A well-planned enterprise asset security strategy, with an IT and software security architecture approach leveraging automation and integration, is crucial to stopping hacker attacks like WannaCry, according to Ron Temske, a 20-year IT security veteran. Getting that strategy together calls for finding order in the chaos of today's distributed user base, connected system and security tool vendors' hype.
"There's no such thing as perfect security or an environment that cannot be compromised, but the architectural approach can be highly effective in preventing and detecting these attacks," said Temske, security solutions vice president for cloud provider Logicalis Group. In this interview, he surveys the challenges in secure application development and gives advice on prioritizing modern security strategies, creating an enterprise software security architecture, using security frameworks like CIS and choosing security tools.
Today, Temske sees CIOs and enterprise architects being less afraid of data and application security threats like WannaCry than confused by the complexity of securing their assets. They're bombarded with pitches for software security products and technologies, and they're hearing constantly about new hacker tools and techniques. Factors like cloud, social media, connected devices and working from home have added complexity by making traditional physical perimeter security -- such as firewalls -- inadequate. "Some say that data is the new perimeter, but that's not entirely accurate. It's about protecting your assets, which may exist in many places," Temske said.
Another point of confusion is defining assets. Many business leaders are concerned about security but don't know the breadth or scale of importance of the assets that must be protected, Temske said. They don't have a comprehensive understanding of particular assets that are more valuable to the company's brand. They don't have foreknowledge of the financial results if a security event, incident or breach tarnished the company's brand. A one-size-fits all software security architecture and security strategy can't protect each unique company's assets.
How different is the way hackers work today than in the past?
Ron Temske: For one thing, the motivations behind hacking have changed. If you go back 10 years, hacking was egocentric and malice for the sake of malice. They were thinking, 'Can I do it? Can I wreak havoc? Can I cause mayhem just for the perverse satisfaction of doing so?'
Ron Temskesecurity solutions VP, Logicalis Group
Fast forward and hacking has changed from a hobby to a business, motivated by financial gain. Certainly, ransomware has gotten the lion's share of the media attention of financially motivated attacks, but it's by no means the only type of attack. There are other avenues like data theft, blackmail and exhortation, for example.
Also, we didn't see hacktivism 10 years ago. We didn't see things before like the highly publicized WikiLeaks release of the Vault 7.
How has social media made businesses and people more vulnerable to financially motivated hackers?
Temske: Hackers are leveraging social networks, like Facebook and LinkedIn and the sorts, to gain information.
Friends on the business side often tell me, 'I got an odd request from someone on Facebook. Why did they do that?' Well, it's because they're trying to get your personal information to launch an attack against you [as in identity theft] or your business.
A lot of those attacks against individuals are not targeted. They're actually broad brush phishing campaigns. And if you happen to click on the link or, you know, go to the wrong malvertising site, you may pick it up.
On the business side, the attacks target people with influence. An example is leveraging social networks to target new CFOs and people who move into leadership at organizations. They prey upon their newness by sending them forged email attacks, masquerading as the CEO of the company. They are leveraging the fact that the new CFO or CEO hasn't built up personal relationships yet.
What is your first-step advice to CIOs and enterprise architects who must choose software security tools?
Temske: Think about how a tool fits into your strategy and software security architecture. Does it fit into your strategy? How does it interoperate with what you already have? How will you manage it? It's all those questions that should be answered and frequently aren't.
Of course, your company has to have a software, date and/or asset security strategy. I run into many companies that don't have one. If you're shopping for a security technology and you don't have a strategy or security architecture to guide you, you're going to have spotty protection.
Traditionally, most organizations have bought best-of-breed IT and software security products that handle specific types of threats or provide system perimeter protection. Redundancy is often the result. So, many companies have security solutions from different vendors that are maybe 10% or 20% unique, but have an 80% feature overlap.
How do 'best-of-breed' and software security architecture approaches differ?
Temske: In the architectural approach, the components are integrated, even if all the tools do not come from one vendor. Here's a simplistic example of the benefit of integration: Say I detect something worrisome on the firewall. In my integrated and automated security architecture, my endpoint network instantly knows of that threat and activates a prevention process. So the security [architect or administrator] doesn't have to think, 'Oh, we need to manually make that same change on the network and at the endpoint.' The activity just happens in the background.
What are alternatives to building a software security architecture or framework from scratch?
Temske: The struggle is where to start. There are great frameworks from information security organizations like NIST (National Institute of Standards and Security), [International Organization for Standardization], CIS (Center for Internet Security) and [Health Information Trust Alliance] that provide a blueprint, a path to follow.
There are a couple reasons we happen to be fond of using CIS programs. One, it's a little more consumable, less complex. For example, NIST is so complex. CIS is a little smaller to start with. Later, if you decide to go to something like NIST, there's a lot of cooperation between the CIS and NIST teams. So, the effort you put into working with CIS is not lost when you go to NIST. Also, CIS is a nonprofit, so there's no concern of ulterior motives or sales gimmicks -- [its] only purpose in life is to help make organizations' asset security stronger.
A solid vulnerability management program, such as CIS Control 4, is key to ensuring systems are updated and protected against attacks that leverage known vulnerabilities.
What are other benefits of using CIS for vulnerability management planning?
Temske: The other thing CIS does, which is nice, is not only do they have controls, but they're in priority order. You're free to form your own opinion, but many people find their advice on the priority you should assign to your security tasks beneficial.
What is your advice for companies that are analyzing their current security measures?
Temske: Once you've gone through the exercise of what assets you're trying to protect, the next step is mapping your inventory of security solutions against your asset protection goals. As I mentioned, we see a lot of overlaps in security tool portfolios. We have seen companies that have bought sophisticated technologies that did not protect the most basic asset security needs. For the amount of money spent on duplicating or triplicating tool functionality, you could have invested in a software security architecture and matching portfolio.
Building security into DevOps
The role of security architects in DevOps
Developing secure mobile apps