and then put effort and insight into going after that particular organization in a very personalized way, and that's actually going to matter as we talk about some of the next-generation architectures.
At the same time, the consequences for not doing a good job, for failing to protect your organization, have gone up and up and up. And in fact, one of the most recent PCI shifts has been that now, if there's a PCI attack in a point-of-sale transaction, the least secure and least compliant piece of that chain is now most liable. So if you happen to be the kiosk, if you happen to be the credit card company, or if you happen to be the retailer, whoever's the least compliant is most liable. So there's positive pressure to be compliant financially.
Screwing up is starting to have more and more consequences. And, I wouldn't even call it screwing up because it's not the fault of the person getting attacked (that's like blaming someone for getting mugged), but failing to take adequate protection has increasing consequences. So that's one reason why it's time to rethink how you're doing security. But there are other reasons.
Another reason is that the attack ecosystem has gotten very, very specialized. As most of us who have studied economics know, specialization is a key piece of making any economy highly scalable. Essentially what's going on is there are multiple steps and components in any attack. There's creating the attack and the exploit, uncovering the vulnerability, launching the botnet (if that's part of it), infiltrating and exfiltrating the data, capturing that information and monetizing it, and then laundering that money so it looks clean.
What's interesting is there's almost an inverse correlation of those steps between genius required to do them and criminality of the steps. What we mean by that is it is not illegal to create an attack, create an exploit or discover a vulnerability. If it were, there would be entire universes of white hat attackers and cyber researchers who would no longer exist. That's their job. They're supposed to go around and look for vulnerabilities and see how they respond under attacks. It just happens to be a very hard thing to do, which is why the genius requirement is so high.
The other end of this ecosystem, laundering money, is clearly illegal, regardless of whether it's cyber money or real money or anywhere in between. And monetizing that information -- selling things like Social Security numbers -- is obviously pretty illegal as well.
But what's interesting here is you've split the criminals and the geniuses, and you've also built almost a paint-by-numbers way to attack. People can literally say, "I want to attack Company X and locate for hire everyone in this entire ecosystem, and then hire these folks to do what they do best, put together that attack and mastermind the attack," and have no particular expertise in any of these steps [themselves]. And this is, for example, what countries are starting to do when they're targeting assets of other countries. It is a very serious situation, and the nature of the attackers has really changed a lot.
So what does this mean from a technology perspective? I'm sure everybody listening to this has heard this a zillion times, but the perimeter is over. The idea of a perimeter is actually an interesting one. It's an old-school military model that says the perimeter is the juxtaposition of the territory that I control and the territory that the enemy controls. The bad guys are on the other side, the good guys are on my side.
As soon as I express it like that, you realize what the problem is because we're operating in a world in which not only may the bad guys be on the inside of the so-called perimeter, but they may have infiltrated the perimeter so that, to stick with the metaphor, the very trees and rocks are now enemy attackers from inside the perimeter. So that model really doesn't work.
It also doesn't really describe the typical architecture today, which looks a lot more like this:
The typical architecture is very limited in terms of how much is actually on a private network or a private environment. Companies are increasingly using public clouds, software as a service, infrastructure as a service, platform as a service. Resources often live there. They still have their private clouds and private data centers, and then they are increasingly moving to a hybrid WAN, which is a mix of public Internet and private WAN technologies like MPLS.
And then their users are distributed among branch sites and also remote sites, and can be literally anywhere in the world. So the idea of a nice, self-contained environment that you can draw a line around and say, "This is the perimeter; inside equals good, outside equals bad," is obsolete. I think most people are aware of that, but it is still worth thinking about.