Security experts from Cylance, Fortinet, Varonis and vCORE joined forces to discuss the latest challenges enterprises face along with some high-tech solutions.
vCORE Technology Partners | Nov. 20, 2018
Advances in machine learning and artificial intelligence are providing powerful new tools to help IT security professionals protect company assets and sensitive data, but the human element continues to pose significant challenges, according to a panel of experts recently assembled for the vCORE IT Security Forum in Phoenix.
Global security leaders like Cylance, Fortinet, Varonis and others are training machines to analyze massive amounts of data to detect anomalies in network traffic and computing processes, aiming to stop intruders before they compromise systems or steal information.
As a result, many IT organizations are gaining greater visibility into their complex environments and a better understanding of what data they possess and who is accessing it.
But the human element — whether it’s a lack of end-user training or a reluctance from management to invest in preventative security measures — remains a persistent source of difficulty.
“As engineers, we tend to get focused on the technical aspects, but a lot of times it’s easier to trick a human being into giving you what you want than a computer,” said Jason Graun, manager of solutions engineering for Fortinet, and one of three panelists at the vCORE forum.
Graun was joined on the panel by Cylance engineer Ryan Williams and Varonis engineer Brian Pavnick. During a 90-minute discussion moderated by vCORE Senior Security Architect Jon Bartlett, the group discussed five critical challenges many IT organizations are facing today and offered up some potential solutions.
Challenge #1 — Complex problems require a holistic approach
Too many IT organizations are focused primarily on perimeter security while neglecting the holistic approach necessary for a successful security program, the panel experts said.
“I think it’s because we’ve always done it that way, it’s just human beings getting into bad habits,” Graun said. “You need to have defense in depth, multiple controls on the end point, in the perimeter, in the middle of the network. People get lazy and I get it, it’s not a fun task.”
A certain level of paranoia is beneficial to security professionals, and IT leaders should think about security like they would their own health, Graun said.
“You can’t just say I ate a kale salad today, hence I am healthy, or I walked a mile today but then ate a Big Mac, and I’m healthy,” he said. “It’s looking at it from the moment that data is consumed by a human being all the way to how it is stored.”
Williams compared security strategy to building a Dungeons & Dragons character: You might be stronger in some places and weaker in others, but you need all the pieces to succeed.
“If you don’t, you’re not good,” Williams said. “It has to be a holistic approach.”
Implementing security measures to meet regulatory standards and compliance rules is a good start, but a mature security program should go further, panelists said. Critical pieces include not only firewalls but endpoint security, encrypted traffic analysis, application security, breach detection, identity management and more.
Challenge #2 — IoT devices introduce new attack vectors
Network-connected smart devices, from thermostats to CCTV, are revolutionizing business and home automation but at the same time can open up new vectors for attackers to exploit security weaknesses, panelists said.
“Vendors are releasing IoT devices, getting really creative in how these things can be incorporated to help businesses grow, which is fantastic, but I think we’re in a period where security is definitely the afterthought,” Pavnick said.
Businesses should vet these IoT vendors before dealing with them to ensure the vendors are taking security as seriously as possible, Pavnick said.
An example of what’s at stake? A Las Vegas casino was hacked through a temperature gauge in one of its aquariums, Pavnick said. The attackers exploited the device to gain credentials and were able to escalate and move laterally from there, he said.
Challenge #3 — Limited budget or buy-in from the business
Convincing business leaders to invest in enterprise-grade security solutions can be a challenge, especially when resources are limited and budgets are tight, panelists agreed.
“There are some who just see it as an annoying business expense, and they want to do the cheapest thing, and maybe they just want to be compliant,” Williams said. “Others get it, and they’re going to spend the money now, like they would for insurance, to make sure something doesn’t happen.”
Building a clear business case can be even more difficult for a smaller organization, because many of the enterprise tools may not be cost effective for them. Those companies often find value in a managed services provider who can leverage those tools for their clients.
“You can outsource across town to some professionals who can help leverage that kind of experience that only people who do this every single day can have,” Williams said.
For organizations at the enterprise scale, a risk management framework can help security teams prioritize their spend and speak intelligently to corporate management about security needs.
Challenge #4 — Dark data contains unknown security risks
It’s not what you know, it’s what you don’t know that is scary when it comes to IT security, according to the panelists.
Dark data, or information a business collects but does not use or may not be aware of, can introduce the risk of releasing unprotected sensitive data that the business didn’t even realize it was storing.
For example, some organizations don’t feel like they have PCI data because they don’t transact credit cards, Pavnick said. But an in-depth security assessment may tell a completely different story.
“A lot of organizations are very proud of the fact that they have outsourced credit card processing 100 percent, and then we go in and assess and find that their environment is littered with credit cards,” Pavnick said. “There are healthcare-related documents that exist in the environment, and social security numbers. When they see this, it really opens up their eyes.”
Challenge #5 — End-user mistakes
Security engineers can help a company build a network and environment that is locked down tight and has an array of amazing tools integrated into it, but a careless mistake from an end-user can expose companies to threats.
“IT in general would be easy if it wasn’t for the end-users,” Williams quipped. “There’s always going to be some responsibility for keeping the people from doing dumb things — clicking on an email they shouldn’t have or surfing something they shouldn’t have on the machine.”
CISOs can implement awareness training to help mitigate the risk, and a phone call can also become a powerful tool in thwarting scammers, Graun said.
“If it feels weird, stop, pick up that weird thing that sits on your desk — it’s called a phone — and call somebody,” he said. “Ask them, did you send this email?”
Learn more from vCORE Technology Partners
vCORE engineers don’t take a product-oriented mindset when discussing security solutions with clients, but rather listen to client needs with the goal of maturing their security program, vCORE Senior Security Architect Jon Bartlett said.
The vCORE team can help clients choose a risk management framework, go through a gap assessment for PCI or NIST standards, or have a conversation with the business to secure more budget for solutions in breach detection, firewall, data security, cloud, application security and more.