A CIO recently captured the current security scenario quite aptly. He said, “ I will not be promoted for doing security right and spending money on it, but I can be fired if things go wrong. The other challenge with security is that the stack has become very complex and I do not know when it’s enough, given the very large number of tools and vendors.”
The cloud security tools landscape has seen a tremendous change in the last few years. However, the core security issues faced by customers are unchanged. Over 15 years ago, these were the industry’s main security issues (SANS2001):
- Poor password management
- Leaving your computer on, unattended
- Opening e-mail attachments from strangers
- Not installing or updating your anti-virus software
- Laptops on the loose
- Plug and Play without protection
- Not reporting security violations
- Always behind the times (OS, application patches)
- Keeping an eye out inside the organization
Each of these issues is a security challenge even today. Cloud, IOT, BYOD, Social Media, and Mobile are now part of the mix, each of which has its own security challenges. These challenges have resulted in making the current security stack quite complex as there is a separate tool for every aspect of security for the perimeter.
Even though there are thousands of companies focused on cybersecurity for different aspects of IT, everyone is trying to solve just a handful of fundamental problems:
- Detection Time: The time it takes to detect breaches still remains long as highlighted by recent security breach reports. It takes months, if not longer, to discover security breaches and, most of the time, the organization learns about the problem from an external party.
- Alert Quality: This is still an unsolved problem. No security vendor wants to admit that their tool missed an attack. As a result, vendors design their systems to inundate customers with endless alerts. Customers get alert fatigue and then gloss over them, which leads to even poorer security. Niemen Marcus faced this exact issue.
“These 60,000 entries, which occurred over a three-and-a-half-month period, would have been on average around 1 percent or less of the daily entries on these endpoint protection logs, which have tens of thousands of entries every day,” A spokesperson from Niemen Marcus said.
Alerts that may need prompt attention tend to get buried in this alert avalanche, further exacerbating this problem.
- Investigation Time: This too remains a big challenge as logs were designed to monitor system operations, not to monitor for security. Log collection and correlation is a tedious process, which is further complicated by missing and incomplete logs. Finding the blast surface of any breach is quite challenging. Not only do you want to know what got affected, but you also want to what is still safe.
- Resolution Time: Once you are able to identify a breach it is critical to resolve the issue and make all the changes necessary to fix the vulnerabilities that enabled the breach. The customer needs to be sure that the incident is over and the targeted systems are safe.
- Audit and Compliance: This is a necessary evil of doing business. These logs are critical in making sure everyone has a base security posture even though a lot of the rules do not provide any real security.
- Preventative Measures: Firewalls, IDS/IPS, anti-malware, authentication, and other proactive security measures are surely a necessary component of any organization’s protection plane. But repeatedly it has been proven that no amount of protection will stop every possible breach.
- Time to Value: Security tools have become a nightmare to manage. They need constant tuning of rules and policies as applications, users, and endpoints frequently change. The time it takes a tool to be effective and remain effective in light of these changes is key in today’s software-defined and dynamic world.
The issues continue to linger heavily in the air and customers are looking for comprehensive workload security solutions that can tackle most, if not all of these issues. What’s your perspective on these security challenges?