Software-defined networks (SDN), software-defined infrastructures (SDI), and cloud adoption have accelerated an already fast-moving trend: the digitization of modern business. New technologies give businesses tools and abilities they’ve never used before, and many organizations are rushing to digitize.
As companies undergo digital transformation, cybersecurity is becoming a shared responsibility between the CFO, CIO, and CISO in organizations. In early 2018, AT&T interviewed several experts about the new world of security.
Here are some of our favorite pieces of advice:
In the excitement of new technologies and the new opportunities for business applications that come with them, it’s easy for organizations to underestimate the risks that come along with the cloud, according to Theresa Payton, president and CEO of Fortalice Solutions, and Senthil Ramakrishnan, lead principal for Internet of Things (IoT) security at AT&T. Organizations also overestimate their current IT department’s ability to manage these new risks.
Underestimating human vulnerabilities
“What I've seen organizations do is sort of underestimate that migrating to cloud-based infrastructure is such a huge change for the IT security team," Payton says. "Yes, they're going to go to less infrastructure to maintain, but they're going to go to more third-party service level agreements with a different set of risks…Making sure you strike the right balance between risk-versus-reward trade-off and making sure you're bringing the users along on the adoption life cycle are key.
"Security is inherently flawed, because it doesn't account for the user. So as you're doing pilots, if you can do poll surveys of the users, you're going to get a little bit of a feel for what's hard, what's not, what users are concerned about, and where their questions are. If they don't understand [the security process] and they need to get their jobs done, they're actually going to work around security.”
Assuming IT can handle it
“[Organizations] take solutions that they have in place today, and they assume that they will work for new deployments," Ramakrishnan says. "That's a big issue, especially when you're going from IT to Internet of Things (IoT), we see a lot of our enterprise customers making assumptions that their IT solutions will protect them in the IoT space.
"A real-world example is enterprise mobility management. Today, enterprises have a lot of E-lead signaling and M-lead signaling (E&M) to bring your own devices, laptops, tablets, and mobile phones. Those work great in these scenarios, because there's only a certain set of operating systems and hardware that people are bringing in, so it's a controlled environment.
"But a temporary solution is not going to work for IoT, because you can have 20 different types of operating systems that are not supported by the existing E&M solution. So we've had to go out and work with customers to deploy IoT-specific E&M solutions, for example. So trying to move existing solutions and IT into IoT is another big misstep that our customers take.”
According to Kayne McGladrey, director of information security services at Integral Partners, and Troy Hunt, author and regional director for Microsoft, a good IT security solution uses the power of a decentralized network to protect itself.
“An organization can deploy false virtual machines inside of their network and then leave a trail of breadcrumbs that will lead a third-party attacker to those falsified machines," McGladrey says. "The idea here is that, if anybody ever connects to that [virtual] machine, that's bad, because it should never be connected to. It's not a real machine. Nobody knows about it.
"The only way you [can see that machine] is if you, say, fire up [a popular password hacking tool]…and go, ‘Hey, this [machine on the network] has an admin password for this host.’ And that host looks exactly like another host inside of that organization."
“Once a third-party attacker swallows that breadcrumb, logs onto that [virtual] machine with those falsified, compromised credentials...a security analyst team can start evaluating: How did they compromise the network? What else have they done on the network? And at what point do you want to terminate their connection into the network? And that's really a decision point that these tools allow, because they have a lot of good analytical data around how the attack happened.”
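The decoy approach McGladrey describes can be sketched as detection logic; this is an added example, not part of the original article or any vendor's product. The log format, host names, and account names are constructed for illustration: any authentication that touches a decoy host or decoy account raises an alert, and the analyst then pulls everything else that source did.

```python
import re
from collections import defaultdict

# Constructed inventory: hosts and accounts that exist only as decoys (hypothetical names).
DECOY_HOSTS = {"fs-backup02"}
DECOY_ACCOUNTS = {"svc_admin_bkp"}

# Constructed authentication log: time, source IP, target host, account, result.
SAMPLE_LOG = """\
2018-03-01T09:12:03Z src=10.1.4.22 dst=fs-prod01 user=alice result=success
2018-03-01T09:40:10Z src=10.1.7.80 dst=ws-0431 user=bob result=success
2018-03-01T10:02:55Z src=10.1.7.80 dst=fs-prod01 user=bob result=failure
2018-03-01T10:05:41Z src=10.1.7.80 dst=fs-backup02 user=svc_admin_bkp result=success
2018-03-01T10:09:17Z src=10.1.7.80 dst=db-prod03 user=svc_admin_bkp result=failure
2018-03-01T10:30:00Z src=10.1.4.22 dst=mail01 user=alice result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>\w+)$"
)

def parse(log_text):
    """Turn log lines into dicts, skipping lines that do not match the format."""
    matches = (LINE_RE.match(line.strip()) for line in log_text.splitlines())
    return [m.groupdict() for m in matches if m]

def decoy_alerts(events):
    """Nobody legitimate knows the decoys, so any touch is an alert, success or failure."""
    return [e for e in events
            if e["dst"] in DECOY_HOSTS or e["user"] in DECOY_ACCOUNTS]

def source_timeline(events, alerts):
    """For each source that touched a decoy, list all of its activity in time order."""
    sources = {a["src"] for a in alerts}
    timeline = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 strings sort by time
        if e["src"] in sources:
            timeline[e["src"]].append((e["ts"], e["dst"], e["user"], e["result"]))
    return dict(timeline)

if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    for src, rows in source_timeline(evts, decoy_alerts(evts)).items():
        print(f"decoy touched by {src}; full activity from that source:")
        for row in rows:
            print("  ", *row)
```

The timeline includes the source's activity before the decoy was touched, which is what lets the analyst team work backward to how the network was compromised.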
Full network visibility
“The obvious thing is that with greater visibility, you have a much better understanding about not only how your network is structured, but what's flowing between it," Hunt says. "You would hope, particularly in some of these globally distributed organizations, that having one centralized yield of how [you’re] structured and how data is moving should give you a much better overview.
"It may well be that that's the sort of thing that gives you early indicators of odd patterns as well. If you can identify that Bob in marketing in Sydney has suddenly started to pull down quite a lot of data from the sales drive in Singapore — and we can do that because we can look at traffic flow in ways we couldn't before — that may give you important information about that employee.”
In order to get the most out of a new, powerful, protected network, entire organizations need to work together to make better security processes a fact of daily life.
Security doesn’t end with the IT department, because every part of every company has some network connection, according to Bob Gourley, author of The Cyber Threat, Chuck Brooks, Adjunct Faculty, Georgetown University, Graduate Applied Intelligence Program (Risk Management), and McGladrey. Cybersecurity has to become a cultural expectation, or it won’t work.
Cybersecurity belongs to everyone
“A lot of the mistakes being made are assuming that cybersecurity is just the role of the IT department, when increasingly it's a digital risk matter where business leaders need to understand they play a very important role in mitigating digital risk and improving cybersecurity," Gourley says. "It's about business operations these days, so a big mistake is to think ‘I have a CISO, and that CISO takes care of my cybersecurity for me.’”
Security comes from policy as much as technology
“Every element of company operations has a cyber aspect," Brooks says. "It's not just the technical. It's the policies....So it's really important to have that working relationship across the organization, and that'd be the recommendation I'd make to any C-suite. If you don't have your CSO and CIO and CTO involved directly with the leadership of the company — or agency if you're in government — then you're going to run into issues.”
Cultural problems transcend environments
“Administrative passwords — they're sort of interesting," McGladrey says. "If you can get an application’s password, that's what got us to the Panama Papers a few years ago, where the third-party attacker was able to compromise the WordPress password, which, because of poor password storage technologies, happened to be the same as their database password.
"All of a sudden we got — three terabytes or something like that; it was something absurd — of exfiltrated client data. The prime minister of Iceland got in a little bit of trouble about that, as well as people like Jackie Chan, all because the organization didn't have a good mentality around rotating the passwords that were associated with apps. That problem transitions. It's not a technology problem. It's a cultural problem. And it transitions, regardless of environment.”
Management may have a hard time adapting to the new realities that social media and globalized networks bring to everyone, large and small.
Once you understand the dangers you face, you can start to deal with the problem, say Greg Hill, assistant vice president for emerging security solutions at AT&T, and Kevin L. Jackson, CEO and founder of GovCloud Network.
Everyone is a target
“The common thing that we hear is ‘Why would I be a target? I'm nobody. I'm a small company in any given state,’" Hill says. "What we have to inform them about is, no, you're not a target, but the nature of today's threats actually can traverse the internet, looking for open doors where there's no security in place. They're not looking for you in particular, they just might be a self-perpetuating worm who may eventually get to you. When your door is open, cyberattacks can walk right in.”
It’s not your cloud
“You need to have security baked into your applications," Jackson says. "But what's more important is that you have to understand the target environment the application's going to run in. Because you don't own the infrastructure anymore.
"You're using a cloud infrastructure or a commodity infrastructure; they're a shared security model. Some of the security controls are the responsibility of the infrastructure provider, while others are the responsibility of the enterprise, the organization. And the shared security model is also misunderstood and mismanaged when organizations are leveraging these new technologies.”
Managing it all
Just like any new challenge facing an organization, success in cybersecurity reforms demands caution and engagement from the highest levels. Gathering data isn’t enough, say Steve G. Roderick, director of technology security at AT&T, and Tom Aufiero, vice president of e-business solutions at AT&T, but it is also important not to try to do too much at once.
Test and verify
“Penetration testing within an organization helps to identify vulnerabilities," Roderick says. "AT&T does a really good job with regards to penetration testing.
"The methodology is the determination of the scope, testing objectives, targeted information, gathering and reconnaissance, identification, and exploitation of weaknesses to gain and escalate access. Then, demonstrate completion of the testing objective, and clean up and report. Why undergo a security test? The primary goal of the vulnerability assessment is to identify those vulnerabilities that may be present within an environment.
"The intent is to remediate the identified issues to an acceptable risk level. The expected outcomes from a vulnerability assessment should include a technical report highlighting discovered vulnerabilities, assigned risk ratings, recommended remediation activities, and the report should also be accompanied by an executive summary to translate the results of the test into business-focused objectives.”
Stick with it
“I think there is a problem with trying to transform too much," Aufiero says. "Pick a region, and pick a set of applications. Really understand the performance benefits and the cost benefits.
"Sometimes customers analyze so much on a global basis that they never move quickly enough to begin to see all the automation benefits, and ROI benefits, that an SDN has to offer. They try to bite off more than they can handle. Pick an application, pick a region, pick a set of customers, and deploy it, and really begin to realize the benefits.”
To read more from these experts and others about how to manage cyber risk as you transform your business, read the latest AT&T cybersecurity report: Cybersecurity for today’s digital world.