Re-thinking IT Security
“This is why high walls and deep moats do not guarantee security, while strong armor and effective weapons do not guarantee strength. If opponents want to hold firm, attack where they are unprepared; if opponents want to establish a battlefront, appear where they do not expect you.” – Sun Tzu
Recently I was invited to speak to a group of Chief Information Security Officers (CISOs) regarding how to work with their Boards of Directors on addressing security. Now, those of you that know me know that I’m not a security expert, so I spent a fair amount of time reviewing a lot of the current thinking about how to address the growing security conundrum. What I came away with from my research is that a lot of the conventional wisdom seems to not be able to address the increasing challenges that are associated with the growing dynamism and scale associated with today’s complex IT environments.
It’s an Asymmetric Problem
The asymmetry with regards to security has two primary contexts, an economic one related to costs and a technology orientation related to the breadth of the potential attack surface. With regards to the economics, one estimate that I came across was that the cost to US-based defenders (in terms of losses plus costs associated with technology security) was around $400 billion per year while the costs to the attacker summed to a little over a billion for a ratio of approximately 400:1 (see https://www.netswitch.net/attacker-defender-dynamics-asymmetrical-economics/). Even if these figures are wildly off base, however, I think that few would disagree that the attacker certainly has the economic cost advantage in the security realm given that the knowledge as well as the source code to create malware is easily available on the web.
With respect to the attack surface, enterprise defenders have to potentially protect hundreds if not thousands of infrastructure and application ingress (and egress) points. And somewhat like the case with national missile defense, the defender has to be “perfect” while the attacker just needs to get “lucky.” While thankfully there isn’t a generic mode of malware that can attack all of these locations concurrently, again, the sheer number of places where potentially some form of security point of presence should be installed continues to increase especially as enterprises move to microservices and serverless-based application architectures. Beyond just a scale problem, however, these newer application environments also are increasingly ephemeral making the potential implementation of security even that much harder. Thus, an attacker often has an advantage in that they can continue to inexpensively probe an environment seeking the one infrastructure or application component that may have been overlooked in terms of add-on security protection.
Speed is Your Friend
The Sun Tzu quotation above is I think an appropriate reminder that even 2500 years ago there were known limitations with the building of static defenses. Instead of castles and moats, however, in the security industry we have the concept of layered security systems (see Gartner’s Market Guide for Cloud Workload Protection Platforms). And while this approach does have merit (if for no other reason it meets many audit requirements), it assumes that among all of the potential ingress and egress points that we can predict where an attack will occur – the same problem that befell the architects of the French Maginot Line. What is needed is an approach to security that is flexible yet can become “hard” very quickly somewhat akin to what occurs with non-Newtonian fluids.
I’m not going to be disingenuous and suggest to you that there is only one way to solve the security problem, but I do believe that speed is certainly one “tool” to use to our, i.e., the enterprise’s, advantage. What do I mean by this? I suggest that we emphasize:
- Mean time to detect
- Mean time to deploy (repair)
Using products such as VMware’s Wavefront or vRealize Log Insight, enterprises increasingly have the ability to identify potential threats. Wavefront by VMware presents an interesting opportunity to enterprise clients as it has not historically been used in a security context, but as its highly scalable data processing model is independent of the data source, it can be used to quickly spot anomalous trends that may be indicative of an attack.
Detection though is only one part of the security process. Once you’ve detected a threat, what do you then do? Here’s where a software-defined data center (SDDC) approach becomes critical. Because an SDDC represents infrastructure-as-code, enterprises can quickly react to a threat by recovering to a known state either on-premise or in the cloud. With respect to the latter, this demo shows the complete deployment of an SDDC (including NSX) on AWS within a little over 90 minutes (note: uploading of data and applications will of course require additional time).
Figure 1. VMware IaaS template.
VMware’s ability to quickly respond to an event doesn’t end though at the SDDC boundary. Capabilities found within, for example, our newly announced AppDefense technology (as well as NSX) enable programmable/automated updates to provide quick responses to potentially malicious activities that have been detected.
Finally, as the saying goes, practice makes perfect. I strongly encourage enterprise security and operations teams to adopt a “Chaos Monkey” approach to security. In other words, practice responding to threats daily so that the organizational response becomes something akin to “muscle memory.” While I have not personally used the technology, “Infection Monkey” by a company called Guardicore would seem to be an example of a controlled failure injection approach oriented towards security.
From Speed to Scope
At first glance, the security problem seems unsolvable given the multitude of threats. However, this assumes that we buy into the conventional wisdom with regards to how to address these threats. At VMware, we are challenging the status quo by looking at the scope of the problem within 2 contexts, i.e., the technology scope as well as the problem scope.
Scope from a technology perspective is focused on dealing with the potential attack surface area. If we can dynamically change the pathways or access mechanisms through which to communicate to a VM or application, then we can reduce the potential attack vectors. Best of all, of course, is that this can be done dynamically via AppDefence and NSX. With respect to NSX, microsegmentation is the means by which we can assert least privilege from a network perspective. I liken this to those “road zippers” that you might observe on a freeway who can shift the barriers to either expand or constrict traffic lanes on a roadway.
The problem scope is focused on changing what to look for. What I mean is that many products – especially those in the antivirus category look for “bad,” i.e., they seek to identify those signatures indicating a hostile threat. Unfortunately given the number of threats, this can be a compute intensive process (like looking for a needle in the proverbial haystack) and if this is the first manifestation of the threat, there is no known fingerprint and thus how to best respond is unclear.
Figure 2. AppDefense scope detection.
Knowing the intended state can be difficult, however, at VMware we help to lessen the ordeal through several mechanisms including the leveraging of configuration-related directives from companies such as Puppet.
Epistemology (thanks to @wickett for his leading me to this term) is the study of how knowledge and belief systems are developed. Much of the current security realm of best practices were not designed to deal with the explosion of hostile threats to the health of an enterprise. While focusing on preventative activities and the deployment of hierarchical security systems were helpful in an earlier era, they may be less effect given today’s businesses needing speed and agility. This means that we can’t slow down the business just to protect it because being late to market can have the same economic effect as that of a malicious exploit. Hence IT organizations need to place at least as much emphasis on detecting and responding to threats – and practicing this on a daily basis.