David Monahan: The Perimeter is an Amoeba

ka_0011-2David Monahan is Research Director at Enterprise Management Associates (EMA). He has organized and managed both physical and information security programs, including security and network operations (SOCs and NOCs) for organizations ranging from Fortune 100 companies to local government and small public and private companies. Prior to joining EMA, David spent almost 10 years at AT&T Solutions focusing on the network security discipline. Follow David on Twitter: @SecurityMonahan.

OPAQ: Do most mid to large organizations know how many devices they have on their network—and what issues and remedies does this present for security?

DM: From our research, there is a wide gap in visibility. We estimate that organizations are lacking visibility of at least 10% to as much as 25% of their systems. There are many causes: untracked development systems, BYOD devices, rogue systems being set up under “shadow IT,” random IoT devices and other physical and virtual machines going up all the time.

To gain control of this environment, we are always looking at new niche technologies available to help identify systems and devices. Organizations are evaluating solutions from providers like NAC, established vendors like ForeScout, Cisco, HPE, as well as newcomers like Pwnie Express, and Zingbox.

The good news is there are a lot of things you can do about this problem, but companies need to go about it programmatically rather than in a knee-jerk fashion. That way you don’t end up with a bunch of disparate technologies that don’t work together. We are in a challenging time because there is no hard and fast perimeter anymore. The new elastic perimeter is like an amoeba that changes based on what is happening in that moment.

OPAQ: What are other pressing needs in network security today and are there good solutions?

DM: Knowing your assets, whether in your own data center or in the cloud, is key. Identifying what and where they are, who has access to them and when they are being accessed is really table stakes. Active breach detection is extremely important because the bad guys are still getting in. Endpoint defense is crucial area because that is where a lot of attacks are focused. A good example of that is ransomware. But ransomware can’t encrypt files that it doesn’t have access to so companies need to do a better job of controlling access to their networks and systems as well as detecting these insider threats faster. Security analytics is another area that is really useful, delivering large value to customers. These forms of analytics are used to detect an entity (user, applications, system) that begins acting differently than it has in the past or differently from other similarly classified entities are acting both historically or presently. These changes in behavior can come from insiders that have turned against the company or from external threat actors that have gained access. In this case I like to make a distinction from insider threats and threats on the inside. The former is when an employee is misusing their access to do bad things. The latter is when someone from the outside has acquired credentials and does bad things but we think we can still trust them because they are masquerading as the trusted insider. A lot of attacks today come from people leveraging credentials that they shouldn’t have.

OPAQ: What do mid-market executives say is a top barrier for delivering strong enterprise security today?

DM: The two main issues are skills and tools shortages. Budgets have not really been the main issue for the last few years. In every survey that I have done the results show that on average security budgets are increasing by 12 to 16% yearly. Aside from shortages, there are also issues with what I refer to as political, tools and data silos restricting organization’s ability to gain full visibility and context for events. Tools silos arise from having different groups in the business buying tools and they are not really working together. Data silos are created from gaps in data for some reason, which might be from misconfigured or poorly configured tools not gathering or retaining the data properly. Some examples would be only retaining server logs for 10 days, so I cannot research a newly discovered breach which actually began before that. Or perhaps my logging levels are set too low so the data I need wasn’t captured or set too high, in which case I can’t find the crucial data through all of the data “noise”. Political silos are created by individuals who own data, tool, or human resources and do not openly share those resources to maintain control for some reason or another. There are so many issues that are troubling enterprises today. Often companies don’t fully understand the scope of what they are doing and its impact on security.

OPAQ: What is the biggest security technology game-changer today—or in development now?

DM: There are a number of tools which can make a big difference. The next generation endpoint security vendors are fighting the battle of defending endpoints where antivirus technologies are not doing a good job. Another one is active breach detection systems which gather data off networks. These two technologies are ideally situated to augment each other. A really interesting new space is called deception technology. There are only a handful of companies focusing on this right now. The technology places trigger artifacts on endpoints and on the network, that would not be encountered in the normal course of business so when they are touched, security is alerted for response. (Other capabilities vary by vendor.)Then there is the space of security analytics. This is categorized into predictive analytics, anomaly detection and user entity behavior analytics (UEBA). These tools have evolved out of the need to provide real-time analytics for identifying incidents and events. Another growing area is micro-segmentation which is the policy-based control of cloud resources. It is designed to control how virtual, cloud and hybrid IT systems interconnect to create secure workloads and workflows. As containers and cloud adoption advances, traditional firewalling does not work so micro-segmentation across all of these deployment strategies will be an imperative.