Can Security Practices Be Playing Into the Hands of Attackers?


More than 80 percent of 650 cybersecurity and IT professionals surveyed by Check Point Software Technologies in July said their traditional security solutions either do not work at all, or only provide limited functions in the cloud.

This indicates that organizations' cloud migrations and deployments are racing ahead of their security teams' abilities to defend against attacks and breaches, according to TJ Gonen, head of the company's cloud product line.

"Their existing security solutions only provide limited protections against cloud threats, and teams often lack the expertise needed to improve security and compliance processes," said Gonen.

Security and Efficiency Lagging

However, the problem is not a lack of tools. Gartner forecasts global spending on cloud security tools for 2020 will be $585 million, 33 percent more than in 2019.

"We are in a cyber arms race that has precipitated a security tool race with adversaries' evolving attacks forcing us to spend more to try to defend ourselves," said Jim Reavis, co-founder and CEO of the Cloud Security Alliance (CSA), which promotes the use of best cybersecurity practices in cloud computing.

"Our default response is to adopt new tools to try to keep up, but we are losing this race as adversaries continue to outpace defenders," Reavis stated. "We are increasing operations and personnel costs, but somehow decreasing security and efficiency. Our complex and costly operations are, in fact, increasing the probability of adversaries' success."

The CSA identified what it considers a critical gap: the inability to easily leverage and fuse the output of security tools with deployed threat intelligence.

Five issues prevent the development of this capability:

  • The fast pace of change in both security technologies and adversaries;
  • Vendors focus on a "single pane of glass," a dashboard that visually represents event data. The problem is that the wealth and diversity of event data and the pace of malicious activity are not easily represented on one dashboard, so buyers are reluctant to commit to a single pane when they have already invested in training on the various security products they use;
  • There is no readily implementable exchange protocol and data-labeling ontology;
  • Integrating and processing disparate data sets from different security tools and intelligence sources is difficult because of differing formats and protocols, the need to manage duplicates and redactions, and the importance of understanding context; and
  • The shift from using software and products to secure systems toward focusing on the data those systems generate.


The CSA's comments are "valid in general but shouldn't be taken as a blanket statement," Saryu Nayyar, CEO of global security and fraud analytics company Gurucul, told TechNewsWorld.

"Conceptually, a single pane of glass can put all the important information directly in view," she contended. "It lets analysts focus on what's most important to their job. Properly configured, a single pane presents the relevant information in a single location based on each user's role, and allows the user to drill down into specific events, risks, threats, et cetera, as needed -- without losing context or needing to swap tools."


New Approach to Cloud Security

IT needs to "break the cycle set twenty years ago and place a new cornerstone for cyber defense: cloud-based, data-centric defense," the CSA stated last month.

Using data-centric defense, integration, and automation of tools and overall architecture requires revising what intelligence means in the context of cybersecurity, building cyber memory, and building and maintaining secure, intelligent ecosystems, the paper states.

Intelligence "must be defined as an organization's capacity to normalize, transform, and automatically extract actionable insight and context from internal security tools and external sources to reduce the mean time to detect and respond."

Building a cyber memory involves recalling event data gathered seamlessly from both internal security tools and external threats, instead of dealing with each event separately. Machine learning should be used to identify patterns to more effectively and efficiently address malicious activity.

Secure, intelligent ecosystems are cloud-based memory banks that continuously fuse and enrich data from internal security tools and external sources. This enriched data can automatically update cyber defense tools or conduct triage for further action by analysts. Data from an individual ecosystem can be shared with other companies or organizations to form a collaborative defense ecosystem.
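As an added illustration of the normalize, fuse and enrich step the CSA describes (example code written for this page, not from the CSA paper or the article), the Python below takes constructed events from two hypothetical internal tools in different formats, maps them to one schema, collapses duplicates, enriches them from a constructed external indicator feed, and keeps a per-source memory so that activity seen by more than one tool or matching external intelligence is escalated for analyst triage. All addresses, tool names and indicator labels are made up.

```python
# Added example, not code from the CSA paper or the article: a minimal
# data-centric fusion step over constructed data.
from collections import defaultdict

# Constructed sample events from two hypothetical tools in two formats.
FIREWALL_LOG = [
    "2020-07-01T10:00:00Z deny src=198.51.100.7 dst=10.0.0.5 dport=445",
    "2020-07-01T10:00:01Z deny src=198.51.100.7 dst=10.0.0.5 dport=445",  # repeat
    "2020-07-01T10:05:00Z deny src=203.0.113.9 dst=10.0.0.8 dport=22",
    "2020-07-01T10:07:00Z deny src=192.0.2.44 dst=10.0.0.9 dport=80",
]
EDR_ALERTS = [
    {"ts": "2020-07-01T10:06:00Z", "host": "10.0.0.8",
     "remote": "203.0.113.9", "sig": "ssh-bruteforce"},
]
# Constructed external indicator feed (the "external source").
THREAT_INTEL = {"198.51.100.7": "known-scanner"}

def normalize_firewall(line):
    """Map a firewall text line onto the common event schema."""
    ts, _action, *kv = line.split()
    f = dict(p.split("=", 1) for p in kv)
    return {"ts": ts, "source": "firewall", "src": f["src"],
            "dst": f["dst"], "detail": "port " + f["dport"]}

def normalize_edr(alert):
    """Map an EDR JSON-style alert onto the same schema."""
    return {"ts": alert["ts"], "source": "edr", "src": alert["remote"],
            "dst": alert["host"], "detail": alert["sig"]}

def fuse(fw_lines, edr_alerts, intel):
    """Normalize, drop repeats, enrich with intel, group by source address."""
    events = [normalize_firewall(l) for l in fw_lines]
    events += [normalize_edr(a) for a in edr_alerts]
    seen, memory = set(), defaultdict(list)
    for e in events:
        key = (e["source"], e["src"], e["dst"], e["detail"])  # timestamp ignored
        if key in seen:
            continue
        seen.add(key)
        e["intel"] = intel.get(e["src"])  # enrichment from the external feed
        memory[e["src"]].append(e)
    return memory

def triage(memory):
    """Escalate sources seen by more than one tool or matching external intel."""
    return sorted(src for src, evs in memory.items()
                  if len({e["source"] for e in evs}) > 1
                  or any(e["intel"] for e in evs))
```

Running `triage(fuse(FIREWALL_LOG, EDR_ALERTS, THREAT_INTEL))` escalates the scanner (external match) and the brute-force source (seen by firewall and EDR) while the single unenriched connection is left in memory for later correlation.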

"This is not a call for a singular product but a new mindset to use 'intelligence' to integrate and automate data workflows from security tools and sources used within and between enterprises to create intelligent ecosystems," the paper states.

Enterprises "need to get holistic visibility across all of their public cloud environments, and deploy unified, automated cloud-native protections, compliance enforcement and event analysis" to close the security gaps, said Check Point's Gonen. "This way, they can keep pace with the needs of the business while ensuring continuous security and compliance."