Kerravala: Network Visibility Key to Security

Zeus Kerravala is Founder and Principal Analyst with ZK Research. Kerravala provides research and advice to end user IT and network managers, vendors of IT hardware, software and services and the financial community looking to invest in the companies that he covers. Follow Zeus on Twitter: @zkerravala.

OPAQ: How will IT security budgets change over the next 12 months, and how will IT directors prioritize spending?

ZK: Security is a top driver for IT spend, and it’s the number-one driver for network spend. I think that we will see 8-10 percent growth this year over last year, which is three times the overall IT spend growth. This trend has been going on for the last five years or so, partly because with social media, any kind of perceived breach gets magnified so fast. It can cause public embarrassment, or as with Target, the company had to bribe customers to come back with incentives. Some companies have had to change their business models, while others like Sony had lots of employees leave the company after the breach. If you talk to a CEO or CFO, they usually don’t care about what servers and cloud platforms are in use, but they do care that there is a security strategy because it’s something that shareholders and customers are asking about.

I see a shift in security spending. Today about 90% of spend is still focused on the perimeter but only 27% of breaches occur there. We’ll see more focus on protecting users, apps and internal networks. It takes a lot of work to get through a state-of-the-art firewall. It’s much easier to launch malware by a user clicking on a link.

OPAQ: Which cyber security threats seem to be foiling enterprises today and the vendors who serve them?

ZK: The greatest challenge today is malware through encrypted traffic, because traditional security tools can’t see it. If I can embed malware in corporate email it bypasses security systems. Ransomware is another big problem, caused by users clicking on links that they shouldn’t. We are also seeing more corporate fraud where someone will mimic a CEO’s message. They do this by studying language from emails and LinkedIn profiles. This happened to a tech vendor in Silicon Valley where an email went from someone posing as the CEO to the finance division and the company cut a check for over $45 million to a fake supplier. The whole nature of threats has changed: they are very sophisticated and targeted.

OPAQ: Do you think security priorities would be different if there was no compliance pressure?

ZK: I don’t think it would be less important, but sometimes compliance can create a false sense of security. Let’s say that a company has a policy in which employees must change their passwords every quarter, but how many people can have 13 passwords that they memorize? I spoke with one employee at a company with a policy like this and he just made passwords with the seasons of the year which he changed periodically. Companies should do the work to understand whether requirements are making the company more secure or not. For instance, one well-scripted password might be better than having people change their passwords every month.

OPAQ: What are some basic principles of security that perhaps companies overlook when making their plans and strategies?

ZK: The first one is that more isn’t better. My research shows that companies have around 32 different security vendors. If you have a bunch of tools and they all are on their own island, that’s complex and overwhelming. If you make a change in one system, you don’t know what other changes you need to make elsewhere. Then you can’t be effective.

You’re only as secure as your weakest link. You could be spending a lot of money protecting the perimeter, but if you have an insecure wireless LAN, what good is that? I advise companies to think about security more architecturally. Take a step back and realize what systems you have in place instead of piling on more technology.

Organizations need to think about having strong network visibility. This is about anomaly detection, which is a means to identify breaches that might be hard to find otherwise. A company with a connected soda machine that is suddenly trying to access the accounting server is probably not a good thing. The network sees all traffic and devices, and can pick up patterns veering from normal which could indicate a breach.
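
The soda-machine scenario from the answer above, sketched as a baseline-deviation check over flow records. This is an added example, not part of the interview; the device names, hostnames, ports and the SENSITIVE set are constructed for illustration.

```python
from collections import defaultdict

# Constructed flow records: (device, destination, destination port).
BASELINE_FLOWS = [
    ("soda-machine-01", "telemetry.vendor.example", 443),
    ("soda-machine-01", "ntp.corp.example", 123),
    ("finance-ws-07", "accounting-db.corp.example", 1433),
    ("finance-ws-07", "mail.corp.example", 993),
]
NEW_FLOWS = [
    ("soda-machine-01", "telemetry.vendor.example", 443),
    ("soda-machine-01", "accounting-db.corp.example", 1433),
    ("finance-ws-07", "accounting-db.corp.example", 1433),
    ("badge-reader-03", "ntp.corp.example", 123),
]
# Assumed asset tagging: destinations whose exposure warrants a high-severity alert.
SENSITIVE = {"accounting-db.corp.example"}


def build_baseline(flows):
    """Map each device to the (destination, port) pairs seen in the learning window."""
    baseline = defaultdict(set)
    for device, dest, port in flows:
        baseline[device].add((dest, port))
    return dict(baseline)


def find_anomalies(baseline, flows):
    """Return one alert per distinct flow that deviates from the learned baseline."""
    alerts, seen = [], set()
    for device, dest, port in flows:
        if (device, dest, port) in seen:
            continue  # report each deviating flow once
        seen.add((device, dest, port))
        if device not in baseline:
            reason = "unknown-device"      # device never seen while learning
        elif (dest, port) not in baseline[device]:
            reason = "new-destination"     # known device, unfamiliar target
        else:
            continue                       # matches normal behaviour
        severity = "high" if dest in SENSITIVE else "low"
        alerts.append((device, dest, port, reason, severity))
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(build_baseline(BASELINE_FLOWS), NEW_FLOWS):
        print(alert)
```
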

IT Security Professionals Take a Stand: Why They’re Divorcing Themselves from the Security Product Ball and Chain

Business executives despise security – it’s often viewed as an impediment to growth and innovation – but they know they need it. On the other hand, IT security professionals thrive on security and an ecosystem of roughly 1,500 security product and services vendors that compete in a Zoolander-like fashion show, puckering up and striking poses every few minutes to show off their latest wares.

What organizations really need is a set of security functionality that works together to reduce the attack surface and reduce risk. This has traditionally been delivered through a multitude of products and services cobbled together with duct tape and fishing line, resulting in a massively complex and costly infrastructure. In addition to the massive costs, this approach continues to fuel the need for impossible-to-find security experts who can manage and maintain the infrastructure.

What more and more organizations are now realizing is that, rather than receiving the needed security functionality through an array of products and services, they can instead receive it from the cloud. Security-as-a-service not only frees up time for IT security professionals to focus on more strategic business initiatives, but it also reduces costs for business executives seeking to maximize every dollar invested in security.

As a result, what we’re seeing is an influx of IT security professionals picking up bolt cutters and snapping the chains of their traditionally product-centric approach to security. This shift is supported by a market study conducted by analyst firm 451 Research, which sought insight into the challenges and opportunities that more than 300 US mid-tier companies face with respect to network security.

What’s Wrong with More Security Products and Services?

Nothing, as long as you have the personnel expertise, budget and time to dedicate to testing, procuring, integrating, refreshing and managing them. According to the study, more than 82% of respondents claimed they devote between 20 and 60 hours per week of in-house staff resources to procuring, implementing and managing network security. The average mid-market organization invests $461,000 per year in IT security, and nearly 40 percent of the total budget is spent on network security. These businesses also expect to increase spending on network security by an average of 10.9% over the next 12 months.

The reality is most mid-tier organizations lack the resources to keep up with this approach. Cloud, mobile and IoT adoption are only making this challenge more difficult.

Despite significant investment in network security, 63% of the respondents reported having little to no visibility and control over their entire distributed network, especially mobile devices, remote users, IoT devices and third parties.

According to the study, typically between 3 and 5 employees dedicated to IT security are tackling these challenges. This handful of employees spends many hours managing the various traditional IT security products and services required to protect the network. Many organizations also rely heavily on contractors and part-time employees, as well as MSSPs, which adds complexity to daily coordination efforts.

What’s keeping these organizations from advancing? 62% cited legacy IT. Challenges presented by legacy IT and personnel shortages are forcing organizations to look for new solutions to solve the network security and resource conundrums.

Nirvana: Automation and Centralized Security Control – From the Cloud

IT security professionals are increasingly looking to cloud-based services and new technologies to address business requirements and security challenges. In fact, two-thirds of the respondents indicated that they strongly prefer using a cloud-based security solution from a security-as-a-service provider for managing or co-managing their security. More than 70% of the respondents indicated they prefer security-as-a-service over on-premises or MSSPs.

The urgency around this shift is strong. More than 85% of the respondents in the study indicated that network security-as-a-service is “important” (within 12 months) or “critical” (within three months). Branch office enablement and optimization and threat management were cited as the main priorities for a swift shift to a network security-as-a-service solution.

The common thread between business executives and IT security professionals is that network security remains a significant business priority. The shift to security-as-a-service is not only about fleeing a complex and costly problem. It’s also about making a smart, strategic move to a delivery model that is strong and sustainable.