The cybersecurity environment is constantly changing. The Cipher Brief spoke with Tammy Moskites, Chief Information Officer at the cybersecurity firm Venafi, who says cybersecurity professionals must refocus on the basics and build secure systems from the bottom up with security in mind while being quick and agile to address new threats.
The Cipher Brief: How has the security landscape changed in regards to cyber? How do you see it changing moving forward?
Tammy Moskites: The security landscape is always changing. It’s never been at a standstill, and it’s changing faster than ever today. The ability to stay at least one step ahead of the bad guys is increasingly difficult, even for organizations with a lot of money and resources. The unfortunate reality is that cyber criminals are always going to be two steps ahead of us. So, from a tools perspective, cybersecurity and IT professionals really need to get back to the basics. Without a strong security foundation there is no way any organization can adapt quickly to the constant changes in the threat environment.
TCB: What are those basics, and how have we deviated from them?
TM: Business technology is changing very quickly, and every organization has a wide range of devices and infrastructure that change on a day-to-day, and sometimes even an hour-to-hour, basis. Many organizations have a lot of “shadow IT” devices that are installed in the environment without IT’s knowledge, that dramatically increase security risks. If we don’t have a good, real-time knowledge about what is on our network, or attempting to connect to our network, there is no way we can secure and protect our businesses.
It really comes down to the foundational basics of cybersecurity: a strong identity and access management programs that include securing and protecting user names, passwords, keys, certificates and domain name service (DNS). It also has to include an accurate hardware and software asset inventory and a program that keeps these assets securely configured. None of this is new or sexy, but it’s more important now than ever.
When you have a solid foundation, you can build more sophisticated security processes and technology on top, but without a solid foundation, the latest technology will not reduce your security risk in any meaningful way. This means that you have to make sure you are not only doing the right things, but doing the right things in a way that really improves your security posture. Cybersecurity professionals never intend to miss things, but at times we get distracted from the basics.
TCB: What do you think are the most significant emerging threats facing people from the cyber domain right now?
TM: Attacks on trust are a big-ticket item at the moment. The ability to use rogue and counterfeit certificates is a huge threat, because it allows bad guys to slip into your network undetected, even with the most sophisticated security technology. Cyber criminals have really started to focus on this attack vector over the last few years. Just because we check the box and put a certificate on something so we know it is encrypted, is not enough anymore. We need to realize that key and certificate information is not being tracked or managed well, so if a certificate is being used maliciously, we probably don’t have the telemetry to detect it.
There are a lot of different problems that result from weak management and security around keys and certificates. There are operational efficiencies—if a certificate expires unexpectedly, it can take down critical infrastructure. Unplanned certificate expirations may also cause connections with your customers and business partners to no longer be trusted or encrypted.
Theft or abuse of certificates and keys are a favorite attack vector for malicious insiders, because it allows them to steal information using encrypted channels. This is a very effective way to steal data, because even the most sophisticated security technology can’t see inside encrypted traffic, so it allows malicious insiders to steal data with impunity.
TCB: How are businesses adapting to these new threats? What can they do to adapt more effectively?
TM: Having a really good incident response programs is a critical component of an effective security programs. If you have a good foundation in place, you will have the information necessary to be able to react and respond in an agile manner to a wide variety of threats. Without that foundation, no matter how sophisticated your security technology is, you won’t be able to respond quickly and effectively to an attack. If you want to find out how strong your security foundation is, then test your incident response plan regularly.
TCB: What can the U.S. government do to help support businesses? Does the government have a role in helping to mitigate some of these threats? If so, what is it?
TM: Governments can help codify and disseminate effective guidelines and best practices. The problems come in when governments are tempted to set rigid guidelines on what businesses must and must not do. This approach does not work, because every organization is different, and each has a different appetite for risk. So, if you have government entities saying you must do a set of specific things, it limits organizations’ ability to build a security program that works for their unique business. Sometimes organizations may decide to be more lax with specific security controls, even though it increases security risks, in order to drive revenue; in these cases the organization may decide to adopt other, mitigating controls.
This is why testing incident response programs is crucial. Every organization needs to know that they are able to effectively monitor their infrastructure and react quickly if something should occur; especially if they’ve made some different decisions about security controls and risk.
TCB: What do you see as being the two or three key drivers of change in the security landscape right now?
TM: Fast IT, DevOps, (the collaboration between software developers and IT professionals), and the move to cloud data storage are all huge drivers for change in the security landscape, because they are pushing all kinds of business and IT boundaries. The goal for these initiatives is to be able to move very quickly to spin up infrastructure and services in near real-time. The success of these initiatives depends on the ability to be agile, but the push for speed also increases the temptation to circumvent security controls. Unless you have really good processes and procedures in place that can adapt to these extreme requirements, security will suffer.
Organizations implementing these approaches need to make sure their security controls are working in these environments. For example, DevOps teams may reuse certificates because it’s faster, even though it increases security risk significantly. Security teams needs to ask themselves how they can make security frictionless for DevOps and cloud teams. For example, are you able to quickly add and remove certificates without having to do a lot of manual touches? Do you have the information you need to be sure that rogue certificates have not crept into the development or production environments? No matter which tool and security investments are in place, we still need to verify they are actually effective; an approach that worked last year, or even last month, may not be working today.