Complexity is the Real Vulnerability
October 11, 2015
Security is a unique IT discipline. It overlays and supports all other disciplines: compute, networks, storage, apps, data. As IT evolves so does IT security, often with a considerable lag. The introduction of personal computing gave rise to endpoint protection suites and AV capabilities. Networks drove the introduction of the firewall. Applications spawned multiple security disciplines from two-factor authentication to secure app development, vulnerability scanning and web application firewalls. Databases introduced encryption and activity monitoring – and to manage all these capabilities we now have Security Information and Event Management (SIEM) platforms.
Security thought leadership attempts to provide best practices for IT security, including defense in depth, secure development life cycle, penetration testing, separation of duties and more. These fail to address the need for security to move at business speed. When a new capability appears, with a big promise of huge returns through cost savings, employee productivity and business velocity – security teams are expected to respond, quickly. Yet existing technologies, built for past challenges, are often inflexible and unable to adapt. And, unlike in other disciplines, IT security technologies tend to stay in place while layer upon layer of new defenses are built over antiquated ones to address the new requirements. This “hodgepodge” situation is not only a burden on IT staff but also creates real exposure for the business.
A great example of this problem is the dissolving perimeter. Over the past few years, IT security has been helplessly watching the enterprise network perimeter, an essential pillar of network security, being torn to shreds. Branch offices, users, applications and data that were once contained within a well-defined network perimeter are now spread across the globe and in the Cloud, requiring any-to-any access – anytime and anywhere.
How did the security industry respond? Point solutions popped up, aiming to patch and stretch the network perimeter so new data access paths can be secured. Cloud-based single sign-on extended traditional enterprise single sign-on to public Cloud applications. Mobile device management extended PC-centric endpoint management systems. So, past attempts to create and enforce universal policies fell apart as IT security was yet again looking at multiple policies supporting multiple products.
The increased complexity of network security is hitting us at a particularly bad period, when attack velocity and sophistication are at an all-time high. This has two key implications.
One, IT security teams are juggling too many balls: attempting to manage what they own while responding to new and emerging threats. This means they are spending more time running the infrastructure itself than thinking about the threat landscape and how to adapt to it.
Two, complexity expands our attack surface. Hackers target unpatched software vulnerabilities, outdated defenses and product misconfigurations to breach enterprise networks. The more tools we deploy to counter this tidal wave of threats, the bigger the opportunity for attackers to identify weak links and slip through the cracks. At the end of the day, our tools are only as effective as the people who run them and set the security policies – and these dedicated people are simply asked to do too much with too few resources.
How can we tighten our defenses and make our business a hard target?
We have to make our network security simpler and more agile.
Simplifying network security is a real challenge because our assets are just spread all over the place. Network security vendors are constantly looking for ways to improve agility. Yet, keeping appliances everywhere, in both virtual and physical form, still requires a concerted effort to make sure software is up to date, patches are applied and the right configuration is in place – for every location and every solution. With all these challenges, simplicity is a strategic goal for all enterprises. We should strive for a reduced workload on our critical IT resources, fewer policies and configurations to maintain so as to reduce the attack surface, faster automated adaptability to seamlessly keep up with new threats – and more cycles to focus on business-specific security issues.
Cato Networks believes we can make our networks simpler, more agile and better secured. It will take a bold move – rethinking network security from the ground up. We should look for the answer within the same forces that have given rise to the complexity that now dominates our networks: Cloud, Virtualization and Software. But instead of using them to replicate what we already know into a different form factor, we have to break the mold. If we can realign our network security with the new shape of our business, now powered by boundless Cloud and Mobile technologies, we have the opportunity to make network security simple – again.
Cato Networks is ushering network security into a new era. If you want to learn more about our beta program, drop us a note.