Infosecurity Europe Reflections: Cloud, Compliance and Changing Threats
By Hugh Njemanze, Chief Technology Officer and Executive Vice President of Research and Development
As the dust settles on the Infosecurity show, three topics dominated discussions: compliance, cloud, and the changing threat landscape.
Starting with compliance, always a key topic at events like this, the discussions ranged from reducing the compliance overhead through better automation to putting that automation to wider use. Compliance can be expensive and resource intensive, and it is often treated as a point-in-time exercise: evidence is gathered for the audit and then goes stale until the next one.
The two key attractions of increased automation are far lower ongoing operational costs and continuous visibility of compliance exposure, both real business benefits.
The technology involved, usually referred to as Security Information and Event Management (SIEM), is now a well-defined and mature category of software, and it always surprises me how many organisations still haven't implemented it.
Those who have are starting to realise that, in addition to security and compliance, these tools have intrinsic value for other parts of the organisation. For example, the network logs we consolidate and analyse could be extremely useful to network managers doing root-cause analysis of network problems.
Today there is often little sharing of tools and information between security operations and IT operations, to the detriment of both.
Cloud was another popular discussion topic as it is everywhere I go these days. It’s not so much about the need to secure the cloud but about how securing it differs, commercially as well as architecturally, from securing in-house datacentres.
We are now beginning to see some large organisations move key parts of their IT operations into an external cloud, and an even higher uptake of third-party cloud services. One area to consider with the former is that cloud platform vendors charge for data transferred across their boundary, outbound traffic in particular, and in the case of SIEM there are potentially large volumes of log data crossing that boundary for processing. In this environment it makes far more sense to deploy the SIEM solution in the cloud alongside the application, so that monitoring and analysis can be performed without transporting raw log data back and forth across the cloud boundary; only the much smaller stream of correlated alerts and summaries needs to leave.
In hosting cloud applications, many SaaS providers use SIEM tools to monitor and protect their service, but typically this information is not directly accessible to the users of that service.
There is a strong argument to allow customers to have access to their slice of monitoring data, perhaps for a fee, so they can assure themselves that their service “container” is adequately monitored and protected.
They may also want to combine this information with the event information coming from their own IT infrastructure and from external cloud platforms, for 360-degree compliance and threat monitoring. This is certainly an area where we need to raise awareness of what is possible and to encourage more joined-up thinking from all parties involved.
And finally let’s move to the threat landscape. While the people I talked to are no strangers to cybercrime, I got the feeling that this is an area where the US may be ahead in terms of thought leadership.
I found myself introducing people to a three-letter acronym that has taken hold over here: APT, or Advanced Persistent Threat. APT attacks differ from earlier generations of cyber attacks in three ways. First, instead of being broad-based, APT attacks are often focused on individual companies or government departments.
Second, the people behind these attacks are intelligent, motivated, well organised and well funded, either by nation states or by organised crime.
Third, and most importantly, they are both persistent and patient. Once inside the organisation's perimeter defences they bide their time, making sure they stay below the radar to avoid detection. The theft of confidential information can happen over many months and can be extremely difficult to detect, precisely because no single day's activity looks abnormal. While this sounds like the stuff of a good espionage novel, it is becoming all too real and requires a rethink in the way we currently do security. It's not that what we are doing today is wrong, it's just no longer adequate.
Unless you have a second line of defence that is able to correlate and analyse the digital fingerprints left behind across all the devices on the network and across a large span of time, APT attacks will go unnoticed until it is too late.
This second line of defence needs to constantly adapt to new threat patterns as they emerge, and requires not only sophisticated technology but an experienced and well-disciplined team of security analysts to do the forensic analysis and remediation. This is also an area where we need to do a better job of sharing advanced threat information between organisations, but I'm afraid that is a topic for another blog.
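To make the "second line of defence" concrete, here is an added example (mine, not ArcSight's product code or anything from the original post) of the kind of correlation it describes. It runs two rules over a constructed, normalised SIEM-style event feed: a conventional per-day volume threshold, and a long-window rule that joins an off-hours VPN login from one device with weeks of small outbound transfers seen by another device to a destination nobody else in the estate talks to. The hosts, users, destination addresses (documentation ranges), byte counts and thresholds are all made up for the illustration.

```python
"""Added example: long-window, cross-device correlation for low-and-slow
data theft. Not ArcSight code; events, hosts and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

DAILY_LIMIT = 50_000_000       # first-line rule: 50 MB/day to one destination
WINDOW_DAYS = 30               # second-line rule looks back this far
WINDOW_LIMIT = 150_000_000     # ...and fires at 150 MB to one destination
RARE_DST_MAX_HOSTS = 2         # destination counts as "rare" if <= 2 hosts use it


def build_sample_events():
    """Constructed feed: VPN logins (vpn-gw-1) and outbound byte counts (proxy-1)."""
    events = []
    day0 = datetime(2011, 5, 1)
    # ws-0412: one 02:13 VPN login, then 9 MB/day for 20 days to a destination
    # no other host contacts. Never breaches the daily limit.
    events.append({"ts": day0 + timedelta(hours=2, minutes=13), "device": "vpn-gw-1",
                   "type": "vpn_login", "host": "ws-0412", "user": "jsmith"})
    for d in range(20):
        events.append({"ts": day0 + timedelta(days=d, hours=11), "device": "proxy-1",
                       "type": "outbound", "host": "ws-0412",
                       "dst": "203.0.113.45", "bytes": 9_000_000})
    # Five hosts send 20 MB/day (more than ws-0412) to a shared, well-known
    # destination after office-hours logins: legitimate bulk traffic.
    for h in range(5):
        host = f"ws-01{h:02d}"
        events.append({"ts": day0 + timedelta(hours=9), "device": "vpn-gw-1",
                       "type": "vpn_login", "host": host, "user": f"user{h}"})
        for d in range(20):
            events.append({"ts": day0 + timedelta(days=d, hours=14), "device": "proxy-1",
                           "type": "outbound", "host": host,
                           "dst": "198.51.100.10", "bytes": 20_000_000})
    return events


def daily_volume_alerts(events, limit=DAILY_LIMIT):
    """First line of defence: flag any (host, dst, day) over the daily limit."""
    per_day = defaultdict(int)
    for e in events:
        if e["type"] == "outbound":
            per_day[(e["host"], e["dst"], e["ts"].date())] += e["bytes"]
    return sorted(k for k, v in per_day.items() if v > limit)


def off_hours(ts):
    return ts.hour < 7 or ts.hour >= 20


def low_and_slow_alerts(events, now, window_days=WINDOW_DAYS):
    """Second line: correlate login and proxy events across a long window.

    Fires when a host has (a) an off-hours VPN login, and (b) cumulative
    outbound volume over the window to a rarely-used destination above
    WINDOW_LIMIT, even though no single day is remarkable."""
    start = now - timedelta(days=window_days)
    window = [e for e in events if start <= e["ts"] <= now]
    volume = defaultdict(int)          # (host, dst) -> bytes over the window
    hosts_per_dst = defaultdict(set)   # dst -> hosts that talked to it
    odd_logins = defaultdict(list)     # host -> off-hours login events
    for e in window:
        if e["type"] == "outbound":
            volume[(e["host"], e["dst"])] += e["bytes"]
            hosts_per_dst[e["dst"]].add(e["host"])
        elif e["type"] == "vpn_login" and off_hours(e["ts"]):
            odd_logins[e["host"]].append(e)
    alerts = []
    for (host, dst), total in volume.items():
        if total < WINDOW_LIMIT or len(hosts_per_dst[dst]) > RARE_DST_MAX_HOSTS:
            continue
        if not odd_logins[host]:
            continue
        alerts.append({"host": host, "dst": dst, "bytes": total,
                       "logins": [l["ts"].isoformat() for l in odd_logins[host]]})
    return alerts


def run_demo():
    """Run both rules over the sample feed as of 26 May 2011."""
    events = build_sample_events()
    return daily_volume_alerts(events), low_and_slow_alerts(events, datetime(2011, 5, 26))


if __name__ == "__main__":
    daily, slow = run_demo()
    print("daily-limit alerts:", daily)
    for a in slow:
        print(f"low-and-slow: {a['host']} -> {a['dst']}, "
              f"{a['bytes'] / 1e6:.0f} MB; off-hours logins {a['logins']}")
```

On the sample feed the daily rule produces nothing, while the long-window rule names ws-0412 and the destination it has been trickling data to, with the off-hours login as supporting evidence. The design point is the one the paragraph makes: both signals are weak on their own and come from different devices, so only a system that keeps months of normalised events from across the estate and joins them can see the pattern.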
Hugh Njemanze is Chief Technology Officer and Executive Vice President of Research and Development at ArcSight