No matter which IT conference I attend, I always look forward to hearing Cisco Systems Senior Vice President Chris Young speak on security, if he happens to be on the agenda. I’ve heard the former RSA VP and VMware exec speak at past Cisco Live! and RSA conferences and have never been disappointed. Cisco Live! 2013 in Orlando was no different.
Young started off by sharing what he’s heard time and time again from Cisco customers across the globe. From mobility to BYOD to cloud, most businesses are struggling with diverse IT issues. But how to maintain security and compliance while the IT landscape is constantly changing comes up most. He said staying ahead of the IT security threat landscape – or at least trying to keep up with it – is essential. The key is also to handle all the complexity created when we try to manage the combination of those two things.
“We need to manage or reduce the level of complexity and fragmentation in our environment,” Young said. “Complexity leads to cost. Complexity leads to fragmentation, and that’s not good for us from a security model perspective.”
Our complex and fragmented security models can lead to inconsistent enforcement, he said. “It can lead to different types of management, lots of different vendors, isolated threat intelligence. So this is a problem that most of us face.”
How did we get here? It’s due in part to the way network security has evolved over the years. “It’s evolved with the notion that you had a perimeter, and if you are inside the perimeter, you’re trusted. And if you’re outside the perimeter, you’re untrusted,” Young said.
But because more and more people are outside the network now, this perimeter model does not work today.
“In many organizations, you can be on almost any device, accessing any application that can be running in any cloud,” Young said. “That cloud can be your data center, it can be a public cloud, it can be a cloud space that you’re renting from a third party.”
Young called this an end-to-end problem that involves any user on any device anywhere accessing any application. “That’s only going to get more challenging, and one of the themes we’re talking about at this conference this year is the ‘Internet of everything’ because no longer are we just focused on users on a specific device connecting to a set of applications,” he said. “We’re looking at device-to-device communication.”
Modern Day Threats by Savvy Attackers
Young reminisced back to 2003 when IT security pros were focused on very basic attacks like Blaster and Slammer. “It was only ten years back when we were getting phishing emails from guys in Nigeria saying, ‘If you give me $100 today, I’ll give you back $1,000 in two weeks.’ And they were poorly worded, and we could spot those things,” he said. “Think about how far we’ve come where now you’ve got attackers going on LinkedIn, studying your organization and sending very targeted emails to get people to click on a malicious link.”
But for good or bad, we’ve added a lot of different security technologies to the mix, which contributes to the fragmentation dilemma Young mentioned.
“You know, they’re planning, right? They’re out there. They are studying who they want to go after. They’re studying how to go after a user or organization, finding the right way in. Then they watch and exploit,” Young said. “If you read one of the latest data breach reports, you’ll see the various ways in which these guys are finding their way in, whether it’s through targeted e-mail, or getting to users when they’re not behind a certain type of gateway, or behind the firewall.”
Young said once attackers get in and are able to exploit, the malware embeds itself on the right set of hosts, communicates out through a command-and-control server, downloads more malware, and then the attackers move into a section phase. They can spread laterally across your infrastructure, looking for different repositories of information.
“Depending upon what business you’re in, they may attempt to steal information. If you’re a bank, they might be trying to steal money. If you’re a governmental institution, maybe they’re just looking to disrupt,” he said. “It doesn’t matter what their end goal is. The point here is there’s a very sophisticated life cycle with which a lot of our attackers execute a combination of malware and process steps to ultimately achieve their goal.”
Young stressed that this is bad for those of us trying to defend against these attacks because they’re incredibly sophisticated. Luckily they have an attack lifecycle that we know about, and we can use that lifecycle against them in our defense mechanisms.
Defend. Discover. Remediate.
According to Young, it’s important to consider the implications of the security steps we go through.
“If you think about what a lot of us do every day in the security world, we’re kind of doing one of three things, and we could be doing all three things at the same time, but we’re defending, we’re discovering, and, you know, we’re trying to find things that have gotten into our infrastructure, and then we’re remediating,” he said. “Those of us who do it well are doing it fast because you’re quickly able to stop a lot of traffic. You’re able to quickly find things in the infrastructure and quickly remediate against those types of attacks.”
Young said the reality in the marketplace is that most of our dollars and our efforts are traditionally spent on defense but that advanced malware and other types of attacks have moved the industry to more of a discovery-type approach to infrastructure security where we have to do different types of content inspection.
“We have to do more behavioral anomaly detection, advanced forensics types of analysis, so that we’re better able to find attackers that are getting in or are really leveraging the fact that in many cases, the notion of perimeter no longer exists,” he said. “Our assets are distributed, our assets can be anywhere, and so we have to be good at discovery. We can’t just focus on defense because defense isn’t going to be enough to deal with the kinds of attacks that we’re facing.”