Vulnerability assessment is an intrinsic component for CISOs and their security posture. But the ‘not-so-fast’ adoption of technology often results in hackers exploiting vulnerabilities - known and unknown across companies. CSO India spoke to Richard Bussiere, Technical Director APAC at Tenable Network Security on current trends like DevOps and containers, IoT, mobile security and why vulnerability assessment is now mandatory for CISOs.
Excerpts from the interview.
How difficult is it for a technical director of a security OEM company to secure end-organizations? What are the recent trends?
There is an increased emphasis towards measuring security infrastructure and analyzing the effectiveness of solutions deployed. Several companies have made significant investments on technologies like APT protection, but whether it has done them any good is questionable. We see that breaches continue to occur at an unprecedented rate, which means that weakness in the security posture still exists.
Another major trend in the past five years has been the dissolution of the network perimeter. And there is an overwhelming push to cloud-based infrastructure, or pushing datacenters to cloud, be it PaaS or SaaS. Tenable has embraced these trends and adjusted business models to solve customers’ IT infrastructure pain points.
I have noticed several companies work on knee-jerk reactions as they continue to buy point solutions. But one needs to analyze every dimension from every perspective, to know whether that investment makes sense.
Point solutions from a single vendor or multiple security vendors barely talk to each other inside a company’s infrastructure.
Multiple vendors will always be the norm. Even companies with complete integrated solutions have acquired different companies, but that integration is inconsistent. Tenable allows multiple vendor solutions to integrate into its technologies in a simplistic and ‘easy to use’ method. We understand that standing all by ourselves will not aid us in executing the job effectively, for example vulnerability threat management. We need to leverage as many data points from the ecosystem as possible.
Tenable allows multiple vendor solutions to integrate into its technologies in a simplistic and ‘easy to use’ method.
Third party solutions need not be from the same vendor, just as long as that vendor has industry’s support integration standards. Our focus is to introduce clearly defined APIs for our technologies and ‘easy-to-use’ SDK to encourage third party integration. It allows us to leverage data to deliver a better perspective of threat and vulnerability overview for the organizations.
With network perimeter getting blurred in the modern world, can CISOs overcome the dilemma of choosing between network security and end point security?
No technology will ever replace another technology completely. We will continue to live in a hybrid world for a very long time. Some workloads and apps are being pushed to cloud. Many organizations across APAC are resistant to embrace cloud completely but that trend will dissolve over time. End point becomes more important in the overall security architecture as the network reference in reality ends on that particular device.
At Tenable, we use different types of SaaS. We are less reliant on our internal datacenter, with some key crown jewels still maintained in-house. We strongly believe that our customers should have the choice as we support both traditional on premise solutions as well as cloud-based solutions. That gives us a big advantage over other companies in that space.
Are security leaders acknowledging the importance of vulnerability assessment as a ‘must have’ for their organization?
The is a wide variation in the adoption of this technology - with Australia as a leader in vulnerability assessment and countries like Singapore at a close second. India is serious about compliance, however, there is still a tendency to do things manually than using an automated process for a better result. The trend to adopt VA is on the rise across most countries. But sensitization of customer towards the benefits of an automated approach than a silo manual one needs more acceleration. Some IT leaders tend to take more risks as they think ‘it does not hurt me till it hits me’ which is not the right approach.
But not being serious about conducting vulnerability assessment might favor the hackers to target those organizations.
That’s true. Vulnerability assessment must be done as a continuous process. But there are lots of gaps because most security executives are not aware of everything that exists in their environment. For example, Operation Tropic Trooper was a series of attacks on Philippines and Taiwan that specifically targeted Microsoft Office 2003 by exploiting vulnerabilities that were three-to-five years old. It’s a classic example of not knowing what lies in your infrastructure and how those vulnerabilities can be exploited.
The customers should have the choice for traditional on premise solutions as well as cloud-based solutions.
