Submission By: Tom Gilheany
IT security managers should be asking three questions over and over. Is my security team complete? Can it handle today’s threats, risks, and requirements? And more profoundly, can it handle the threats of tomorrow?
What worked for security yesterday isn’t right for today and certainly not for tomorrow. Today’s threats are different because they arise out of a vastly different system.
The factors affecting security have evolved and grown. The IT architecture supporting our organizations is no longer just three components as it was two decades ago—client, network, and server.
Complexity is one of the biggest changes. In general, the more complex the system, the greater the attack surface. It is much easier now to hide multiprong attacks at different layers and parts of the IT infrastructure. Small, obscure vulnerabilities hiding in different layers can add up to a large, critical vulnerability.
Traditional protection measures, like a perimeter defense approach, are not effective in today’s dynamic virtual systems. In many virtual environments, you cannot easily use traditional security techniques, such as relying on topology, or tapping physical lines.
Indeed, many of the assumptions in traditional security, such as fixed locations, permanence of machines, fixed network architectures, stationary single-device users, and services existing on permanent servers locked in compute centers, are not valid in today’s world of wireless connectivity, software-defined networks, virtual machines, and dynamic resources on demand (some of which are located in a public cloud). As a result, the importance and impact of digitalization technologies on security are more profound than ever.
Digital systems are dynamic. In today’s XaaS environments, it can be tough to track security events. In the old world, if someone were installing a new machine in your computer room, you would see and ask the person who they are and what they are doing. Today’s world may have thousands of virtual machines, moving constantly between cloud data centers, and appearing and disappearing on demand. It can be almost impossible to notice one extra virtual machine that doesn’t belong, and only exists for a few minutes at a time.
Ironically, some systems offer too much visibility. That makes it hard to spot the needle in the haystack, and hard for security personnel to distinguish between merely unusual activity and truly threatening security events.
New Threats, New Adversaries
Automation also introduces additional security risks. Automated controls now have the same permission levels as a system administrator, and they operate at far faster speeds than a human administrator. The integrity of those controls is vital.
In this post-desktop era, employees use their own laptops, cell phones, and tablets. Everything from a doorbell to a camera to an automobile has an embedded system. This greatly expands targets and attack surfaces. Patching and plugging holes across a huge variety of devices, and checking to make sure each type of device (many of them low-powered) is not being compromised, or even used as a pivot point in an attack, lead to late-night worries for you.
Connectivity is another big security issue. In today’s world, everything is always linked via high-speed networks. Every device has an intelligent system embedded in it, often served by dynamic, on-demand services with ever-changing topologies. You have your work cut out for you when it comes to managing the security risks associated with mobile, always-connected people, machines, and devices.
Then there are the external factors impacting your security team needs. One is your adversaries. You no longer face lone attackers working from one location. Many of today’s cyberthieves are loosely organized, dispersed individuals forming brief associations. These groups work together to exploit security holes and monetize the information assets that they steal.
There are also professional cybercriminals, specialists for hire. Some are sponsored by deep-pocketed nation-states, or large organized crime syndicates and paid in hard-to-trace digital currencies, changing the economics of cybercrime. The sharp rise in the underworld market value of information and technology assets is the second external factor.
There is a nonstop arms race between attackers and defenders. To meet changing security needs, the U.S. federal government is moving to a new National Cybersecurity Workforce Framework (NCWF) published by the U.S. Department of Homeland Security. This standard is also being adopted by the NIST National Initiative for Cybersecurity Education (NICE), and the Department of Defense Directive 8140. It establishes seven activity categories and 31 specialty areas within these categories.
The NCWF is best suited for large organizations that can support security departments numbering in the hundreds. It can be overwhelming for smaller businesses or organizations, especially when you remember that many of the job roles must be staffed 24/7. This means you will need more than one person to fill them.
In the second part of this blog series, we explore a simplified security team framework that can help smaller organizations identify which security professionals they need in what roles.
If you have questions or feedback, please join the conversation in the comments below.
Tom Gilheany is Cisco’s Product Manager for Security Training and Certifications. He has a diverse background in startups through multinational Fortune 100 companies. Combining over 20 years of product management and technical marketing positions, and more than a dozen years in IT and Operations, he has conducted nearly 50 product launches in emerging technologies, cybersecurity, and telecommunications. Tom is a Certified Information Systems Security Professional (CISSP), holds an MBA, and is an active board member of the Silicon Valley Product Management Association and Product Camp Silicon Valley.