WHITE PAPER

PROTECTING MODERN IT

PRIORITIZATION IS KEY FOR SECURITY AT SCALE


OVERVIEW

Security teams today face a daunting task: protect infrastructures that have a level of complexity never seen before.

Many organizations are finding that the increased efficiency gained from new technologies is critical in order to remain competitive, and these technologies underpin many key business and operational innovations. The number of devices, identities and systems that interact, whether from inside or outside the corporate firewall, is growing rapidly. This is driven by factors such as increased collaboration in the cloud, the mobility of sales and operations teams, an expanding number of internet-capable devices and sensors, and an expanding number of privileged external users.

The explosion in the number of devices, identities and systems isn’t just transforming business; it’s also transforming security due to challenges related to scale and complexity. Modern organizations have a huge and still-growing attack surface, and with it an assortment of weak points an attacker can exploit to enter an environment.

Yesterday’s security tools are not effective at keeping today’s organizations safe, and neither is yesterday’s security strategy. With a misinformed legacy view that no data loss is acceptable and all data should be equally protected, some organizations are suffering from security fatigue. In spite of intense, prolonged effort, they are unable to effectively manage risk and protect their most important data.

Modern organizations are beginning to realize that all data is not created equal. They are prioritizing and dedicating a higher level of protection to sensitive information such as competitive intelligence or personal information about employees and customers. They are working with operational leaders to identify where that sensitive data lives in the infrastructure. They are focused on protecting what matters most, and recognize that prioritization is key.

In short, security teams at modern organizations are moving toward a business-driven security strategy, developed in collaboration with the broader IT team and operational leaders, that prioritizes security efforts by connecting security risk to business and operational risk. And they are implementing tools that align with that strategy. Business-driven security is the concept of creating an explicit linkage between what security technology is telling you and what that means in terms of business risk. It mandates a new way of thinking about how to protect what matters most to your organization. Many security strategies have grown by reacting to a new threat or to a security incident that negatively impacted the organization. With zero-day attacks happening every day, we don’t really know what type of threat we will be up against next. What we do know is what systems, processes and data are most important to our organization, and we absolutely have the ability to identify those critical areas and proactively align our security strategy to them.

IT FOR THE MODERN ORGANIZATION

Modern organizations are deriving efficiency and agility from four key IT trends:

• Cloud

• Mobility

• Internet of Things (IoT) / Cyber Physical Convergence

• Third-Party Access

CLOUD CONVENIENCE BYPASSES IT

Cloud technologies provide enterprises with anytime/anywhere access to key applications, services and platforms. Cloud systems are typically housed in mature data centers with excellent uptime. Cloud vendors often take on the burden of user support, relieving weary help desks. Many cloud vendors use monthly subscription payment models to absorb some or all implementation costs, which minimizes initial financial barriers.

In fact, all of this convenience is at the heart of the problem. Vendor selection decisions tend to be departmental or decentralized. Cloud systems can often be purchased and implemented while bypassing formal approval channels and without the knowledge of IT, a practice that is called Shadow IT. Operational processes, such as formal sourcing processes, budgeting or implementation support, would normally pull IT and security teams into the tool selection conversation or alert IT to a tool’s existence, but that is often not the case with cloud technology. Typically accessed through the user’s browser, cloud systems may not even require a user to install software.

Malicious insiders and other attackers can take advantage of Shadow IT. Cloud systems often interact with other business and operations systems or are used to store the organization’s valuable data such as information about prospects and customers. Attackers attempt to compromise cloud systems in order to steal proprietary or confidential information without triggering attention from network monitoring technology. Further, data can be orphaned in the cloud when a user’s relationship with the provider has ended. Without knowing the cloud is being used, IT can’t properly decommission the cloud system.

Modern organizations must gain visibility into the cloud infrastructure and services being used and employ appropriate controls.

MOBILE ACCESS INCREASES PRODUCTIVITY AND RISK

Many modern organizations use mobile technologies to allow employees and other users to work remotely from devices that may or may not have been issued by the organization. Many enterprises now allow users to access the organization’s information from personal devices, a practice known as “Bring Your Own Device” or BYOD. Two primary variables create mobile security risks: devices and connections. Users may rely on a device and/or connection that is not owned, managed or controlled by the organization.