Today’s attackers are not going after perimeter but after end points. Suspicious email or communication laden with vulnerability gets clicked by an unaware user, which then passes across the company’s security perimeter. Mobile devices are another big problem as they are no longer guaranteed to stay within the safety zone and they can be infected outside the company’s perimeter. Hence, the end point becomes the focal point of security.
What are the best practices for companies and their CISOs to future-proof their security architecture?
CISOs should treat vulnerability assessment primarily as a foundational technology. They need to execute it as a continuous process, as the days of vulnerability assessment or compliance done quarterly are over. Today’s IT infra is a living breathing space with the addition of technologies like DevOps, agile software development. This increases the probability of misconfiguration or introducing a vulnerability to almost hundred percent.
They should embrace the introduction of DevOps technologies, particularly containerization. Containers has serious security implications but many organizations are not aware of the existence of these technologies which is a very scary situation.
Another trend Tenable is embracing is the fact that customers need to measure and analyze these technologies. It changes the model of not performing vulnerability assessment on running machine containers but on the image because container life cycle is short-lived and not constant.
Does compliance and regulation in some verticals boost the acceptance of vulnerability assessment tools? What about dangers of IoT in the future?
Compliance and vulnerability assessment are intimately entwined. You can have no vulnerabilities and not be complaint but be very much at risk. Conversely, you can be very compliant, have millions of vulnerabilities and of course be still at risk. They are like peanut butter and jelly that co-exist.
The primary verticals for Tenable are BFSI, manufacturing, healthcare. Industrial control systems is another critical area and we are providing tools to understand the vulnerable index of customer’s ICS. Issuing commands in ICS like turn off substation, heat the furnace becomes quite serious because it affects human life.
Companies should be able to discover IoT devices in any environment – inside and outside. Franky, the commitment to these devices is weak. This is because several IoT manufacturers don’t have long term plans and ability to issue regular patches like a robust OS provided by Oracle, Microsoft, Apple, among others. Security executives often wake up at night in the fear of IoT based attacks and privacy issues that might affect their IT infra due to these devices. IoT attacks (Mirai Malware) in October 2016 were executed through the connected cameras’ default passwords. Tenable identifies these kinds of threats and even passively looks for them in the network by analyzing the traffic flow.
What would be the key priorities for Tenable Network Security in 2017?
One of the fundamental priorities will be to embrace cloud and to provide the customers tools to assess risk that cloud environment brings - be it SaaS, IaaS or PaaS. There will be more focus on understanding threat position not only from the vulnerability perspective, but also analyzing threats that might exist within the network. There will be more emphasis on identifying early vulnerabilities in misconfiguration along with identifying systems that have been breached.
Tenable is enabling CISOs to proactively analyze the vulnerabilities and to mitigate the risks exposed in their infra and also the active devices blocking it. The proliferation of end points means that they have to be properly configured and you can only do that with technologies like Tenable.
What are the pitfalls CISOs need to avoid on their security blueprint and why?
Do not be complacent that your company cannot get breached. Ensure that the vulnerability assessment process is taking place continuously and invest in an automation process.
Importantly, CISOs should not make security investments foolishly. The ability to make intelligent decisions to spend on security rests on the amount of intelligence available in the company’s environment. Understand the risks your environment is exposed to and effectively spend the dollars on security solutions to mitigate the real risk and not perceived risks. In order to have sensible investments in additional security technologies, as opposed to knee-jerk reaction, the companies need a good tool set and an awful lot of data that Tenable can provide on a continuous basis.
Bussiere’s 7 Mantras for CISOs
1. Treat vulnerability assessment as the foundational technology.
2. Embrace the introduction of DevOps particularly containerization.
3. Discover IoT devices and its related privacy issues for your IT infra.
4. Reap benefits of an automated approach than a silo manual one.
5. Sync the company’s departments especially security with DevOps team.
6. Configure the end points properly as they become focal point of attacks.
7. Spend on security solutions to mitigate the real risks and not perceived ones.