Rather than working to cure the IT security disease, too many companies are focused simply on treating the symptoms by adding layer after layer of security complexity. To get to the root of the malady, what they need to focus on instead is data analytics, machine learning, and an understanding of individuals’ roles.
That was my key takeaway from a recent interview with Stan Black, chief security officer at Citrix Systems, who said that conclusion had been reinforced by the findings of a newly released IT security survey, commissioned by Citrix and conducted by the Ponemon Institute. Black addressed the layering phenomenon in the context of what he sees as the role of public cloud:
Historically, if you wanted to do intrusion prevention, you would stick another appliance or piece of infrastructure into your business. That would add a layer of complexity and multiple headcount to monitor it, support it, manage it, and maintain it from a licensing perspective. And then you multiply that across firewalls, antivirus, anti-malware, intrusion prevention, intrusion detection, whitelisting, blacklisting, etc. So many of the platforms that are in the cloud now — [Microsoft] Azure and AWS [Amazon Web Services], for example — give you the ability to do many of the layered functions that we would historically do through infrastructure, people, processes, and technology, and instrument it in the cloud. That’s compelling. So if you virtualize your environment, you take away the need for all the patch management and the malware and all the other layers. DLP [data loss prevention] is a spectacular example. How can I have data leakage or loss, when it wasn’t in the building in the first place?
Black went on to explain where analytics come in:
In the security space, we historically have had things like SIEMs, or Security Incident and Event Management technologies, which were really a point of aggregation for security technologies. But anybody who was reasonably savvy also incorporated things like health checks on routers or servers. In other words, it’s producing logs, and it’s telling you that you’re getting to, say, 98 percent utilization of a router or a server, for example. Historically, the IT world will look at that and say, “Oh, well, we need to add more resources.” I’m a paid paranoid. I look at that and I say, “I think we’re getting DDoS’d, or someone’s owned a box.” So, instead of layering on extra controls, the way I’m approaching a lot of this is to do the analytics, and establish reasonable thresholds for operations.
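The threshold analytics Black describes, rendered as an added example that is not part of the interview or of any Citrix tooling. The log format, host names and numbers are constructed for illustration, and the two-part rule (an absolute ceiling plus a deviation from each host's own baseline) is an assumption about how one might make "reasonable thresholds" concrete: a database server that always runs hot is not an alert, while a router that jumps from the low 40s to 98 percent is worth a second look.

```python
"""Threshold analytics over constructed health-check logs (added example)."""
import re
import statistics
from collections import defaultdict

# Constructed sample lines, modelled on a router/server health-check feed.
# Host names and utilisation values are invented for this illustration.
SAMPLE_LOGS = """\
2024-03-01T09:00:00Z host=rtr-edge-1 cpu_util=41
2024-03-01T09:05:00Z host=rtr-edge-1 cpu_util=44
2024-03-01T09:10:00Z host=rtr-edge-1 cpu_util=39
2024-03-01T09:15:00Z host=rtr-edge-1 cpu_util=43
2024-03-01T09:20:00Z host=rtr-edge-1 cpu_util=42
2024-03-01T09:25:00Z host=rtr-edge-1 cpu_util=98
2024-03-01T09:00:00Z host=srv-db-7 cpu_util=85
2024-03-01T09:05:00Z host=srv-db-7 cpu_util=88
2024-03-01T09:10:00Z host=srv-db-7 cpu_util=91
2024-03-01T09:15:00Z host=srv-db-7 cpu_util=87
2024-03-01T09:20:00Z host=srv-db-7 cpu_util=90
2024-03-01T09:25:00Z host=srv-db-7 cpu_util=93
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) cpu_util=(?P<util>\d+)$")


def parse_logs(text):
    """Turn the raw feed into (timestamp, host, utilisation) tuples; skip malformed lines."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((m["ts"], m["host"], int(m["util"])))
    return rows


def find_anomalies(rows, baseline_n=5, abs_threshold=95, z_threshold=3.0):
    """Flag a reading only when it is both above an absolute ceiling and far
    outside the host's own baseline (first baseline_n readings, sorted by time).

    Requiring both conditions is an assumed design choice: it suppresses hosts
    that legitimately run hot, and ignores small wobbles on quiet hosts.
    """
    by_host = defaultdict(list)
    for ts, host, util in rows:
        by_host[host].append((ts, util))

    alerts = []
    for host, series in by_host.items():
        series.sort()  # ISO-8601 timestamps sort lexically
        baseline = [u for _, u in series[:baseline_n]]
        if len(baseline) < 2:
            continue  # not enough history to say what "normal" is
        mean = statistics.mean(baseline)
        stdev = statistics.pstdev(baseline) or 1.0  # avoid division by zero on a flat baseline
        for ts, util in series[baseline_n:]:
            z = (util - mean) / stdev
            if util >= abs_threshold and z >= z_threshold:
                alerts.append({
                    "host": host,
                    "ts": ts,
                    "util": util,
                    "baseline_mean": round(mean, 1),
                    "z": round(z, 1),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(parse_logs(SAMPLE_LOGS)):
        print(f"{alert['ts']} {alert['host']}: {alert['util']}% "
              f"(baseline {alert['baseline_mean']}%, z={alert['z']})")
```

Run as written, the only alert is the router's 98 percent reading; the database server's 93 percent sits comfortably within its own history and under the ceiling, which is the distinction Black draws between "add more resources" and "someone's owned a box".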
Black referred in this context to the global Citrix/Ponemon Institute survey of IT and IT security pros, which found that 70 percent of the respondents cited data analytics, 77 percent cited machine learning, and 78 percent cited identity and access management as keys to reducing security risk over the next two years:
What does that tell you? In my mind it tells me, one, a computer never committed a crime, so you better darn well know who your people are, and what they have access to. Part of that is going to be role mining. “Oh, well, let’s see, everyone has access to our financial systems even though they’re not part of the finance organization.” That’s bad. Data analytics and machine learning, I couple them together. When you do proper Big Data analytics and log aggregation, consistently producing metrics about your systems, whether security or operational, and you plug that into several of the machine learning technologies today, you can find a root cause that would have taken two years to identify. Maybe it’s an insider stealing something, or a compromised system that’s slowly eking out data. So as we add complexity — and I never thought this was going to be a reality in my career — we can actually have a machine look at that without any contextual knowledge of what we do for a business, what our people’s jobs are, and actually find anomalies and potential risks. That’s phenomenal.
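Black's role-mining example, where people outside finance turn out to hold access to the financial systems, as an added illustration that is not from the interview or from any Citrix product. The HR and entitlement extracts are constructed, and the peer-group rule (flag an entitlement that almost none of a user's departmental peers hold) is one common way to do this, not the only one.

```python
"""Peer-group role mining over constructed entitlement data (added example)."""
from collections import defaultdict

# Constructed HR extract: user -> department. Names and departments are invented.
USERS = {
    "alice": "finance", "bob": "finance", "carol": "finance", "dave": "finance",
    "erin": "engineering", "frank": "engineering", "grace": "engineering", "heidi": "engineering",
    "ivan": "legal",  # a department of one: no peers to compare against
}

# Constructed entitlement extract: (user, entitlement). System names are invented.
ENTITLEMENTS = [
    ("alice", "erp-gl-post"), ("bob", "erp-gl-post"),
    ("carol", "erp-gl-post"), ("dave", "erp-gl-post"),
    ("erin", "git-push"), ("frank", "git-push"), ("grace", "git-push"), ("heidi", "git-push"),
    ("erin", "erp-gl-post"),          # an engineer with general-ledger posting rights
    ("alice", "erp-ap-approve"), ("bob", "erp-ap-approve"),
    ("ivan", "contract-sign"),
]


def peer_group_outliers(users, entitlements, min_peer_share=0.25):
    """Return (user, entitlement) pairs that fewer than min_peer_share of the
    user's *other* departmental peers also hold.

    Excluding the user from their own peer set is an assumed choice: otherwise a
    one-off grant always counts as held by at least one peer and can never be
    flagged. Departments with no other members are skipped as unevaluable.
    """
    dept_members = defaultdict(set)
    for user, dept in users.items():
        dept_members[dept].add(user)

    holders = defaultdict(set)
    for user, ent in entitlements:
        holders[ent].add(user)

    outliers = []
    for user, ent in entitlements:
        dept = users[user]
        peers = dept_members[dept] - {user}
        if not peers:
            continue  # nothing to compare against; handle such cases by manual review
        share = len(holders[ent] & peers) / len(peers)
        if share < min_peer_share:
            outliers.append({
                "user": user,
                "dept": dept,
                "entitlement": ent,
                "peer_share": round(share, 2),
            })
    return outliers


if __name__ == "__main__":
    for hit in peer_group_outliers(USERS, ENTITLEMENTS):
        print(f"{hit['user']} ({hit['dept']}) holds {hit['entitlement']}; "
              f"peer share {hit['peer_share']}")
```

On the constructed data this surfaces exactly one finding, the engineer holding general-ledger posting rights, while the two finance staff who approve payables are left alone because a third of their peers share that entitlement. In practice the peer share threshold and the choice of grouping attribute (department, job title, manager) are what separate a useful review list from noise.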
Black provided a compelling example of what he was talking about:
There was a security software company out there that thought they had two people that might be stealing some of their code, and shipping it off to a nation-state. So for two years, they investigated by digging through logs, and subsystems, and access, router, and firewall logs, to finally get to the point where they were sure. But what they did before they finished that was they engaged a machine learning company to do the analytics, and they gave them their logs. And the logs were a mess. But the machine learning technology crawled through that data for approximately two weeks, and absolutely and empirically proved that they had two insiders. And that particular company said, “Well yeah, we figured that out ourselves.” The machine learning company said, “Oh yeah, and by the way, there are 11 more doing the same thing.” That’s pretty darn unique.
Black wrapped up the conversation by stressing that cloud providers must give their customers visibility into how their data is being protected:
I would challenge you to find me a single billion-dollar enterprise that does not have dependencies upon third-party vendors, and that has zero cloud presence, whether it’s an HR system, a travel system, or what have you. So it is my belief that these capabilities need to be able to gather data, without placing other companies at risk. In other words, if Citrix provides a cloud service to a customer, where data at rest, in use, and in motion is there, which is sensitive to them, we have to be able to instrument or provide the visibility into how we are protecting you. When we look at what the technology can do with identity and access management in the cloud, where you can federate across large, disparate organizations, where you can use the data from your service provider to prove in real time that they are testing vulnerabilities, that they are patched at the right level, you can begin to take what is locked in your data centers and put it in different locations. Because now, we can instrument it with technology that historically did not exist.