Making sense of enterprise security

Until recently, I knew nothing about enterprise security beyond some of the more widely publicized breaches in the United States.

That said, after spending most of 2016 immersed in the space, I’ve come to appreciate just how challenging and broad an issue security has become to enterprises.

I’ve also come to believe that our best hope for solving security is by understanding humans — the perpetrators and victims of cyberattacks — and, as a result, I’m convinced that security is fundamentally a human identity problem.

A philosophical view

Human beings have a tendency to do things with technology that go beyond original intent, and this inclination should be celebrated. After all, technology continues to drive radical innovation, whether in the form of new applications, use cases or platforms.

Unfortunately, it’s also this type of behavior that makes security such a difficult problem. As individuals and organizations leverage technology for intended and unintended uses, it becomes virtually impossible to foresee all threats and vulnerabilities that surface in the process. In other words, the issue with enterprise security is that, by nature, it’s reactive. No system or asset can ever be fully secure.

An economic view

Economic theory also highlights why security has become so problematic, as it explains both market and buyer/seller dynamics.

An obvious takeaway from RSA 2016 is that the market has become incredibly saturated and fragmented. Enterprise security companies — incumbents and challengers alike — claim to offer nearly identical solutions, and collectively crowd around a handful of themes (e.g. “endpoint security leveraging machine learning”). Moreover, buyers base decisions on an established set of “signals” — most of which do more to satisfy compliance checklists than address underlying security vulnerabilities.

The saturation, fragmentation and herd-like activity is symptomatic of the uncertainty that governs market forces in security, which I think leads to irrational buying and selling behavior. A slew of offerings for practically every market segment exists because we’re still nowhere near to figuring out how best to protect enterprises.

Buyers are still willing to pay for ineffective solutions in the midst of massive breaches, and sellers continue to champion product infallibility in their marketing brochures, even though they, too, are unsure of their products’ ultimate value.

So while it’s abundantly clear that there isn’t a single silver bullet in enterprise security, we’ve reached a point where, taken in aggregate, there are apparently hundreds, if not thousands, of distinct silver bullets. Though unusual, economics suggests that this occurs when buyers and sellers operate within an environment of extreme uncertainty.

On cloud and IoT

Cloud and IoT further complicate the issue, namely by altering and expanding the total enterprise attack surface.

On cloud. The traditional (and clearly outdated) approach to security involves a single enterprise firewall that encompasses the entirety of an organization’s IT infrastructure. This approach has been made largely obsolete as companies embrace the cloud, with assets no longer centrally housed and structurally isolated.

Not only that, but with increased adoption of cloud applications, companies face unprecedented levels of IP, data and identity sprawl beyond the enterprise firewall. What is frequently touted by cloud evangelists (i.e. distribution of IT assets) creates a nightmare scenario for security professionals.

On IoT. An influx of connected devices entering the IoT ecosystem exponentially increases (1) the number of entry points exposed to breaches and (2) the permutation of paths attackers can exploit to arrive at targeted assets.

The notion that existing endpoint security solutions can effectively mitigate IoT-borne risks is hard to accept, as connected “things” are by design very different from desktop and mobile devices. IoT hardware and software come in many more shapes and sizes than those of traditional endpoints, and the absence of standardized protocols in deployment today makes it difficult to secure all assets within the IoT ecosystem. A shift toward verticalized applications and use cases suggests that even if standards are put into place, they will be somewhat federated and industry-specific.

Also, because IoT devices face limited system resources, they are incompatible with most endpoint and antivirus solutions in the market. And even if they are compatible with existing offerings, security professionals must deal with the lion’s share of devices that currently run on legacy operating systems unable to support cutting-edge technologies.

Yet what makes IoT the single biggest security risk of our generation is that attacks are no longer constrained to IT assets. Because the foundational value of IoT lies in bridging the physical-digital divide, attackers can now target operational technology (OT) to cause actual physical damage.

Again, because humans have an inclination to do things with technology that go beyond original intent, the possibilities are endless for hackers. Recent attacks targeting control systems and physical assets (e.g. vehicles, power grids, HVAC systems, dams, steel mills) only scratch the surface — it’s very possible to see how future attacks can be carried out by organized crime groups to exact injury and even death.

The enterprise view

None of this should come as news to security professionals, who know much more about the space than I do (and probably ever will). Still, I’ve observed that in most organizations, security is defined as a largely operational function, which in turn leads to reactive, incohesive decision-making.

These dynamics have become institutionalized to a point where there are now established “religions” in security, which include:

  • Network versus endpoint. A network-centric approach is mostly about capturing standardized packets, while an endpoint-centric approach is touted for securing the actual devices in which data and IP are stored
  • Detection versus prevention. Detection is focused mainly on reducing enterprise response time, while prevention is about preemptively identifying threats
  • Large versus small vendors. Large vendors are focused on providing integrated bundles of security solutions, while small vendors are more about offering individual point solutions

Relying entirely on the “religions” above to secure enterprises is dangerous, not least because attackers and threats are constantly evolving. Tactical decision-making is effective only to the extent that it’s guided by an overarching, unified enterprise security strategy.

My view

So how should companies think about approaching security at a broader strategic level? To address this question, it’s worth re-emphasizing that:

  • Security is reactive, making it virtually impossible to foresee all future threats today
  • The market is governed by uncertainty, which drives saturation, fragmentation and irrational behavior among buyers and sellers
  • Cloud and IoT make things considerably worse

The recurring theme in all this is that there are countless moving parts in enterprise security. A natural corollary to this point is that because the challenge is so dynamic, committing technological, organizational and financial resources to a specific tactic is counterproductive — and bound to fail. It’ll only be a matter of time before the next major breach renders an approach ineffective.

There is, however, an element that remains consistent throughout — that despite the uncertainty that governs market forces and recent advances in IT/OT infrastructure, human beings have been, and will always be, the ones carrying out cyberattacks.

Notwithstanding the varying motives and approaches pursued, attackers — whether they be rogue actors, corporate insiders, industry competitors, organized crime groups or nation states — can only operate within the constraints dictated by human tendencies and behavior.

With that said, I’d like to argue that security is really about understanding human beings. While there’s no shortage of attention around incorporating the most advanced technology into security solutions, I’m bullish on innovation for the sake of innovation. I feel strongly that advances are only helpful to the extent that they shed light on who the attackers are, and how they behave both inside and outside the enterprise.

This means that when addressing potential insider threats, a company needs full visibility into every employee, contractor and customer with access to its underlying assets. Growing mindshare around Identity and Access Management (IAM) is an encouraging trend, as it goes beyond solutions that are focused exclusively on the application layer.

Because identity is no longer abstracted from IT infrastructure and networking components, enterprises are able to achieve full visibility and provision, assign and manage privileges in a seamless (and hopefully automated) fashion throughout the entire stack.

To more effectively address external threats, this means that enterprises shouldn’t rely solely on a blacklist of attackers and vulnerabilities — which is as reactive as it gets — but also should proactively scour the entire threat landscape to identify attackers and their recognized patterns of behavior. Threat Intelligence is starting to address this challenge, and I’m optimistic about solutions that systematically profile and contextualize attackers with a level of detail and granularity that has never been achieved before.

While my role in enterprise security is to invest in the most promising products and technologies, my biggest takeaway over the last few months has been that security, as technical a space as it may be, is about better profiling and understanding the attackers, thus making the problem fundamentally about human identity.

A special thanks to Dan Ahn, Anirban Banerjee, Alan Boehme, Taher Elgamal and Mark Hoover for their insights, feedback and inspiration.