Cyber-security technology may be one of the hottest areas of technology investment, but it is also one of the most interesting. We are living in an age in which the world is run by a massive amount of technology that was never designed to exist safely in a networked world. In addition, the rise of mobile devices and the Internet of Things has radically extended the data center beyond its walls and increased the need for cyber-security technology.
Some deep and intense questions lie at the root of cyber-security. In terms of geopolitics, the countries that are the masters of offense are also the most vulnerable, because of the vast footprint of technology and automation they depend on. Countries less steeped in technology are relatively safe, and have the ability to inflict harm without much worry about retribution from cyber attacks.
The role of government in helping keep a nation safe is also fascinating. Is it possible for a government to promote best practices in cyber security without creating a regulatory quagmire? When should the government mandate specific best practices for critical infrastructure?
There are many initiatives and smart people talking about all these questions, but after years of talking, they are far from resolved.
From a CIO’s perspective, the challenge of cyber-security is daunting. For example, will any amount of money or technology keep a company safe from attack? No. Complete safety is not possible. Given that, how can you determine the right level of spending? It is irresponsible to do the cyber equivalent of leaving your keys in the car. But it is also irresponsible to make promises about safety you cannot keep. No CIO or CSO or vendor can guarantee that an attack won’t succeed.
The modern CIO and CSO must perform a complex balancing act along many dimensions. The problem is that once the balancing act is done, you will never know for certain whether you got it right. What careful attention to a plan will do is give your CEO and board of directors a clear idea of the rationale for your cyber-security strategy and tactics, so that as time passes and technology advances you can make adjustments: increase protection for the money invested, provide the same protection for less money, or reduce protection where the risk from a specific threat has fallen.
One of the most interesting tradeoffs facing CIOs and CSOs is the challenge of determining the right balance between on-premise and cloud cyber-security technology. By analyzing the differences between these two types of cyber-security technology and explaining the nature of the tradeoff to CEOs and boards of directors, it is possible for CIOs and CSOs to bring clarity to an area that is hard to explain. My hope is that CIOs and CSOs can use this article and others I plan to write to start a more sophisticated discussion so that the reaction to a successful attack won’t be to fire someone, but to understand what was learned and how to improve both strategy and tactics. To make my point I examine two cyber security companies, Zscaler and FireEye, with whom I have worked on research projects. My familiarity with the details of each product has helped me deepen my analysis.
What is the Sweet Spot for Cloud-based Cyber Security Technology?
Right now many vendors are attempting to capitalize on the significant, and justified, fear about cyber-security to claim that there is one cloud-based approach to rule them all. In my view, reports of the death of on-premise cyber security technology go too far. On the other hand, cloud-based technology must be part of a comprehensive enterprise security solution for the following reasons:
- Mobile devices and other endpoints are no longer inside the corporate firewall.
- Devices are too powerful to leave unsecured.
- But devices are not powerful enough to run a complete and robust cyber-security system.
- The answer, therefore, is to place the same sort of functionality that would have been in the firewall and on the device in a cloud security gateway.
- When a mobile device or other distributed endpoint needs to access the Internet, it can do so through the cloud-based gateway that can block threats.
Making this work on a global basis is much easier said than done. I recently spoke with Jay Chaudhry, CEO and Founder of Zscaler, a pioneer in cloud-based cyber security whose global security cloud works as described above.
“The proliferation of mobile devices and the increased adoption of cloud applications makes it difficult to manage and protect users as they travel outside the network perimeter,” said Chaudhry. “Traditional security boxes cannot deliver visibility or control into mobile devices and they create a choke point for cloud applications, but prohibiting access to Internet resources will simply encourage users to bypass enterprise controls. Organizations need to embrace a distributed network and security architecture that meets their users in the cloud to accommodate direct access while enabling visibility, control and a high degree of security.”
To support such a product, Chaudhry has had to build a worldwide presence for the Zscaler cloud so that a mobile device is as close as possible, in network terms, to the cloud gateway. The gateway then inspects each request flowing to and from the mobile device, looks for the usual classes of attack, and blocks them when they are found. The same approach can be used for remote offices.
“The world is adopting mobility and cloud. The hub-and-spoke model was created for the old IT world where applications and users were protected by a moat, inside the corporate castle. In the new world of IT, applications have moved to the cloud and users are everywhere. The notion of bringing user traffic to a few gateways for policy enforcement before it goes to the Internet is not practical. It creates a poor user experience and increases the cost of bandwidth due to traffic backhauling. Appliances are obsolete in protecting users.”
With Zscaler’s cloud service, Internet-bound traffic can be sent directly from branch offices to the Internet without the cost and performance degradation of carrying it across wide area networks. Backhauling of web traffic can be virtually eliminated. In Chaudhry’s view, the perimeter has become dynamic, and the only way to secure it is through a distributed cloud architecture.
The Sweet Spot for On-Premise Cyber Security Technology
I accept Chaudhry’s argument that a cloud-based solution is needed, but I disagree that the appliances that reside on premise are obsolete. Chaudhry’s strongest point is that mobility has changed the perimeter, and that a cloud-based defense can protect individuals wherever they are. Appliances that protect you inside your offices are going to have more difficulty protecting you when you are in Starbucks.
But I would argue that appliances and other perimeter defenses still have a role in protecting the crown jewels of a company. Any effective cyber security solution must address the fact that some attacks will succeed. How can you know whether an attacker is already inside your computing infrastructure? How can you find attacks that have not yet been discovered? How can you detect and prevent advanced persistent threats, some of which will succeed? How can you limit the damage once an attack has started?
To address these needs, a comprehensive cyber security system must have locks (perimeter defenses), waiting rooms (for behavioral analysis), ears (for listening for abnormalities in huge streams of data from many sources), eyes (for scanning for abnormalities), a brain to make sense of all of this information, and arms and hands to take action to remediate the threats. In essence, the cloud provides the legs to move security functionality around.
In the long term, perhaps Chaudhry is right that all of the locks, waiting rooms, ears, eyes, brain, arms, and hands will be in the cloud. Zscaler has just announced its own APT solution, which is a combination of ears, eyes, brain, arms, and hands.
The fact is that most of the cyber-security that is in place is still needed. Personal computers still need virus protection. Firewalls are needed to control network access. New capabilities are also on the rise, such as scanning file systems for the artifacts left behind by advanced attacks.
But modern threats happen in stages, where one small foothold is used to gain increasing amounts of access and to ship valuable information out the door.
What on-premise security has lacked until recently is a secure waiting room and a brain to control the arms and hands. The waiting room is needed because modern threats cannot be identified by pattern matching alone: a payload that has never been seen before has no signature to match. You have to watch the various types of payloads after they arrive at the front door of your computing infrastructure, by running them in an isolated environment. If they immediately start trying to break in, establish persistence or call home, they are probably a threat. In this way, you can find threats before they are widely known.
The brain is needed to look at all levels of activity and find patterns or abnormal activity that indicate that an attack may have succeeded. The brain can coordinate all of the existing on-premise technology to quickly isolate an attack and limit the damage.
On-premise technology is also needed to put extra barriers around the most valuable parts of your computing infrastructure. The crown jewels of any company’s assets should be protected as much as possible.
FireEye is a leader in on-premise cyber security that meets the needs just described. To do its job, FireEye uses cloud technology for sharing threat information, but it also has on-premise components that closely monitor, interact with, and coordinate other on-premise security technology. (Because FireEye is in a quiet period following its recent IPO, I was not able to get comment from the company for this story.)
FireEye also provides a virtual execution environment that acts as the waiting room, examining payloads on their way into a computing infrastructure. While many companies offer such protection, FireEye differentiates its products by its approach to virtual execution, which is based on a custom virtual machine designed specifically for detecting threats. For example, the virtual machine goes to great lengths to conceal from the program being examined that it is running in a virtual environment. This matters because many modern threats check whether they are being observed and stay dormant if they are, so a sandbox that is easy to recognize will report them as harmless.
The trick is, of course, to perform this work without slowing down the flow of traffic. For email, this is much less of a problem because you can delay the receipt of an email while checking for problems. For web pages and other time sensitive traffic, the challenge is greater.
FireEye’s approach is to test everything that appears suspicious: anything out of the ordinary is flagged and put into a hardened virtual machine to see what it will attempt to do. By observing its behavior, it is possible to determine whether it is a threat or benign.
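To make the waiting-room idea concrete, here is an added example of how a behavioral verdict can be derived from a sandbox trace. It is not Zscaler’s or FireEye’s code: the trace format, the behavior rules, their weights and the three sample traces are all assumptions constructed for this illustration. It also shows the point about concealment above: a sample that probes for the virtual machine and then exits quietly is not treated as clean, it is routed to the security operations team as a grey-area case.

```python
"""Scoring a sandbox ("waiting room") trace by behaviour.

Added example: this is not Zscaler's or FireEye's code. The trace format,
the behaviour rules, their weights and the three sample traces are all
assumptions constructed for this illustration.
"""
import re
from dataclasses import dataclass

# Constructed sample traces, one line per API call: "<pid> <api> key=value ..."
MALICIOUS_TRACE = """\
1234 CreateFile path=C:\\Users\\u\\AppData\\Roaming\\upd.exe
1234 RegSetValue key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run value=upd.exe
1234 OpenProcess target=explorer.exe
1234 WriteProcessMemory target=explorer.exe size=4096
1234 DnsQuery name=cdn-upd4te.example
1234 Connect host=203.0.113.7 port=443
"""

# A sample that probes for the sandbox and exits quietly when it finds it.
EVASIVE_TRACE = """\
2222 RegQueryValue key=HKLM\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion
2222 RegQueryValue key=HKLM\\SYSTEM\\CurrentControlSet\\Services\\VBoxGuest
2222 ExitProcess code=0 elapsed_ms=180
"""

BENIGN_TRACE = """\
3333 CreateFile path=C:\\Users\\u\\Documents\\report.docx
3333 ReadFile path=C:\\Users\\u\\Documents\\report.docx
3333 ExitProcess code=0 elapsed_ms=45000
"""

# Assumed weights: how strongly each behaviour points to a threat.
WEIGHTS = {
    "drop_executable": 3,
    "persistence_run_key": 4,
    "process_injection": 5,
    "network_to_new_host": 2,
    "vm_artifact_probe": 1,
    "exit_right_after_vm_probe": 4,
}
MALICIOUS_THRESHOLD = 6   # block it
REVIEW_THRESHOLD = 3      # hand it to the security operations team

RUN_KEY = re.compile(r"\\CurrentVersion\\Run$", re.I)
VM_ARTIFACT = re.compile(r"SystemBiosVersion|VBox|VMware|QEMU", re.I)
EXEC_PATH = re.compile(r"\.(exe|dll|scr)$", re.I)


@dataclass
class Verdict:
    label: str        # "malicious", "suspicious" or "benign"
    score: int
    evidence: list    # behaviour names, in the order first seen


def parse_trace(text):
    """Turn the trace text into a list of (api, attributes) tuples."""
    events = []
    for line in text.strip().splitlines():
        _pid, api, *rest = line.split()
        attrs = dict(p.split("=", 1) for p in rest if "=" in p)
        events.append((api, attrs))
    return events


def behaviours(events):
    """Map raw API calls to named behaviours, in trace order."""
    found = []
    probed_vm = False
    for api, a in events:
        if api == "CreateFile" and EXEC_PATH.search(a.get("path", "")):
            found.append("drop_executable")
        elif api == "RegSetValue" and RUN_KEY.search(a.get("key", "")):
            found.append("persistence_run_key")
        elif api == "WriteProcessMemory":
            found.append("process_injection")
        elif api in ("DnsQuery", "Connect"):
            found.append("network_to_new_host")
        elif api == "RegQueryValue" and VM_ARTIFACT.search(a.get("key", "")):
            found.append("vm_artifact_probe")
            probed_vm = True
        elif api == "ExitProcess" and probed_vm and int(a.get("elapsed_ms", "0")) < 1000:
            # The sample looked for the sandbox and then did nothing. If the
            # virtual machine failed to hide itself, a quiet run is not proof
            # of innocence; treat the pattern itself as evidence.
            found.append("exit_right_after_vm_probe")
    return found


def score_trace(text):
    """Sum the weights of the distinct behaviours and turn them into a verdict."""
    evidence = []
    for b in behaviours(parse_trace(text)):
        if b not in evidence:
            evidence.append(b)
    score = sum(WEIGHTS[b] for b in evidence)
    if score >= MALICIOUS_THRESHOLD:
        label = "malicious"
    elif score >= REVIEW_THRESHOLD:
        label = "suspicious"
    else:
        label = "benign"
    return Verdict(label, score, evidence)


if __name__ == "__main__":
    for name, trace in (("malicious", MALICIOUS_TRACE),
                        ("evasive", EVASIVE_TRACE),
                        ("benign", BENIGN_TRACE)):
        print(name, score_trace(trace))
```

The three-way verdict is the design choice worth noticing: a product that only answers “threat” or “benign” forces the evasive sample into one of those bins, whereas a “suspicious” bin gives the security operations team the grey-area cases it needs to tune the system.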
FireEye has integrations with many different types of on-premise and cloud cyber-security technology so that its brain can examine as much evidence as possible.
FireEye has two levels of threat intelligence sharing. Threats found at one installation are shared with all installations inside the company’s infrastructure. In addition, threats are shared, with identifying information removed, with a global cloud database of threats used by all FireEye customers.
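The second tier only works if the step that removes identifying information is done carefully. The following added example shows what the two tiers look like for one detection record and how to check the shareable copy before it leaves the company. It is not FireEye’s record format or code: the field names, the sample detection and the sanitising rules are assumptions constructed for this illustration.

```python
"""Two-tier sharing of a detection record.

Added example: not FireEye's record format or code. The field names, the
sample detection and the sanitising rules are assumptions constructed to
illustrate the "identifying information removed" step described above.
"""
import copy
import ipaddress
import re

# Constructed detection as one site's appliance might record it.
LOCAL_DETECTION = {
    "sha256": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
    "file_path": "C:\\Users\\jsmith\\AppData\\Roaming\\upd.exe",
    "behaviours": ["drop_executable", "persistence_run_key", "process_injection"],
    "callback_hosts": ["cdn-upd4te.example", "203.0.113.7", "10.20.30.40"],
    "detected_at": "2013-10-02T09:14:00Z",
    # Everything below identifies the victim rather than the threat.
    "site": "hq-paris",
    "hostname": "WS-JSMITH-01",
    "username": "corp\\jsmith",
    "source_ip": "10.20.30.12",
}

IDENTIFYING_FIELDS = ("site", "hostname", "username", "source_ip")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
USER_DIR = re.compile(r"(\\Users\\)[^\\]+", re.I)


def is_internal(host):
    """True for an address on an RFC 1918 or loopback network; names are not addresses."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def for_internal_sites(record):
    """Tier 1: other installations inside the same company get the full record."""
    return copy.deepcopy(record)


def for_global_feed(record):
    """Tier 2: keep what identifies the threat, drop what identifies the victim."""
    shared = {k: copy.deepcopy(v) for k, v in record.items()
              if k not in IDENTIFYING_FIELDS}
    # A user profile path names the user; keep only the shape of the path.
    shared["file_path"] = USER_DIR.sub(r"\1<user>", record["file_path"])
    # Internal addresses describe the victim's network, not the attacker's.
    shared["callback_hosts"] = [h for h in record["callback_hosts"] if not is_internal(h)]
    # Day granularity is enough for a global feed and harder to correlate back.
    shared["detected_at"] = record["detected_at"][:10]
    return shared


def _strings(value):
    """Yield every scalar inside a nested dict/list as a string."""
    if isinstance(value, dict):
        for v in value.values():
            yield from _strings(v)
    elif isinstance(value, list):
        for v in value:
            yield from _strings(v)
    else:
        yield str(value)


def leaked_identifiers(shared, record):
    """Check before sending: which identifying values still appear anywhere in `shared`?"""
    haystack = " ".join(_strings(shared)).lower()
    needles = {f: str(record[f]).lower() for f in IDENTIFYING_FIELDS}
    needles["username"] = needles["username"].split("\\")[-1]   # bare account name
    return [f for f, v in needles.items() if v in haystack]


if __name__ == "__main__":
    shared = for_global_feed(LOCAL_DETECTION)
    assert leaked_identifiers(shared, LOCAL_DETECTION) == []
    print(shared)
```

The check at the end is the part a practitioner should insist on: dropping the obvious fields is not enough, because the same identifiers also hide inside paths, addresses and timestamps, so the shareable copy is searched for every identifying value before it is sent.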
Balancing On-Premise and Cloud Technology
In one sense, it is clear that the next generation of both types of technology is needed. Without cloud-based technology, it is going to be difficult to handle the new kind of perimeter. Without modern on-premise technology, you may be vulnerable to the advanced persistent threats that get through.
Of course, there will be overlap. Some of the same techniques, such as virtual execution, may be used on both types of technology. The goal for a CIO or CSO is to be able to explain what each type of the new generation of technology will do to complete the portfolio and how it will work with the existing portfolio of technology that is currently in place.
In addition, there will always be a category of incidents that will be identified by cyber security systems that will need more analysis. In my view, every company will need to have its own security operations center to examine incidents in the grey area and use the knowledge gained to better tune the system. The full product for a cyber security vendor must include an active research capability that provides forensic tools to the company’s security operations team. This is where big data and cyber security are converging.
A balanced approach will be governed by your threat landscape. If you can find a way to isolate mobile devices easily, then it may make sense to start by cleaning up your on-premise security technology and then moving to the cloud. Of course it may be true that mobile devices represent the largest and most compelling threat, in which case starting with a cloud-based technology makes sense. Many companies will be able to afford both at once.
The question will then become: What is the right level of investment? While there is no right answer, smart CIOs and CSOs will have a sophisticated defense of their cyber-security strategy, tactics, and level of spending at the ready. This analysis should be explained in detail to the CEO and the board of directors. Then, when a security problem occurs, heads won’t roll, but spending that would make the company safer will be approved.
In other words, the right security balance is something that everyone is aware of and participates in adjusting.
Follow Dan Woods on Twitter: