Security, like most aspects of IT infrastructure, has historically been a siloed function. Focused on protecting data, applications, network connections and, with the advent of BYOD (bring your own device) policies, network endpoints, it is a practice that for most companies evolved reactively: each new technology was acquired and implemented in response to a specific need.
It is not uncommon for a medium-to-large company to have 50 or more different security technologies in place. While fiscally inefficient, this approach has been somewhat effective up to this point in dealing with the types of attacks launched against such companies.
The threat landscape is changing more rapidly than ever, forcing businesses to shift to a more forward-thinking security model. Attackers constantly change their focus, their methods and their targets, and the need to address them effectively has never been greater. That calls for a proactive approach and an overarching security plan.
Cybercriminals, emboldened by jurisdictional issues and anonymity, today have greater expertise and more resources at their disposal than ever before. The internet puts everyone one mouse click away from these bad actors, and some observers comment that they seem bolder and more aggressive than ever. As a result, we are seeing an increase not only in the number of threats, but also in the complexity of attacks and the severity of the damage they inflict.
Fortunately, companies are noticing this change in the security landscape and are taking steps to address it. A recent study conducted by IDG Research Services and commissioned by IT services and solutions company Datalink polled more than 100 IT executives at large U.S. companies. When asked for their companies’ top five considerations on where to invest IT dollars, respondents most frequently mentioned improving IT security, and most of them (75%) also indicated that security is a more important issue than it was two years ago.
Clearly, companies that don’t want to fall victim to cyberattacks need to craft and implement a comprehensive IT security strategy that ensures the confidentiality, integrity and availability of their data. However, the dozens of legacy security technologies they must contend with make this a significant challenge. Adding to the difficulty is a worldwide cybersecurity workforce shortage estimated by Cybersecurity Ventures to reach 1.5 million by 2019. The same shortage shows up inside organizations: IT security is becoming a specialization, and the members of this typically small group are asked to shoulder a major burden with limited resources.
A paradigm shift: the new security perimeter
Of course, creating a security perimeter around the data center is more easily said than done. The “perimeter” that was easy to identify five years ago becomes more nebulous with each new advance in network technology and topology. Cloud computing, hybrid cloud and elastic networks all make it much harder to determine where your company ends and the rest of cyberspace begins, and the growing complexity of business relationships with partners, vendors and service providers compounds the problem. All things considered, it is a significant challenge, but it can be done.
Rethinking data center design
If one thing is clear about the surge in cybercrime in recent years, it is that combating it will require changes at the foundational level. Visibility into the transactions taking place across the network is the key to better security. Unfortunately, the way infrastructure is typically segmented today makes it very difficult to track a system request and the ultimate destination of the data it returns.
In rethinking the way their data center operates, organizations must consider a number of critical questions:
Where will monitoring take place? Where information is gathered matters, because addresses change along the path: NAT gateways, load balancers and proxies rewrite source and destination addresses, so a record taken at one point may not identify the host that actually originated the traffic. If you look only at ingress and egress points, you will also miss the east/west interactions between applications that reside on the server infrastructure entirely.
What devices and events should be monitored for maximum effect? Application level? System level? User level? All of these? None of these? The “right” answer depends on the business and on the sensitivity of the data flowing through the “veins” of the infrastructure.
What security capabilities are required from the technology? Does the organization need log information, packet capture and external threat intelligence? Does it have the ability to collect, store, process and correlate that information, and to retain it long enough to investigate an incident that is only discovered weeks after the fact?
How are alerts processed? Everyone must be on the same page about how issues are triaged, escalated and remediated, and about who owns each of those steps.
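To make the first of these questions concrete, here is an added example in Python (not code from the article or from Datalink) that models the same traffic as seen from three collection points: a collector on the server virtual switch, the NAT gateway’s translation log, and a tap on the internet-facing link. Every address, port and flow record is constructed sample data; the RFC 1918 prefixes plus one constructed public range stand in for the company’s own address space. The code classifies each record as ingress, egress or east/west, shows that the edge tap never records the east/west database connection at all, and shows that the edge record of the outbound flow carries the NAT address until it is joined back against the translation log.

```python
# Added example, not code from the article or from Datalink. All addresses,
# ports and flow records below are constructed sample data; 198.51.100.0/24,
# 203.0.113.0/24 and 192.0.2.0/24 are RFC 5737 documentation ranges.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Address space we consider "ours": RFC 1918 internal prefixes plus the
# (constructed) public range the NAT gateway and load balancer advertise.
OUR_PREFIXES = [ip_network("10.0.0.0/8"),
                ip_network("172.16.0.0/12"),
                ip_network("192.168.0.0/16"),
                ip_network("198.51.100.0/24")]


def is_ours(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in OUR_PREFIXES)


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    sensor: str  # where the record was collected


def direction(f: Flow) -> str:
    """Classify a flow relative to our address space."""
    s, d = is_ours(f.src), is_ours(f.dst)
    if s and d:
        return "east-west"
    if s:
        return "egress"
    if d:
        return "ingress"
    return "transit"


def key(f: Flow):
    # The sensor is deliberately excluded so that the same flow seen at two
    # collection points compares equal.
    return (f.src, f.sport, f.dst, f.dport)


# Constructed records, as three collection points would each see them.
HOST_FLOWS = [  # collector on the server virtual switch, before NAT
    Flow("10.0.1.20", 51000, "203.0.113.8", 443, "vswitch"),  # web tier calling an external API
    Flow("10.0.1.20", 51001, "10.0.2.30", 5432, "vswitch"),   # web tier -> database, never leaves the DC
]
EDGE_FLOWS = [  # tap on the internet-facing link, after NAT
    Flow("198.51.100.5", 40001, "203.0.113.8", 443, "edge-tap"),
    Flow("192.0.2.77", 33000, "198.51.100.5", 443, "edge-tap"),  # internet client hitting the public VIP
]
# NAT gateway translation log: (public ip, public port) -> (inside ip, inside port)
NAT_TABLE = {("198.51.100.5", 40001): ("10.0.1.20", 51000)}


def east_west(flows):
    return [f for f in flows if direction(f) == "east-west"]


def unnat(flows, nat_table):
    """Rewrite post-NAT source addresses back to the originating inside host."""
    out = []
    for f in flows:
        inside = nat_table.get((f.src, f.sport))
        if inside is not None:
            f = replace(f, src=inside[0], sport=inside[1])
        out.append(f)
    return out


def compare_views(host_flows, edge_flows, nat_table):
    """Split host-layer flows into those the edge also recorded (after un-NAT) and those it missed."""
    edge_keys = {key(f) for f in unnat(edge_flows, nat_table)}
    seen = [f for f in host_flows if key(f) in edge_keys]
    missed = [f for f in host_flows if key(f) not in edge_keys]
    return seen, missed


if __name__ == "__main__":
    print("east/west flows visible at the edge tap:", len(east_west(EDGE_FLOWS)))
    print("east/west flows visible at the vswitch: ", len(east_west(HOST_FLOWS)))
    seen, missed = compare_views(HOST_FLOWS, EDGE_FLOWS, NAT_TABLE)
    for f in missed:
        print("missed at edge:", direction(f), key(f))
    seen_raw, _ = compare_views(HOST_FLOWS, EDGE_FLOWS, {})
    print("host flows matched at edge without the NAT log:", len(seen_raw))
```

Two things fall out of running it. Without the translation log, none of the host-layer flows match anything the edge tap recorded, because the outbound connection appears at the edge with the gateway’s public address and port; with the log joined in, the outbound flow matches but the web-tier-to-database flow still has no edge counterpart, because it never crossed the link the tap sits on. The same join is needed wherever a load balancer or proxy rewrites addresses along the path, and it only works if that device actually exports its translation records.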
The answers are different for every organization. A “one size fits all” approach definitely does not work for cybersecurity. Instead, a company’s strategy must be tailored to its business objectives, its risk tolerance and its capabilities. That is why organizations should consider getting assistance in crafting a comprehensive plan.
Replacing outdated perceptions
There was a time when, for security technology to do its job, it had to slow network traffic to a crawl. Consequently, companies had to choose between being well defended and being productive. Since productivity pays the bills, it often won out. The perception that security functionality will put a stranglehold on data flow and application performance persists today.
In order to get buy-in on security initiatives, IT must make it clear to the business that new technology is powerful, fast and accurate: it can inspect incoming traffic quickly, detect and deal with suspicious requests, and allow the rest to pass freely. The most convincing way to make that case is with throughput and latency figures from a pilot on the organization’s own traffic rather than with vendor claims.
Another misperception is that disparate security technologies cannot be brought together into a cohesive plan. The best systems today have open APIs (application programming interfaces) that simplify integration with other technology.
It’s clear that the next-generation data center must have the security of information architected into the design and not treated as an afterthought. But for data security to be truly effective, a company’s strategy must address people, processes and technology.
People are and will remain the weakest link. When implementing new technology, companies must ensure that the personnel tasked with supporting it are properly trained and comfortable with their responsibilities. Similarly, processes must be reviewed and augmented to make proper use of new capabilities and functionality. Too often, organizations acquire and deploy the latest technology and then never use its capabilities to the fullest. This is akin to buying a premium automobile loaded with options and then not bothering to learn how the options work. Defining and measuring success with metrics is critical.
Engaging business stakeholders early and often during security technology evaluation and selection is important in building support and acceptance for the technology. Assurance that appropriate policy is in place is also crucial. Executive leadership must know how their security directives are being translated into protective action, so cross-linking the technology solutions back to organizational policy and standards is imperative.
Redrawing the security perimeter, taking a new approach to data center design, training personnel and updating processes to account for new security technology are all significant challenges, and they are only the beginning. Staying ahead of cybercriminals requires collaboration among IT security experts who share their experience and expertise with their peers. The more quickly information, both on trends and on specific types of threats, can be collected, digested and shared, the faster measures to deal with them can be implemented and the more effective IT will be in preventing any negative impact on the business.
Mike Sprunger is the Senior Manager of Security Services at Datalink where he helps mid and large-size organizations define security strategies, processes, and technologies to protect systems, infrastructure, and data assets. His experience spans security program development, as well as management of incidents spanning security operations, executive security, and ITIL.