New Challenges Require Identity-Centric Security
According to the 2016 Cloud Security Research Report by Crowd Research Partners, 91% of
organizations have security concerns about adopting public cloud, yet only 14% believe
that their existing network security tools are capable of truly protecting it.
The reality is that just as organizations were getting comfortable with security
solutions sitting at the edge of the network, the network perimeter dissolved. Users now
access SaaS applications directly from mobile devices, bypassing network-centric tools
entirely. It is not just SaaS applications either: more and more companies are lifting
and shifting workloads into IaaS environments, where the same perimeter tools never see the
traffic.
To make matters worse, good security resources are scarce. Budgets are shrinking, and
even when the money can be found, an Economist Intelligence study indicates that 66% of
cyber-security job openings cannot be filled by skilled candidates. All of this while the
sophistication of threats keeps growing.
Today's attacks have grown in sophistication. Zero-day exploits are appearing on a scale
not seen before, straining researchers' ability to identify and prevent them with
signature-based techniques; this makes anomaly detection the only way to spot the needle
in the haystack. Threats now leverage multiple vectors, breaking the attack sequence into
smaller, harder-to-identify chunks that are re-packaged and executed separately, which
makes awareness of the sequence of the attack chain critical. Attacks are now targeted
where they used to be indiscriminate, which makes user awareness and attribution
invaluable in detection. Early detection is the key to containment, because today's
attacks no longer play out in hours; they are persistent, and networks, applications and
services can be probed for days, weeks
With all of these challenges, our old network-centric tools are being asked to secure data
and assets in ways they were never designed for. Identity is the one thing that ties these
disparate worlds together. Identity context, combined with newer technologies such as
machine learning, big data and advanced analytics, allows a security professional to
centralize and normalize user activity, then correlate and analyze those user events
against cloud application, device and network events to identify anomalous and
potentially risky behavior in near real time. The outcome of that analysis drives
preventive actions to defend against current and future attacks across all of the affected
planes.
Modern Security Requires a New Detection & Response Paradigm
Historical security measures are reactive and focused on protecting the front door to
applications and data. These controls are absolutely important and required for a
defense-in-depth model, but on their own they are not sufficient against today's threats.
The demand for preventive, lean-forward security technologies is growing. Organizations
have been diligent about putting "locks and cameras" in place, but lack the ability to
correlate multiple penetration attempts, look for patterns and root cause, and predict the
next phase of the attack sequence. Security professionals are coming to accept that it is
not a matter of IF you will be attacked, but HOW frequently, and WHAT data (if any) was
compromised. This is the driver behind faster detection and response, backed by a complete
audit and analysis of the event sequence.
What is needed is a full-cycle controls environment that combines preventive and detective
solutions. Leading organizations are recognizing the need for a four-stage model: Discover,
Secure, Monitor and Respond.
Discover: To improve, you must first measure and have visibility into which services are
being used, how, and by whom. This includes visibility into both sanctioned and
unsanctioned activity, including the Shadow IT that users adopt on their own.
Secure: We still need all of the preventive controls, with proactive application and
content security, to ensure sensitive data is protected. We still need to authenticate
users and applications, authorize what they may do, and protect data with strong
application-level encryption.
Monitor: Those preventive controls are not enough on their own. We must continuously
monitor the environment to detect threats and identify anomalous activity as it occurs.
Respond: Automated response is necessary to augment already stretched security teams.
Organizations do not have the resources to detect an issue, hand it over to a forensic
professional for research, and then come up with a manual response plan for each threat.
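As an added, runnable illustration of the Monitor and Respond stages above, and of the identity-centric correlation described earlier on this page (centralizing and normalizing user activity, then correlating it against cloud application, device and network events), the following Python script is example code written for this edit; it is not part of the original page or of any vendor's product. It assumes three hypothetical feeds (a structured SaaS audit log, VPN gateway syslog lines, and an MDM device feed) whose records are constructed and made up; it joins them on identity, walks each identity's time-ordered timeline, and flags impossible travel, a burst of failures followed by a success, a SaaS login from outside an active VPN session (assuming a full-tunnel VPN), and enrollment of a device missing from the Discover baseline. It then maps findings to an assumed response playbook. The field names, thresholds and playbook actions are all assumptions to be tuned to a real environment.

```python
"""Identity-centric correlation across SaaS, VPN and device events (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample input: three sources, three different field layouts. None of this is
# real log data; identities, IPs and device IDs are made up for the example.
SAAS_LOGINS = [  # hypothetical SaaS audit log, already structured
    {"user": "alice@example.com", "ts": "2016-03-01T08:00:00", "ip": "203.0.113.10", "country": "US", "result": "success"},
    {"user": "alice@example.com", "ts": "2016-03-01T08:40:00", "ip": "198.51.100.7", "country": "RU", "result": "success"},
    {"user": "bob@example.com", "ts": "2016-03-01T09:00:00", "ip": "192.0.2.5", "country": "US", "result": "failure"},
    {"user": "bob@example.com", "ts": "2016-03-01T09:00:10", "ip": "192.0.2.5", "country": "US", "result": "failure"},
    {"user": "bob@example.com", "ts": "2016-03-01T09:00:20", "ip": "192.0.2.5", "country": "US", "result": "failure"},
    {"user": "bob@example.com", "ts": "2016-03-01T09:01:00", "ip": "192.0.2.5", "country": "US", "result": "success"},
]
VPN_LOGS = [  # hypothetical VPN gateway syslog lines: timestamp, host, then key=value pairs
    "2016-03-01T07:55:00 vpn-gw1 user=alice src=203.0.113.10 action=connect",
]
DEVICE_EVENTS = [  # hypothetical MDM feed
    {"principal": "alice@example.com", "time": "2016-03-01T08:40:05", "device_id": "dev-9f1c", "event": "enrolled"},
]
DIRECTORY = {"alice": "alice@example.com", "bob": "bob@example.com"}  # VPN username -> identity
KNOWN_DEVICES = {"alice@example.com": {"dev-1a2b"}, "bob@example.com": {"dev-3c4d"}}  # Discover baseline

MIN_TRAVEL = timedelta(hours=2)      # assumed: two countries closer than this in time is "impossible travel"
BURST_WINDOW = timedelta(minutes=5)  # assumed: failures inside this window before a success form a burst
BURST_FAILURES = 3                   # assumed: minimum failures in the window to count as a burst

@dataclass
class Event:
    identity: str          # the join key: every source is mapped onto the same identity
    ts: datetime
    source: str            # "saas" | "vpn" | "device"
    outcome: str
    ip: Optional[str] = None
    country: Optional[str] = None
    device: Optional[str] = None

@dataclass
class Finding:
    identity: str
    rule: str
    severity: str
    detail: str

def normalize(saas, vpn, device, directory):
    """Centralize and normalize: one schema, one identity key, one time-ordered stream."""
    events = []
    for e in saas:
        events.append(Event(e["user"], datetime.fromisoformat(e["ts"]), "saas", e["result"], e["ip"], e["country"]))
    for line in vpn:
        ts, _host, *kv = line.split()
        f = dict(pair.split("=", 1) for pair in kv)
        events.append(Event(directory.get(f["user"], f["user"]), datetime.fromisoformat(ts), "vpn", f["action"], f["src"]))
    for e in device:
        events.append(Event(e["principal"], datetime.fromisoformat(e["time"]), "device", e["event"], device=e["device_id"]))
    return sorted(events, key=lambda ev: ev.ts)

def detect(events, known_devices):
    """Correlate each identity's timeline across planes and flag anomalous sequences."""
    findings = []
    timelines = defaultdict(list)
    for ev in events:
        timelines[ev.identity].append(ev)
    for identity, timeline in timelines.items():
        last_success, failures, vpn_ip = None, [], None
        for ev in timeline:
            if ev.source == "vpn":
                vpn_ip = ev.ip if ev.outcome == "connect" else None
            elif ev.source == "saas" and ev.outcome == "failure":
                failures.append(ev)
            elif ev.source == "saas" and ev.outcome == "success":
                if last_success and last_success.country != ev.country and ev.ts - last_success.ts < MIN_TRAVEL:
                    findings.append(Finding(identity, "impossible_travel", "high",
                                            f"{last_success.country} then {ev.country} within {ev.ts - last_success.ts}"))
                recent = [f for f in failures if ev.ts - f.ts <= BURST_WINDOW]
                if len(recent) >= BURST_FAILURES:
                    findings.append(Finding(identity, "failure_burst_then_success", "medium",
                                            f"{len(recent)} failures then success from {ev.ip}"))
                # Assumes a full-tunnel VPN: while connected, SaaS logins should egress from the VPN address.
                if vpn_ip and ev.ip != vpn_ip:
                    findings.append(Finding(identity, "login_outside_vpn", "medium",
                                            f"SaaS login from {ev.ip} while VPN session uses {vpn_ip}"))
                last_success, failures = ev, []
            elif ev.source == "device" and ev.outcome == "enrolled" and ev.device not in known_devices.get(identity, set()):
                findings.append(Finding(identity, "unknown_device_enrolled", "medium", f"device {ev.device} not in baseline"))
    return findings

PLAYBOOK = {  # assumed automated responses per rule (the Respond stage)
    "impossible_travel": ("revoke_sessions", "require_mfa"),
    "failure_burst_then_success": ("require_mfa", "notify_user"),
    "login_outside_vpn": ("require_mfa",),
    "unknown_device_enrolled": ("quarantine_device",),
}

def plan_response(findings):
    """Aggregate findings per identity into a deduplicated, sorted list of response actions."""
    actions = defaultdict(set)
    for f in findings:
        actions[f.identity].update(PLAYBOOK[f.rule])
    return {identity: sorted(acts) for identity, acts in actions.items()}

if __name__ == "__main__":
    found = detect(normalize(SAAS_LOGINS, VPN_LOGS, DEVICE_EVENTS, DIRECTORY), KNOWN_DEVICES)
    for f in found:
        print(f"[{f.severity}] {f.identity}: {f.rule} ({f.detail})")
    print(plan_response(found))
```

Run as a script, the constructed input yields three findings for alice (impossible travel, a login from outside her VPN session, and an unknown device enrolled seconds after the suspicious login) and one for bob (a burst of failures followed by success), and the playbook collapses them into one action set per identity. The point of the design is that none of the four rules could fire on a single source alone: the VPN, SaaS and device records only become evidence once they are keyed to the same identity and read in sequence.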