Keeping organizations secure in a post-Heartbleed world [Q&A]
The recent Heartbleed bug, in addition to a general rise in cybercrime activity, has led to companies scrambling to re-evaluate their online security. But how can organizations ensure that they have a consistent and reliable approach to protecting themselves?
We spoke to Tanya Bragin, the principal product manager at ExtraHop Networks, a global leader in real-time wire data analytics for IT operational intelligence, to find out.
BN: How can organizations ensure that they're properly protected in the wake of Heartbleed?
TB: Cataloging all affected servers can be an onerous audit task, especially for a large or distributed IT organization. In one case, we heard from the CISO of a large online company who had spent the 48 hours since the vulnerability came to light running port scans on all of the company’s systems. While the CISO reported that the scans had thus far been successful because none of their systems had gone down (the fear of the DevOps team), every passing minute without a complete understanding of the vulnerabilities in their architecture exposed them to risk.
While traditional approaches to security monitoring, visible in the previous CISO use-case, certainly play an important role in detecting threats, the Heartbleed vulnerability underscores the limitations of these systems. The port scans performed by these systems impose a considerable burden on the network, and take time to identify vulnerabilities. In this situation, the most scalable way to understand what systems are affected is to evaluate communication choke points, rather than individual hosts. Wire data is the most comprehensive source of visibility into these choke points because it offers an unbiased view of all traffic moving across the wire. Employing solutions that provide this deep, cross-tier visibility are crucial in making sure that Heartbleed and other vulnerabilities are detected rapidly and without impacting network performance.
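The choke-point approach described above can be illustrated with a small passive check over captured TLS bytes. The following is an added example, not ExtraHop's product or any code from the interview: it splits a captured stream into TLS records, notes which servers' ServerHello advertises the RFC 6520 heartbeat extension (so they can be verified first, without port-scanning every host), and counts heartbeat records whose declared payload length cannot fit in the record, which the RFC says a receiver must discard. The flows, addresses and record bytes are constructed test vectors; the functions and constants are the example's own.

```python
import struct
from typing import Dict, List, Tuple

TLS_HANDSHAKE = 22
TLS_HEARTBEAT = 24
HANDSHAKE_SERVER_HELLO = 2
HEARTBEAT_EXTENSION = 0x000F   # RFC 6520 extension type
HEARTBEAT_MIN_PADDING = 16     # RFC 6520: at least 16 bytes of padding per message


def split_records(data: bytes) -> List[Tuple[int, int, bytes]]:
    """Split a captured byte stream into (content_type, version, payload) TLS records.
    A truncated trailing record ends parsing instead of being guessed at."""
    records = []
    offset = 0
    while offset + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[offset:offset + 5])
        payload = data[offset + 5:offset + 5 + length]
        if len(payload) < length:
            break
        records.append((ctype, version, payload))
        offset += 5 + length
    return records


def server_hello_has_heartbeat(payload: bytes) -> bool:
    """True if a handshake record carries a ServerHello whose extension list includes
    heartbeat. Assumes the ServerHello is not fragmented across records."""
    if len(payload) < 4 or payload[0] != HANDSHAKE_SERVER_HELLO:
        return False
    body = payload[4:4 + int.from_bytes(payload[1:4], "big")]
    pos = 2 + 32                       # server_version + random
    if pos >= len(body):
        return False
    pos += 1 + body[pos]               # session_id
    pos += 2 + 1                       # cipher_suite + compression_method
    if pos + 2 > len(body):
        return False                   # no extensions block at all
    ext_len = int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    end = min(pos + ext_len, len(body))
    while pos + 4 <= end:
        ext_type = int.from_bytes(body[pos:pos + 2], "big")
        ext_size = int.from_bytes(body[pos + 2:pos + 4], "big")
        if ext_type == HEARTBEAT_EXTENSION:
            return True
        pos += 4 + ext_size
    return False


def heartbeat_is_malformed(payload: bytes) -> bool:
    """Declared payload_length plus header and mandatory padding exceeds the record.
    RFC 6520 requires a receiver to silently discard such a message, so seeing one
    on the wire is worth an alert regardless of how the server actually reacts."""
    if len(payload) < 3:
        return True
    declared = int.from_bytes(payload[1:3], "big")
    return declared + 3 + HEARTBEAT_MIN_PADDING > len(payload)


def audit_stream(data: bytes) -> Dict[str, object]:
    """Summarise one captured conversation from the choke point."""
    summary = {"advertises_heartbeat": False, "heartbeat_records": 0, "malformed_heartbeats": 0}
    for ctype, _version, payload in split_records(data):
        if ctype == TLS_HANDSHAKE and server_hello_has_heartbeat(payload):
            summary["advertises_heartbeat"] = True
        elif ctype == TLS_HEARTBEAT:
            summary["heartbeat_records"] += 1
            if heartbeat_is_malformed(payload):
                summary["malformed_heartbeats"] += 1
    return summary


def shortlist_servers(flows: Dict[str, bytes]) -> List[str]:
    """Servers whose ServerHello advertises heartbeat, i.e. the hosts to verify first.
    Advertising the extension is not proof of vulnerability (a patched build may still
    negotiate it); it only narrows the list that needs patch-level verification."""
    return sorted(s for s, data in flows.items() if audit_stream(data)["advertises_heartbeat"])


# --- constructed test vectors (not real traffic) ---------------------------------
def _rec(ctype: int, payload: bytes) -> bytes:
    return bytes([ctype]) + b"\x03\x01" + len(payload).to_bytes(2, "big") + payload


def _server_hello(extensions: bytes) -> bytes:
    body = b"".join([b"\x03\x01", b"\x11" * 32, b"\x00", b"\x00\x2f", b"\x00",
                     len(extensions).to_bytes(2, "big"), extensions])
    return _rec(TLS_HANDSHAKE, bytes([HANDSHAKE_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body)


HB_EXT = b"\x00\x0f\x00\x01\x01"  # heartbeat extension, mode peer_allowed_to_send

# 10.0.0.5 negotiates heartbeat and then sees one consistent heartbeat record and one whose
# length fields disagree; 10.0.0.9 never advertises the extension. Addresses are made up.
SAMPLE_FLOWS = {
    "10.0.0.5:443": _server_hello(HB_EXT)
        + _rec(TLS_HEARTBEAT, b"\x01\x00\x04" + b"ping" + b"\x00" * 16)
        + _rec(TLS_HEARTBEAT, b"\x01\x00\x40" + b"ping" + b"\x00" * 16),
    "10.0.0.9:443": _server_hello(b""),
}

if __name__ == "__main__":
    for server, data in SAMPLE_FLOWS.items():
        print(server, audit_stream(data))
    print("verify first:", shortlist_servers(SAMPLE_FLOWS))
```

Because the parser only reads what is already crossing the wire, it adds no load to the hosts themselves; the cost is the capture point, which is exactly the trade the answer above argues for.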
BN: What if your web servers are outsourced to a third party?
TB: If your infrastructure is outsourced, your options may be limited since you are now reliant on the third party provider to evaluate and monitor their servers for this vulnerability. Selection criteria for managed services need to include access to tools that provide uniform visibility into an environment. Ideally, the solution in place is an easily extensible platform, able to monitor a variety of environments in a vendor-agnostic manner and be adjusted to handle unexpected use cases.
BN: Have recent events dented consumer confidence in ecommerce and what can be done to rebuild it?
TB: In the wake of recent high profile security breaches, consumer confidence in ecommerce companies has diminished. While these breaches should have motivated consumers to be more careful with what data they expose and how they protect it (i.e. strengthening and diversifying their passwords), ecommerce companies still bear significant responsibility for protecting the data consumers entrust to them.
Between the blow to consumer confidence and the subsequent lawsuits resulting from these data breaches, ecommerce companies, regardless of whether they have been affected, need to take a critical look at their security protocols. Internally assigning blame -- with the operations team blaming security, security blaming operations, and everyone trying to point the finger at the security vendor -- is not going to improve confidence. Instead, these companies must adopt a proactive, integrated approach by taking security into account at all levels, from development and test through to day-to-day IT ops.
BN: What is the main lesson that businesses should take away from Heartbleed?
TB: The threat landscape is constantly evolving, and vulnerabilities may crop up in the places you least expect them. Heartbleed is a prime example of this. In order to deal with new, advanced and persistent threats, IT teams need to rethink their approach to security for their networks, data and applications. Keeping security siloed from operations is no longer an option. Much like development/test and operations have become increasingly interconnected in recent years, resulting in DevOps, operations and security teams benefit from a more collaborative approach. The reality is that security and operations teams share a common goal -- maintaining the integrity and availability of the organization's IT assets. If security is compromised, so is availability. Simply notifying the security team when a potential breach is detected is not sufficient. Operations needs to take a more active role in identifying the genesis of the breach, and then work collaboratively with the security team to remediate it.
BN: How do you see the overall threat landscape changing? How much of this is driven by new service models like BYOD?
TB: The complexity, dynamism and decentralization of today’s IT environments not only opens the door for new vulnerabilities and exploits, it makes preventing, detecting and neutralizing potential threats a complex task. BYOD is a good example. As individuals increasingly demand to use their personal devices in the workplace, controlling which devices access the network, data and applications is no longer simple. In order to prevent a potential breach, IT teams need the means to pervasively and persistently monitor which devices are connecting and from where, and then track how and to what extent they are accessing applications and data. If, for example, the NSA was equipped with a way to monitor which data Edward Snowden was accessing (and how much of it), they might have been notified of the anomalous behavior before it turned into one of the most infamous security debacles in history.
Likewise, things like public cloud are also transforming the way organizations are thinking about security. Hosting applications in public clouds like AWS makes many IT teams nervous, knowing that they will lose a certain degree of control over the performance, availability and security of those applications. As with the BYOD problem, the resolution really comes down to visibility. Solutions like CloudWatch exist to help internal IT teams monitor their workloads running in AWS. A wire data analytics platform like ExtraHop can be deployed to extend the functionality of CloudWatch to deliver real-time, pervasive monitoring of applications running in the cloud, thereby enabling IT and security teams to detect anomalous behavior early.
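The BYOD passage above asks for two signals: which devices a user connects from, and how much data they pull from an application compared with their own history. The following is an added example, not ExtraHop's product or any code from the interview, showing the simplest form of both checks over constructed per-day access records: a device not previously seen for that user, and a daily volume that exceeds a multiple of the user's own median. The log format, user names, devices and thresholds are assumptions made for the example.

```python
import re
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: one line per user/device/app/day, plus one garbage line
# to show that malformed input is skipped and counted rather than crashing the run.
SAMPLE_LOG = """\
2014-04-01 user=alice device=laptop-01 app=fileshare bytes=1000000
2014-04-01 user=bob device=desktop-07 app=fileshare bytes=500000
2014-04-02 user=alice device=laptop-01 app=fileshare bytes=1200000
2014-04-02 user=bob device=desktop-07 app=fileshare bytes=500000
2014-04-03 user=alice device=laptop-01 app=fileshare bytes=900000
2014-04-03 user=bob device=desktop-07 app=fileshare bytes=500000
2014-04-04 user=alice device=laptop-01 app=fileshare bytes=1100000
2014-04-04 user=bob device=desktop-07 app=fileshare bytes=600000
this line is garbage and must be skipped
2014-04-05 user=alice device=laptop-01 app=fileshare bytes=1000000
2014-04-06 user=alice device=usb-laptop app=fileshare bytes=60000000
"""

LOG_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) user=(?P<user>\S+) device=(?P<device>\S+) "
    r"app=(?P<app>\S+) bytes=(?P<bytes>\d+)$"
)


def parse_log(text: str) -> Tuple[List[dict], int]:
    """Return (events, skipped_line_count). Lines that do not match the format are skipped."""
    events, skipped = [], 0
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            skipped += 1
            continue
        ev = m.groupdict()
        ev["bytes"] = int(ev["bytes"])
        events.append(ev)
    return events, skipped


def daily_volume(events: List[dict]) -> Dict[Tuple[str, str], Dict[str, int]]:
    """(user, app) -> {day: total bytes}, summing multiple records per day."""
    totals: Dict[Tuple[str, str], Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for ev in events:
        totals[(ev["user"], ev["app"])][ev["day"]] += ev["bytes"]
    return totals


def find_volume_anomalies(events: List[dict], factor: float = 5.0, min_history: int = 3):
    """Flag a day whose volume exceeds `factor` times the median of that user's earlier
    days for the same app. Needs `min_history` prior days so a new user is not flagged
    on day two for being slightly busier than day one."""
    flagged = []
    for (user, app), by_day in daily_volume(events).items():
        days = sorted(by_day)
        for i in range(min_history, len(days)):
            baseline = statistics.median([by_day[d] for d in days[:i]])
            today = by_day[days[i]]
            if today > factor * baseline:
                flagged.append((user, app, days[i], today, baseline))
    return flagged


def find_new_devices(events: List[dict]) -> List[Tuple[str, str, str]]:
    """Flag (user, device, day) the first time a user appears from a device other than
    the ones already seen for them. A user's very first device is never flagged."""
    seen = defaultdict(set)
    flagged = []
    for ev in sorted(events, key=lambda e: e["day"]):
        devices = seen[ev["user"]]
        if devices and ev["device"] not in devices:
            flagged.append((ev["user"], ev["device"], ev["day"]))
        devices.add(ev["device"])
    return flagged


if __name__ == "__main__":
    evs, bad = parse_log(SAMPLE_LOG)
    print(f"parsed {len(evs)} events, skipped {bad}")
    for hit in find_volume_anomalies(evs):
        print("volume:", hit)
    for hit in find_new_devices(evs):
        print("new device:", hit)
```

The two checks are deliberately independent so that each can fire on its own; in the sample the same day trips both, which is the combination the answer above describes as the one worth being notified about early.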
BN: Are there additional risks associated with businesses moving to the cloud and to SaaS platforms?
TB: Yes. That risk is "uniformity". Economies of scale in SaaS and cloud necessitate streamlining and homogenizing solution stacks and environments in order to deliver infrastructure and services in a cost-effective manner. However, from the perspective of an attacker, their job just got easier! They now have to find vulnerabilities in a much smaller subset of software. By infiltrating one cloud or service provider, they gain access to numerous organizations’ resources and information.