A New, Agile Approach to Security: Cyberesiliency

So, your company has fully internalized the message that businesses need to be more agile. You’ve made the most of cloud-based computing and an agile workforce, and have gotten your employees to think like disruptors. You’re on the road to enabling enterprise Digital Transformation.

There’s just one issue: Security.

It turns out that hackers have already become agile. The attackers have spent the last decade developing an agile business model using an online marketplace that enables them to develop and launch attacks rapidly. A 2016 report from Symantec found that detection of unique malware jumped 36% in 2015 versus the year before. Attacks are becoming more frequent, protection and detection costs are rising, and compliance requirements are growing. There are more products to help, and some even use the same technology that the hackers are using, like cloud and AI. You quickly realize that it’s hard to keep up with these growing threats, which is sapping your internal security team’s resources. What’s your next move?

Step 1: Cloud security

Cyberesiliency is the idea that security should mirror the approach of digitally transformed companies. “Businesses want digital transformation to go further,” said Chris Moyer, DXC Technology’s VP and security CTO. “They like cloud business models, they like variable, pay-as-you-go models to trial and bring new innovation in. They want the same from security.” Moyer said a cyberesilient approach means extending existing systems and perimeter-based models in favor of a model that can scale to address cloud use and uses the same consumption-based business model for security services.

Unfortunately, many businesses in 2017 find that their complexity and scale are increasing and their digital transformation demands are rising, but their security design is locked in the old world of a primarily perimeter-based approach.

Enterprises are using cloud environments for multiple business solutions. Some use them for core infrastructure or even just a specific function like cloud storage. Other enterprises have adopted more comprehensive cloud-based business services for flexibility and rapid change. Such companies might use SaaS for finance and HR, so why not security as well?

These environments need added systems management and security control to avoid key data leaking outside the organization.  Cloud environments also increase the threat surface area that enterprises need to protect.  There are multiple solutions to address identity, data loss prevention and compliance reporting, but many companies do not have the in-house experience to address these needs.

At the same time, securing the enterprise costs more and staff shortages remain a constant issue limiting the ability to deliver cyberesilience to the business.

One solution is to abandon the idea of only an on-premise security team and instead use security-as-a-service. A study from Forrester Research claimed that companies that switch to security-as-a-service would save $1.36 million over a three-year period. The biggest cost savings came from not having to hire a full-time security staff, plus savings from hardware and software licenses. That calculation is prompting a boom in the category; the global cloud security market is expected to hit $12 billion by 2022, up from $4.5 billion in 2014, according to Transparency Market Research.

As the number of threats continues to grow and hackers become more sophisticated, Moyer said there’s no other choice. “The collaboration and exchanges between the bad guys is up,” Moyer said. “They’re connected. They’re using cloud technology and artificial intelligence, so we have to use those technologies and our collective expertise to keep up.”

Step 2: Use a pay-as-you-consume model

Most on-premise and cloud-based security systems are sold on the assumption that your system works 24/7. In reality, your system may only be experiencing large workloads some of the time. A pay-as-you-consume model addresses this disparity. In this case, if a cloud workload only runs three days a week, then you only pay for those three days.

Many companies now realize that consumption-based pricing is a more intelligent approach than flat pricing. Most cloud-based services are priced by GB/month or computing by CPU/hour, for instance. Consumption-based pricing lets companies experiment and scale fast. “Every other technology I’ve seen you’re getting a license and you’re paying for it,” said Alain Espinosa, a Dallas-based security analyst. “It doesn’t matter whether you use it or not, you’re paying for it.” Espinosa noted that in large corporations thousands of devices don’t get used every day and are sitting dormant.

A consumption-based model is a fairly new idea for the security market, but it is widely used elsewhere.

There are other benefits. “It’s very easy to set up,” said Fernando Montenegro, senior analyst for information security for 451 Research, “because you’re not developing the expertise yourself. You’re relying on a vendor that’s able to bring their expertise to you immediately.” Using the cloud and security services, Montenegro said, companies can get access to experts who deal in nothing but a specific domain, like email security. “If you’re talking about threat detection, you’re talking to someone who has access to thousands of potential customers, so you get impact immediately avoiding the learning curve needed for in house delivery,” he said.

Step 3: Lightweight agents

We use lightweight agents all the time. The firmware on your PC is a lightweight agent. So is the software that your carrier puts on your smartphone.  The antivirus software on your PC is a lightweight agent that uses a “white list” and throws out anything that’s not on an approved list of activities.

Typically, companies secure cloud workloads by extending traditional security controls into the cloud. Those controls – including anti-malware, vulnerability scanning, host-based firewalls, host-based intrusion prevention systems (HIPS), configuration compliance, monitoring, file integrity and other approaches – are expensive and require manual labor. That’s the case even though they can be purchased directly from cloud providers via a shopping cart system. But they all require self-management.

Lightweight agents add to the intelligence of typical solutions. By incorporating the very granular information from lightweight agents at the edge of the enterprise, event correlation and incident recognition will improve, protecting digital activities in an enterprise. Such lightweight agents can be deployed on every server instance whether in a public, private or hybrid cloud or in a virtualized data center.

Be careful about the agents you select; it is important to evaluate the agent for features and systems impact via testing.  “The idea of the agents is to not clog up the network with a lot of equipment that’s going to make things run slower and consume more power and all of that equals cost,” said Espinosa. “Be careful of what you install and test them for the impact on your machine.”

The agents inform users of important security events, discover vulnerabilities and configuration issues, and inform you if any workloads have been tampered with. Today the resolution of these incidents still requires manual intervention. But the security industry is automating more, and technology companies are making programmable infrastructure readily available to allow increased automation.

Step 4: Simulated attacks

In addition to automated agents, security organizations should also ensure the staff can recognize and respond to attacks quickly. Attack simulations enable security teams to become stronger every time they encounter an issue, according to Dave Aron, global research director at DXC’s Leading Edge Forum.

Aron noted that attacking yourself from the inside is a powerful way to build antifragility into your defenses: “We are creating new attack surfaces and the bad guys are finding new attack vectors all the time. For example, there is a smartwatch hack that can guess what you are typing from your wrist movements.”

Attack simulations are taking many forms, including white hat hacking, red/blue team competitions and automated disruption software like Netflix’s Chaos Monkey, a general-purpose tool that randomly turns off servers and containers. According to Aron, if the good guys are finding holes in your security, that increases your resiliency. You also have the opportunity to validate response and recovery scenarios that help businesses put resiliency into operating processes.

The combination of highly focused teams, security-as-a-service, consumption pricing, super-lightweight agents and simulation allows for a new approach to security that lets companies fully realize the benefits of moving to the cloud and digitizing their enterprise without exposing themselves to unnecessary risk. For businesses, cyberesilient security is an intelligent option in a dynamic environment in which the threats keep multiplying. To get the most innovation from digital transformation, businesses should look at transforming their security as part of the overall process.
