As security evolves from the client-server to the client-cloud model, we have seen a shift in the solutions being provided.  In addition, the industry has had a dearth of solutions in areas that are significant to any organization's security.  Looking forward, we need to identify the areas where solutions are needed, based on three major areas of change.

  • The dramatic change in corporate networks, as the content and transactions security is protecting have now migrated outside of the perimeter.  This changes the model for how we implement solutions, because of where those solutions must now be located.
  • The dramatic industrialization of cybercrime.  This has changed not only the methods of attack but also the significant maturity of how corporations respond.  The rise of “Threat Response” teams is directly related to this issue.
  • The adoption of consumer technologies and always-on networking.  As a result, employees are using devices and services that don’t reside on the legacy corporate network.  In addition, they are not coming into the corporate network to work on a regular basis.  This challenges security to implement solutions that protect the content and transactions residing on devices it doesn’t manage and traversing networks it doesn’t control.

Looking forward, there are six core areas of solutions that the majority of enterprises need.

Network Controls Management

For over twenty years organizations have segmented themselves from other networks, including the Internet, with firewalls.  These firewalls then matured into gateways that performed various network-based control functions.  In an interconnected world their effectiveness begins to drop significantly, as more and more of the traffic to be inspected and controlled no longer passes through them.  This is due to the new location of content and transactions, and to employees residing mostly outside of the enterprise.  With that premise, a new network control layer needs to be developed.

The features of this new system will be:

  • It’s “cloud” based.  To protect the users, content and transactions at all times, the solution needs to be a “cloud” solution, because those objects are no longer on the Enterprise.  This also allows an always-on capability with no redirection through the “Enterprise”.
  • Fundamental controls.  As with any gateway solution, there are expected capabilities such as malware identification, traffic logging, application-layer restrictions, etc. that will be available.
  • Attack Methodology sharing.  One of the major benefits of this new control implementation is the ability of the service provider to extrapolate the characteristics of a malicious actor and not only share them in real time with other customers but also put preventative controls in place.
  • Advanced Behavior Analytics.  The challenge with sophisticated analytic algorithms is the complexity of developing and managing them.  Converting an on-premises control into a “cloud” service creates an advantage in the management of the service: those complex things can be managed on behalf of the customer, and as a result these advanced capabilities can be realized.  The new network control service will be able to implement advanced algorithms that identify malicious actors without the limitations of being on premises.
  • Risk based authorization.  There are two main areas in which authorization to a destination can be decided.  The first relates to the content being interacted with.  The second is based on the threat posture of that destination.  By inspecting the content in the context of the data, data classification can be combined with a destination policy.
  • Identity & Authentication.  The management of Identity and Authentication (I&A) has historically been highly fragmented.  Internally, an organization can centralize it for the various network and application access.  This can be externalized through SAML; however, that creates a management-layer problem, which is why 3rd party I&A services have proliferated.  As cloud network control solutions mature they will take on more of the I&A functions.  This will result in their ability to provide identity validation, identity brokering, federation
  • Reverse Proxy Enablement.  Access to Internet-based services in a secure and managed fashion is important.  Moving forward, what matters is the ability to be agnostic to any of those services and to provide access to the organization’s internal services in the same fashion.  This would enable the mobile workforce while retaining the centralized control capabilities the service provides.
  • Service Access Control (SAC).  The ability to analyze and vet a device for appropriateness has been the longstanding objective of Network Access Control (NAC).  Albeit complicated and cumbersome, the objective held significant validity.  With devices being externalized, the need, and opportunity, for that function in the interconnected world remains.  Access to the “network” is no longer the limiting capability; access to the protected services is.  As a result, the inspection of devices and authorization to services based upon policy becomes a core feature.

Monitoring and Threat Response

Historically, we have had various solutions, such as SIEMs and home-grown tools, to assist in the identification of and response to attacks.  While significantly limited in how they technically identify issues, they are also limited in where they operate.  Because they have mostly been on the organization’s network, their ability to identify malicious actions outside of that domain has been limited.  In addition, the identification of attacks and their investigation processes have been technically separate.  The solution that is needed will merge the SIEM and Threat Response spaces.  The result will be a solution that enables detection and, mostly, case management of the various actions a security team must respond to.

The features of this new system will be:

  • Increase in detection technology.  The migration from legacy regular expression and correlation rules to advanced machine learning algorithms will enable the identification of historically unknown and more complex attacks.  Anomaly detection, weighted decision trees and other algorithms are placed in the context of the types of attack models that we have seen in the past and can predict in the future.
  • Cloud based operation.  Placing the system “in the cloud” as a service provides the backend corporate support that is needed.  This will mitigate the existing labor problems organizations have in managing SIEM solutions and their advanced capabilities.  In addition, the faster cadence of feature releases will let customers take advantage of new features with little to no overhead.
  • Case management system integration.  Integrating a case management system will enable the entire “detect to respond” flow.  With eDiscovery, HR and other issues being inputs into the identification and remediation of security events, these workflows must be incorporated.  This drives integration with HR systems, legal whistleblower sites, etc.
  • Perimeter and Internet Enabled.  The solution must collect from a full spectrum of sources.  This includes legacy Enterprise-based devices and applications as well as cloud providers and devices on the Internet.  This is another reason why the service must reside as a cloud service.
  • Integrated customer threat sharing.  One of the major benefits of this new analytics model is the ability of the service provider to extrapolate the characteristics of a malicious actor and not only share them in real time with other customers but also put preventative controls in place.  This shrinks the window in which the same attack can be reused against other organizations, as the time to mitigation is driven down from six months or a year to hours.

Software Development

Application security has been, and is, a significant portion of any security program.  The majority of security risk lies within the application layer, which is the most complex layer in any organization.  This creates a large need to ensure that the design, creation and management of software is done with as much security in mind as possible.  This is complicated by the fact that software development has gone through major changes over the past ten years, from solely internally developed applications to multi-layered development by multiple parties.  Most applications today are created using open source and other third party code that is “plugged in”.  The solutions of tomorrow need to have this in mind.

The features of this new system will be:

  • Cloud Service based.  With development being a multi-party, multi-organization endeavor, the solution needs to be born in a globally accessible model.  This drives it to be a “cloud service”, which enables the brokering of the service across any party, and not only the brokering but also the easy integration and exchange of those 3rd parties and their respective code.
  • “Bill of Materials” Assessment.  The complexity of multi-party and multi-layered development has driven a need for a complete detailing of which components are used and their respective versions.  The new service will enable an analytics component in the organization’s code repository.
  • Integrated policy establishment.  The ability to establish coding standards or policies and have them applied to everyone in the development project is important.  By enabling this in a cloud service it could be extended to any 3rd party coding on behalf of the organization.  This is even more important when that 3rd party does not want to release IP but only the finished product.  The service acts as a trusted escrow for analyzing whether the policy has been applied.
  • Trusted Software Exchange.  As third party software is analyzed for its safety, it can be ranked among other like components by that rating.  The result is the ability to search for all 3rd party software performing a certain function and select only “high safe” rated components.
  • Trusted Developer Exchange.  Not unlike the ranking of software components, the service could also act as a ranking and exchange of developers.  This would result in an organization finding highly ranked developers to include in its new project.
  • Risk Based Development.  Managing risk in the development process has always been challenging, and is even more so with 3rd party code and an agile process.  This service would enable security teams to apply a policy of what code may be leveraged by their development teams, based on the provider’s risk assessment of that code.  As a result, the organization can say “use any code with an appropriate rating” to its process.
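One concrete form of the “Bill of Materials” assessment and the “use any code with an appropriate rating” policy above, as an added example that is not part of the original post: a build-time gate reads a constructed, CycloneDX-style bill of materials, looks each component up in a constructed rating feed standing in for the provider’s risk assessment, and blocks anything below the security team’s minimum or, failing closed, anything the feed has never rated.  The BOM contents, the rating feed and its 0–100 scale are assumptions for illustration.

```python
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a minimal CycloneDX-style BOM for one project.
BOM_JSON = """
{"components": [
  {"name": "leftpad-ish", "version": "1.2.0", "purl": "pkg:npm/leftpad-ish@1.2.0"},
  {"name": "fastxml",     "version": "3.0.1", "purl": "pkg:pypi/fastxml@3.0.1"},
  {"name": "vendor-sdk",  "version": "0.9.0", "purl": "pkg:generic/vendor-sdk@0.9.0"}
]}
"""

# Constructed sample: the provider's rating feed keyed by package URL.
# The 0-100 "safety" score is a hypothetical scale; vendor-sdk is deliberately unrated.
RATINGS: Dict[str, int] = {
    "pkg:npm/leftpad-ish@1.2.0": 92,
    "pkg:pypi/fastxml@3.0.1": 40,
}

@dataclass
class Verdict:
    purl: str
    rating: Optional[int]
    allowed: bool
    reason: str

def evaluate_bom(bom_json: str, ratings: Dict[str, int], min_rating: int) -> List[Verdict]:
    """Apply a 'use any code with an appropriate rating' policy to every BOM component.
    Components absent from the rating feed fail closed: unknown is not the same as safe."""
    bom = json.loads(bom_json)
    verdicts: List[Verdict] = []
    for comp in bom.get("components", []):
        # Fall back to name@version so a component without a purl is still tracked.
        purl = comp.get("purl") or f"{comp['name']}@{comp['version']}"
        rating = ratings.get(purl)
        if rating is None:
            verdicts.append(Verdict(purl, None, False, "unrated component: fail closed"))
        elif rating < min_rating:
            verdicts.append(Verdict(purl, rating, False, f"rating {rating} below policy minimum {min_rating}"))
        else:
            verdicts.append(Verdict(purl, rating, True, "rating meets policy"))
    return verdicts

def gate_passes(verdicts: List[Verdict]) -> bool:
    """The build gate passes only when every component is allowed."""
    return all(v.allowed for v in verdicts)

if __name__ == "__main__":
    results = evaluate_bom(BOM_JSON, RATINGS, min_rating=70)
    for v in results:
        print("ALLOW" if v.allowed else "BLOCK", v.purl, "-", v.reason)
    print("build gate:", "pass" if gate_passes(results) else "fail")
```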

Application Management

While applications are moving to the cloud, this does not mean the Enterprise doesn’t have, or need to manage, applications.  Applications will continue to reside on devices, client and server, for some time.  The abstraction of application types is critical to drive proper management of all of them in a risk-based model.  This is why a proper application management capability will be integrated into the development process.  This will include “wrapping” of 3rd party applications as well as internally developed ones.  As a result, managing all application-layer controls in the ecosystem will be possible.

The features of this new system will be:

  • Policy based application control.  The ability of an application to manage access, authorization and transactions based on a policy is currently nearly impossible.  This capability, inside the application, would allow all of this based on sensitivity of content, transaction, threat concerns, etc.  In short, it would bring the preventative policy controls that we enjoy in network and other capabilities into all of the applications, regardless of where they reside.
  • Content protection and encryption.  As content is transferred to or interacted with at the application layer, the ability to encrypt and decrypt that content needs to be implemented.
  • Logging and Monitoring.  The implementation of a common set of APIs to log and monitor activity will drive the deeper inclusion of applications in the new SIEM space.

Device Management

Devices include both endpoint and server types of devices.  In this context we have seen a shift of ownership, from corporate to employee, and of location, as is the case with 3rd party IaaS.  While content and transactions are dramatically migrating from endpoint devices to cloud services, a portion of them will still reside on the endpoints.  This drives the need to apply controls to those devices, but agnostic of the device type.

The features of this new system will be:

  • Cloud based management.  Since the devices bridge the Enterprise and the Internet as a whole, the service must be globally accessible.  This drives the management layer to be a cloud service, to ensure constant control and access.
  • Configuration Management.  Basic to any device management, configuration management is an expected staple.  The ability to audit and manage the OS and applications needs to be based on the role of the device and the risk profile of its use.
  • Compliance Governance.  The ability to drive configuration policies based on regulatory or industry requirements is important to ensure proper corporate governance and risk mitigation.  Doing this in the context of identity, personal or corporate, and content sensitivity is significantly beneficial and possible.

Risk Management (GRC)

The security industry has tried for many years to implement a risk management capability.  In today’s environment that need is only more important.  The ability to translate security into a business context and facilitate a corporate governance capability is critical given the current amount of tangible risk.  Yet the type of solution needs to be different from what we have today.

The features of this new system will be:

  • Drive to business risk.  Risk must be contextualized in terms of the business.  This means reputation, revenue and operational impact.  This requires a deeper connection to the general ledger, asset database, legal context, etc.
  • Include 3rd party providers.  There is no ability to perform risk calculations without including 3rd parties.  This requires the ability to assess 3rd party platforms to collect relevant content sensitivity, controls management, and the overall real-time health of that provider.