Americas

  • United States

Asia

Oceania

philipquade
Contributor

The future: it ain’t what it used to be

Opinion
Feb 06, 20186 mins
CybercrimeData and Information SecurityData Breach

The problem with the future—as baseball legend Yogi Berra, the founders of the internet and any CISO or CTO can assure you—is that, increasingly, it ain’t what it used to be.

businessman looking through binoculars future vision prediction
Credit: Thinkstock

For those of us in the field of cybersecurity, where the utopian dreams of the early internet collide with the realities of increasingly serious levels of crime and threat, the future can at times look especially treacherous. As public and private organizations alike scramble to remain ahead of those who would compromise their information, one thing is certain: You can’t prevent tomorrow’s attacks with yesterday’s security strategy and technologies.

It seems common sense, but in the increasingly complex labyrinth of connectivity that is intensified by wireless, mobility and multi-cloud networks, it is easy to get spun in different directions. This is no indictment of cybersecurity decision makers, either. You only have to be a little bit slow to quickly fall behind.

Regardless of intent, organizations that are using dated security practices are at risk of becoming “trophy compromises” by criminals and nation-states every day. At the same time, more and more security leaders have come to accept a specific reality to being connected to the internet: No matter what you do, chances are, you will be compromised.

There is a silver lining, though. Those four simple words—you will be compromised—have a powerful way of inspiring a strategic pivot to a security strategy much more in line with today’s demands. If we begin with some degree of compromise as a given, it forces us to stop over-optimizing time, resources and efforts on the impossibility of perfection—at great cost and much less security. Instead, we intuitively begin asking the key question to effective security strategy.

If our systems are bound to be breached, how can we design them to limit the breadth, depth, severity and scope of the damage?

If we ignore this critical question and build strategy around its sound answer, we fall into two painful traps: the fool’s errand of trying to prevent all compromise or a state of denial that deludes many into thinking that it won’t happen to them.

Business leaders can abandon these mindsets of their own accord now, or they can wait for an attack to force them to discard them. Both, though, are nimbly avoided with the kind of consequence-based engineering that designs systems and networks with inherent protections and fail-safes that limit the potential severity of an attack. This approach also makes an organization a much less desirable target for threat actors and creates the greater levels of network dexterity that can drive significant business opportunities.

There are two key best practices that reflect and reap the benefits of this approach to cybersecurity: segmentation and access control.

Segmentation flows from the simple understanding that the network boundary, as we’ve known it for the internet’s first 40 years, is on its deathbed. The strategy of as recently as a decade ago—to build a really high wall around our digital infrastructures and defend it like Monty Python’s belligerent French knights—was quickly decimated by the proliferation of mobile devices (remember all those BYOD op-eds we used to read?), and more so by use of the cloud and the intricacies of the Internet of Things.

The solution is segmentation: Rather than one wall around everything, segmentation allows separate but aligned macro- and micro-segments throughout the network. It is a far more effective security strategy that assumes inevitable attack while making great strides in minimizing access to sensitive, proprietary and mission-critical data when the attack occurs. Even if an organization’s first line of defense is breached, there are limitations to the volume/value to snatch once inside.

And segmentation now has an offshoot—agile segmentation—that may allow security professionals to finally achieve the nirvana we have sought for so long. Namely, security valued as a business enabler, allowing an organization to do things, such as form a business-to-business data sharing coalition, that they would never have dreamed feasible without agile micro- and micro-segmentation techniques.

With a cybersecurity strategy that focuses on network segments rather than perimeters, organizations are then able to add another powerful best practice: access control.  Unfortunately, the complexities of granular access control make it a practice that is often poorly implemented.

Without access control, managers and C-suite leaders historically had little choice when someone needed access to data. The answer was either no or yes—which granted them access not only to the information they needed for their task at hand but also to some of the most sensitive and important information in an organization’s network.

Segmentation and access control can now be aligned and deployed to not only protect this information but also drive much greater teamwork. Mobile users or remote employees can be allowed to use some datasets but not others, or at certain times and not others. But across the network, managers can also designate internal teams with different points of access to come together to leverage their knowledge and expertise of this data to create stronger business results through collaboration.

When a project or initiative is complete, the permissions can be changed. If a breach occurs, it is much easier to protect a smaller data footprint and to then limit the areas and scope of the investigation, minimizing suspicion and wasted resources. All of which protects innocent employees while also improving security.

Like all effective strategy, the principles of segmentation and access control augment and work in alignment with today’s technology rather than fight against it.  Importantly, smart use of the cloud is critically dependent on state-of-the-art firewall techniques for exactly this type of activity—for users to pop up a data set and take it down just as easily.

This means that even organizations that have been lagging behind on security best practices can quickly harness the flow of today’s best technologies. Rather than fighting against them—or worse, allowing innovations to make them less secure rather than more—they stand to benefit from them, often in more ways than just significantly improved cybersecurity.

In my experience, agile micro- and micro-segmentation are hallmarks of sound security solutions; they create a halo of opportunity across the business by savvy deployment of data and data protection alike. With a slight pivot in perspective and strategy, organizations will not have to live with nearly the usual high levels of stress of knowing that, at any moment, they will be forced to fight to defend their most valuable resources. Because they will have accounted for tomorrow’s attack long before it occurs—and will have already engineered out the worst consequences with savvy and effective network segmentation.

philipquade
Contributor

Phil Quade serves as Fortinet’s Chief Information Security Officer and brings more than three decades of cybersecurity and networking experience working across foreign, government and commercial industry sectors at the National Security Agency (NSA) and U.S. Senate. Phil has responsibility for Fortinet's information security, leads strategy and expansion of Fortinet's Federal and Critical Infrastructure business, and serves as a strategic consultant to Fortinet's C-Level enterprise customers.

Prior to Fortinet, Phil was the NSA Director's Special Assistant for Cyber and Chief of the NSA Cyber Task Force, with responsibility for the White House relationship in Cyber. Previously, Phil also served as the Chief Operating Officer of the Information Assurance Directorate at the NSA, managing day-to-day operations, strategy, and relationships in cybersecurity.

The opinions expressed in this blog are those of Phil Quade and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

More from this author