‘I’m increasingly convinced that people are spending their information security budgets in the wrong places’, said our Sales Director Paul O’Sullivan when I spoke with him earlier this week.
We sat down together to discuss the current state of the security marketplace and why it might be time for IT professionals to reconsider where they are spending their budget.
Gartner reports that global enterprise security spending rose by 8% in 2017 to a total of £67.5 billion. Yet new findings by the Breach Level Index reveal that 2.6 billion records were stolen, lost or exposed worldwide in 2017, an 88% increase on the previous year.
‘On one hand, the huge rise in information security budgets is great. It indicates that the problem is being taken more seriously at board level, which is always a good thing’, said Paul. ‘However, this increased firepower doesn’t seem to be translating into improved security, as the number of breaches reported has also gone up in line with the spending.’
Making the right business decisions regarding your information security budget
Paul has worked in the infosec sector for over two decades, with market-leading companies including ClearSwift, Proofpoint, Integralis and MessageLabs Group. Prior to that, he cut his teeth specialising in programming and networking for ten years, and is incredibly passionate about securely enabling business transformation.
‘Traditional attack vectors are disappearing fast. These days, modern operating systems are getting increasingly difficult to penetrate. You’ve got Windows 10, OS X, and iOS which are pretty solid operating systems. Linux is robust too, as long as it’s configured properly. Android—depending on iteration and version—is reasonably secure. So that leaves the majority of the attacks to be perpetrated by social engineering or a variety of other things that usually come under the label of insider threats.’
Read the full interview:
If traditional approaches to perimeter security aren’t dealing with insider threats very well, what does work?
Well, there’s the million-dollar question. The thing is, if you embrace the idea that the perimeter is dead, you should also accept that at least some intruders are going to access your network. That’s not that radical, it’s just the reality of the times we live in. It’s then down to you to define a level of acceptable risk and put systems in place in order to try and keep your risk at your defined levels. What those systems look like is also down to you, but fundamentally you’re looking at transitioning to a zero-trust model. As a business case, it’s not unlike having multiple checkpoints across an army base, rather than just having a few guys at the front gate.
We’ve just partnered with Aruba, a leading provider of UEBA security technology, and their analytics platform can automate the detection of attacks through clever machine learning on top of your security systems. UEBA—or user and entity behaviour analytics—learns a baseline level of what ‘normal’ looks like in your everyday environment, watching the way users, network devices and endpoints interact with each other, and then isolates any anomalous behaviour as a potential threat. It means that you can deploy BYOD, use secure file access for remote working, set up VPNs and all sorts of other things that enable modern businesses to function, and still have high confidence in your security posture.
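A minimal version of the baseline-and-deviation idea that UEBA products automate, added here as an illustration and not Aruba's or the post's own code: it learns each user's usual login hours, source hosts and applications from a constructed history window and reports how each new event deviates. The log format, field names and the one-hour slack are assumptions.

```python
from collections import defaultdict

# Constructed sample authentication events (not real log data).
HISTORY = """\
2018-03-01T08:55:12 alice login ok src=laptop-alice app=vpn
2018-03-01T09:10:41 alice login ok src=laptop-alice app=crm
2018-03-02T08:47:03 alice login ok src=laptop-alice app=vpn
2018-03-01T22:05:09 bob login ok src=desktop-bob app=build
2018-03-02T23:12:44 bob login ok src=desktop-bob app=build
""".splitlines()

NEW_EVENTS = """\
2018-03-03T09:02:10 alice login ok src=laptop-alice app=crm
2018-03-03T03:14:27 alice login ok src=kiosk-lobby app=fileshare
2018-03-03T22:40:01 bob login ok src=desktop-bob app=build
""".splitlines()

def parse(line):
    ts, user, _, _, src, app = line.split()  # "src=" / "app=" prefixes stripped
    return {"hour": int(ts[11:13]), "user": user, "src": src[4:], "app": app[4:]}

def learn_baseline(lines):
    """Per user: the login hours, source hosts and apps seen in the history."""
    base = defaultdict(lambda: {"hours": set(), "srcs": set(), "apps": set()})
    for ev in map(parse, lines):
        b = base[ev["user"]]
        b["hours"].add(ev["hour"])
        b["srcs"].add(ev["src"])
        b["apps"].add(ev["app"])
    return base

def score(ev, base, slack=1):
    """List the ways one event deviates from its user's baseline ([] = normal)."""
    b = base.get(ev["user"])
    if b is None:
        return ["unknown user"]
    reasons = []
    h0 = ev["hour"]  # hours wrap at midnight, so 23:00 and 00:00 are adjacent
    if not any(min(abs(h0 - h), 24 - abs(h0 - h)) <= slack for h in b["hours"]):
        reasons.append("unusual hour")
    if ev["src"] not in b["srcs"]:
        reasons.append("new source host")
    if ev["app"] not in b["apps"]:
        reasons.append("new application")
    return reasons

def detect(history, events):
    base = learn_baseline(history)
    return [(ev["user"], score(ev, base)) for ev in map(parse, events)]
```

Real UEBA platforms learn far richer features (peer groups, device-to-device traffic, volumes) and weight deviations rather than listing them, but the baseline-then-compare loop is the same.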
What about the cloud? Everyone’s busy migrating, no?
I’d contend that on the whole, modern cloud services have been designed with security in mind. Take Dropbox, for example. In their early days, Dropbox built on Amazon’s S3 servers. It gave them the ability to scale at speed, but they were very wary of trusting a public cloud platform with their customers’ data.
They designed their architecture in such a way that a customer’s data is encrypted between clients, and data blocks are scattered across their servers, with the accompanying metadata stored separately. When it comes to retrieving a file, the data blocks are pieced back together and decrypted by the client endpoint device. This means that if they’re breached, the contents of the server would be unreadable anyway.
That’s proper security-by-design, and it all came about because they didn’t trust Amazon S3. And rightly so—there’ve been plenty of cases where organisations running their service offering in AWS have been breached, and it’ll only keep on happening as cloud migration accelerates with new cloud offerings.
All that said, it’s worth highlighting that organisations need to understand what is meant by secure and insecure, e.g. in Dropbox’s case, confusing access control with the security of the data, in terms of encryption. Organisations need to take the time to understand the service and how they might need to use a different approach to securing them, which invariably comes back to access control. In other words, a zero-trust approach to the authorised users too.
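The client-side block design Paul outlines, written out as an added example that is not Dropbox's code or part of the original post: the client splits a file into blocks, encrypts and authenticates each one, stores only ciphertext in the block store, and keeps the manifest (block ids, nonces, tags) as separate metadata. The cipher construction, key derivation and block size are stand-ins chosen so the illustration runs on the standard library alone.

```python
import hashlib
import hmac
import os

BLOCK = 16  # tiny block size so a short sample file splits into several blocks

def subkeys(master):
    """Derive separate encryption and MAC keys from one master key."""
    return (hmac.new(master, b"enc", hashlib.sha256).digest(),
            hmac.new(master, b"mac", hashlib.sha256).digest())

def keystream_xor(key, nonce, data):
    # Stand-in stream cipher (HMAC-SHA256 in counter mode); a real client would
    # use an AEAD such as AES-GCM. The architecture does not depend on the cipher.
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def client_upload(master, plaintext, block_store):
    """Split, encrypt and MAC each block on the client; return the metadata."""
    enc_key, mac_key = subkeys(master)
    manifest = []
    for i in range(0, len(plaintext), BLOCK):
        nonce = os.urandom(12)
        ct = keystream_xor(enc_key, nonce, plaintext[i:i + BLOCK])
        tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
        block_id = hashlib.sha256(ct).hexdigest()   # content-addressed block
        block_store[block_id] = ct                  # server holds ciphertext only
        manifest.append((block_id, nonce, tag))
    return manifest  # belongs in a separate metadata store, not beside the blocks

def client_download(master, manifest, block_store):
    """Fetch blocks in manifest order, verify each tag, decrypt on the client."""
    enc_key, mac_key = subkeys(master)
    parts = []
    for block_id, nonce, tag in manifest:
        ct = block_store[block_id]
        expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("block %s failed integrity check" % block_id)
        parts.append(keystream_xor(enc_key, nonce, ct))
    return b"".join(parts)

def server_can_read(block_store, plaintext):
    """True if any stored block contains a plaintext block as-is (it should not)."""
    return any(plaintext[i:i + BLOCK] in block_store.values()
               for i in range(0, len(plaintext), BLOCK))
```

Note what this does and does not protect: a stolen block store is unreadable without the client key, but anyone who can authenticate as the user still gets the decrypted file, which is the access-control point Paul makes above.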
And what kind of impact does zero-trust have on a business?
Essentially, you’re constantly trying to challenge a user to prove their authenticity. If you go too far, the user experience is affected. There’s no reason to make it this difficult, though. These days, you can have company-issued certificates that reside on the endpoint device, and couple those with a fingerprint swipe on a laptop with an embedded biometric reader for a really fast but secure solution. Look what TouchID did for Apple—what seemed like a gimmick actually managed to combine strong user authentication with ease of use. You can steal credentials—it’s a bit trickier to virtually cut off digits….
Building from this, you can then begin to add detailed network access control policies that are dependent on things like individual device, traffic pattern, device health, location or files or application requested. You can start to model typical behaviour and only block access when their behaviour falls outside the normal parameters. This is our mantra—that security shouldn’t impede your organisation’s operations—it should enable them. You want to be secure without holding back your user base.
So to summarise, you’re saying we should be allocating more budget towards zero-trust models and technology?
In short, yes. Insider threats are often described as the most costly to fix as well as the most damaging, but unfortunately, the industry’s stalwart cybersecurity products—firewalls, intrusion detection and the like—just aren’t working.
Perimeter security and defence in depth do little to stop determined attackers. And in a world where you have a whole array of cloud services integrated into a typical modern corporate environment, they are arguably becoming irrelevant anyway. Today’s security professionals need to be making smarter business decisions regarding information security budgets if they want to keep their data and their business safe.