The threat landscape is a daunting place – with morphing malware strains, denial of service attacks and malicious actors holding enterprises for ransom. In the digital age, nothing says progress like sound security controls and a commendable posture. Enterprises that can manage risk, explore efficient solutions and communicate security in a business context are operations bound to succeed.
But it’s no easy feat. As mentioned, hackers breathe down the necks of security practitioners on a daily basis. Today’s mantra is not so much preventing bad actors from nearing your network, but instead, preventing them from accessing your crown jewels.
A part of the larger transition is the migration to the cloud, which poses its own unique challenges. To get his take on this, as well as the state of cyber security as a whole, we spoke with Tufin CEO Ruvi Kitov.
Since 2005, Tufin has dealt with security policy orchestration, primarily for large organizations. Tufin acknowledges that the “network of yesterday” is no longer totally applicable today. As elements are added to networks, Tufin oversees their defense – from inadvertent vulnerabilities to lateral movement.
Kitov caught up with the Cyber Security Hub to discuss these topics:
Cyber Security Hub: How would you assess the current threat landscape?
Ruvi Kitov: The threat landscape is interesting because it’s evolving, and getting worse. The going assumption of Fortune 100 companies is that on some part of the network, bad people (are) already (there), trying to get to critical assets. It’s next to impossible to patch everything. A year ago, they might’ve assumed that they could just patch everything: “If you follow the process, you’ll be 100% safe.” No way. One part (of protection is): finding who is already on the network. The other part: trying to avoid them getting there in the first place. In Fortune 1000 companies, the number of events that occur there is so overwhelming… First of all, you have attacks going on all the time. To figure out if something nasty is happening is like finding that needle in a haystack – it’s practically impossible. So, take where we were a year or two ago, and increase it by a factor of five. At the same time, organizations are trying to save money. Very often they have a bigger security spend, but don’t necessarily increase staff – they’re overworked, (hence the) skills shortage.
CSHub: How has the rise of DevOps impacted network security and visibility?
Kitov: I think it’s a huge movement in today’s world. DevOps is the new norm, the new way to develop applications. It’s interesting to look at it in organizational politics – of who manages what. So, in the DevOps world, they’re connected to developers. They sit in business units; they’re generally not a part of IT. Suddenly, you have people in charge of technology to a greater extent than ever before… There is a growing frustration in business units, related to IT and whether they can make the changes they’d like to. In DevOps, it’s about agility, trying different things, experimenting. They want to make changes as quickly as they can – it’s an agile culture, an agile methodology. Security has historically been a part of IT, but the security team is not a part of the business unit. DevOps don’t have security folks on (their) “side.” Their charter is: to roll out apps as quickly as possible, yes, with security and care about it. But, it might be priority number four or five on their list. If it conflicts with agility, then they don’t want to deal with it…
For the DevOps team, the last thing they want is something to slow them down… (They’re) making 50 changes per day, on the fly – they can’t work that “slow.” There’s an inherent conflict there… Essentially, a lot of DevOps teams are running fast, with almost no security oversight at all. I’m not saying they don’t write scripts or try to put some security into their work. But if you ask them about policy, and what should connect to what…there’s very little control or thought that goes into that…
CSHub: What are some ways to resolve that ‘inherent conflict’?
Kitov: There are various ways to resolve it. Some of it can be: better tools to automate security analysis, so practitioners can review changes without slowing down the DevOps team. Otherwise, it’s going to be like a wound that’s festering, or you wait until something blows up or there’s a huge hack. There’ll be a day of reckoning where they then say, “Wait, we need control in DevOps.”
CSHub: What challenges do organizations face in today’s complex IT environment?
Kitov: The move to the cloud is probably the biggest revolution of our age. It’s big for organizations. We first had the Internet, the revolution of mobile computing and the iPhone – and now there’s the move to the cloud for enterprise software. It is just a massive revolution. The ramifications of the move are still not fully understood by everyone. From a network perspective, suddenly you have all of these networks that are software-defined – (and you can) manage the network from anywhere. You don’t have to log in to a console to make changes. There are benefits to it. There are also huge challenges. The complexity is increasing even further… (and) I don’t see a way for organizations to benefit from it without investing more in education and having more people (in the space) as well. The overall spend in security, even today, is not enough. A vast majority (of enterprises, agencies, etc.) still underspend on security… There’s unbelievable complexity.
CSHub: What is a simple or practical way to assess various cloud services – in deployment, effectiveness, etc.? (This includes services running on various platforms, data being stored there, and access.)
Kitov: This is a huge topic – when you’re looking at cloud services. The infrastructure of the service, the market – Amazon, Google – etc. Obviously, basic cloud services have been around for a while. There are (of course) leaders in respective spaces… There are all different certifications that cloud services need to go through. (Enterprises should) look at that. What regulations do you need to comply with? Make sure the cloud provider adheres to those. Enterprises: if you have data of various countries in the EU, then you need a cloud provider to have zones where data resides.
(Also, other criteria include): How responsive they are with breaches, how quickly they respond to things. And, this is more on the business side, but, often the IT team is looking at choosing something; the tech folks have chosen a solution… They then go back and higher-ups shoot them down, because they feel like the business competes with them (the cloud provider)… (They say they’ll) never work with cloud providers because a part of it competes with the business.
CSHub: When you say “going back to the basics” with regard to infrastructure, people and processes, what do you mean?
Kitov: “Back to basics,” from our perspective, means when I try to break down what can go wrong. Why are there breaches? How are things breaking down? If I look at any breach I’ve heard of in the past year or so, it can be broken down… Zero-day (threats) you absolutely can’t protect against. So, we’re leaving those out of the equation. (Outside of that), I think at the end of the day, it comes down to one of a few things. Either it’s a policy issue – you either don’t have a policy for a certain aspect of security, or you’ve defined it wrong. Or, it’s a process issue, that’s another alternative. Or, it’s literally about management or people not doing their jobs… The biggest one is policy. If you look at almost any breach, either the organization did not define how to handle that certain type of activity, or they defined the policy but not well enough, or they didn’t specify (enough)… (You might even) have policy, but it’s a Word doc that sits on a shelf with no one enforcing it… Going back to basics, then, is: defining policy for every aspect of security.
Back to basics needs to be: What policy do we have? What is our process? Is every change analyzed by someone else to make sure we didn’t make a mistake? (Are we) checking changes before implementing them on the network? (Are we) checking things periodically? Audit all systems and networks. If you do all of that, you’ll be in a good position.
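The two controls this answer and the earlier one on DevOps describe, checking every proposed change against a written "what may connect to what" policy before it reaches the network, and re-running the same check periodically as an audit, can be turned into a small policy-as-code gate that runs without a human in the loop. The following is an added example written for this page; it is not Tufin's product or any code from the interview. The zone map, the deny policy, the rule format and the sample changes are all constructed for illustration.

```python
"""
Pre-change policy gate and periodic audit for network access rules.
Added illustration, not a vendor's code: the zones, policy and sample
rules below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed zone map: named internal prefixes. Anything not fully
# inside one of these is treated as internet-reachable (conservative).
INTERNAL_ZONES = {
    "dmz": ipaddress.ip_network("10.1.0.0/16"),
    "app": ipaddress.ip_network("10.2.0.0/16"),
    "db":  ipaddress.ip_network("10.3.0.0/16"),
}

# Constructed written policy: prohibited (source zone, dest zone, port)
# triples. A port of None means "any port". This is the "what should
# connect to what" that the interview says is rarely written down.
POLICY_DENY = [
    ("internet", "db", None),    # nothing from outside reaches the DB tier
    ("dmz", "db", None),         # DMZ must traverse the app tier
    ("internet", "app", 22),     # no SSH from the internet to app servers
    ("internet", "app", 3389),   # no RDP either
]


@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # CIDR
    dst: str              # CIDR
    port: Optional[int]   # None = any port
    action: str           # "allow" or "deny"


def zones_of(cidr: str) -> Set[str]:
    """Every zone a prefix touches; broad prefixes also count as 'internet'."""
    net = ipaddress.ip_network(cidr)
    zones = {name for name, z in INTERNAL_ZONES.items() if net.overlaps(z)}
    if not any(net.subnet_of(z) for z in INTERNAL_ZONES.values()):
        zones.add("internet")
    return zones


def violations(rule: Rule) -> List[str]:
    """Policy entries a single allow rule would breach (deny rules never do)."""
    if rule.action != "allow":
        return []
    src_zones, dst_zones = zones_of(rule.src), zones_of(rule.dst)
    found = []
    for s, d, port in POLICY_DENY:
        port_hit = port is None or rule.port is None or rule.port == port
        if s in src_zones and d in dst_zones and port_hit:
            found.append(f"{rule.name}: allows {s}->{d} on port "
                         f"{'any' if port is None else port}, prohibited by policy")
    return found


def review_changes(proposed: List[Rule]) -> Dict[str, List[str]]:
    """Pre-change gate: rules that must not ship, keyed by rule name."""
    return {r.name: v for r in proposed if (v := violations(r))}


def audit_ruleset(current: List[Rule]) -> List[str]:
    """Periodic audit: same policy, applied to what is already deployed."""
    return [msg for r in current for msg in violations(r)]


# Constructed sample change request, as a DevOps team might submit it.
PROPOSED = [
    Rule("web-in", "0.0.0.0/0", "10.1.0.0/24", 443, "allow"),          # ok
    Rule("db-from-dmz", "10.1.5.0/24", "10.3.1.10/32", 5432, "allow"), # dmz->db
    Rule("ops-ssh", "0.0.0.0/0", "10.2.0.0/16", 22, "allow"),          # internet->app:22
    Rule("app-to-db", "10.2.0.0/16", "10.3.0.0/16", 5432, "allow"),    # ok
    Rule("block-all", "0.0.0.0/0", "10.3.0.0/16", None, "deny"),       # deny: never flagged
]

if __name__ == "__main__":
    blocked = review_changes(PROPOSED)
    for name, msgs in blocked.items():
        print(f"REJECT {name}")
        for m in msgs:
            print("   ", m)
    print("change set accepted" if not blocked else "change set rejected")
```

The same `violations` function backs both the gate and the audit, so a rule that slipped in through an emergency change is caught on the next scheduled run against the live ruleset, which is the "checking things periodically" step in the answer above.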
CSHub: Where do you see the cyber security space in three to five years?
Kitov: That’s tough to predict. It’s going to expand into areas that it doesn’t exist in today. The big challenges for security are: The systems we deal with are so complex, it’s almost impossible to do advanced screenings. If we go back to basics – with policy, process and people – let’s see how we manage. I also think that with advancement in technology, we’ll see more things around machine learning and AI. I think we’ll see something where people can, for example, run simulations on all the ways an attacker can get into the network, and predict what it’ll look like… (So), instead of coding patterns that we think are the right patterns – on how to detect an attack – we’ll use more advanced techniques to simulate all the possible ways to attack. I think AI and machine learning will be the next phase of the evolution. I can see that in the next three to five years.