While organizations are monitoring their own devices, with the increased use of personal devices they must begin monitoring activity for all devices from which organizational data is accessed. In part, modern organizations are working to identify the business data that is accessed by and saved to mobile devices. Then, in the event of a user’s departure or a security incident involving a mobile device, the resulting business and operational risks from the compromise of that data are understood. A security team can use this knowledge of what is accessed to help reconstruct a security incident. In addition, an organization’s administrator can use remote wipe technology to delete organizational data stored on a device when needed, for instance when an employee leaves the company. Remote wipe only takes effect on a device that is enrolled in management and that comes online to receive the command, so deletion is immediate only while the device remains reachable.

INTERNET OF THINGS: THE NEXT INDUSTRIAL REVOLUTION?

It seems that everything sold today that could potentially have an internet connection does. In the consumer setting, this includes dolls, baby monitors, medical devices, refrigerators and connected vehicles, to name a few. The impact is no less striking in work settings where printers, environmental controls and equipment are internet-enabled. Many of these devices send a stream of information about business and operational activities across the internet to vendor databases where that information is harvested for insights. In fact, some are calling the Internet of Things (IoT) the “Next Industrial Revolution” because the access to detailed performance data promises to dramatically increase the production and efficiency of manufacturing and physical systems.

Because so many devices are now capable of connecting to the internet, organizations must put in place a much broader security strategy that takes into consideration the diversity of devices, platforms and operating systems and the massive quantity and new types of data generated by IoT devices. This strategy also must consider the pervasive connectivity of these devices, the ability to maintain a constant connection to the outside world, which means 24x7 penetration of the perimeter.

While organizations continue to defend traditional systems, such as phone systems, laptops and applications, they must also now defend against potential attacks on smart electrical systems and connected heating, cooling and video surveillance systems. They must defend connected industrial equipment and handheld devices. Because many IoT technologies interact with physical environments, an attacker could create a real or spoofed emergency. For instance, an attacker could interrupt operations with a false alert on an environmental system or increase the real-world temperature in industrial freezers or on assembly line equipment. An attacker could force the evacuation of a building or use IoT access to jump to an unrelated system.


Modern organizations understand that IoT cyber attacks can have physical impacts and are considering how to manage the security of these devices at scale.

THIRD-PARTY ACCESS CREATES SECURITY PIVOT POINTS

In the last decade, many organizations have increased their use of external partners, vendors and consultants. For instance, third parties may be called upon to provide support during a busy season, to offer expertise during the deployment of an enterprise tool, or to manage a freestanding piece of operations that doesn’t require significant integration with in-house teams. This practice may allow modern organizations to better focus on core activities, may provide access to expensive expertise that is lacking in-house, or may reduce costs as the organization avoids creating full-time roles for part-time needs.

The problem is that modern organizations provide third parties with access that attackers can potentially use as a conduit into an organization’s infrastructure, and it is difficult to determine whether the third party is protecting data from unauthorized access, use and disclosure. On the other hand, organizations may have access to the third party’s systems, access that an attacker can use as a conduit back into the third party’s network. The security of each organization is vitally linked to the other.

Modern organizations are considering how to defend against attackers that use third-party access to compromise the organization or that use an organization’s access to third-party systems to compromise the third party.

RESULT: MASSIVE EXPANSION OF ATTACK SURFACE

All four technology trends are expanding the attack surface of the modern enterprise, and each introduces a level of complexity that at first might not be obvious.

Traditional security strategies are proving ineffective because they rely on creating a perfect perimeter to prevent attacks, rather than managing attacks based on business and operational risk. Another fault line is that traditional security protects all assets equally, which isn’t feasible when the number of assets to be protected is increasing so rapidly. In addition, some core systems that were exempt in the past from security testing or patching need to be scrutinized.

Many security teams are asking their operational leaders new questions, such as:

• Which information or systems are the most sensitive or most important to protect?

• What is the potential impact if attackers obtain that data or can manipulate those systems (e.g., an inability to meet customer obligations, notification to regulators, interruption to normal operation, reputational impact)?

The true impact of these modern security challenges is sometimes only realized in the event of a security incident, when organizations are unable to readily answer the most important question: How bad is it?


MODERN SECURITY STRATEGY

SECURITY PILLARS: VISIBILITY, CONTEXT, RAPID INSIGHT AND APPROPRIATE RESPONSE

As security strategy shifts from creating an impenetrable perimeter to managing a dynamic, distributed infrastructure, four pillars of modern security are coming into play:

• Full Visibility. The security team must be able to see what’s happening in the enterprise at all times—across business processes, networks, devices, people and transactions. Only with that 360-degree ability can you identify security risks across the whole business environment. Too many security monitoring strategies today have an overreliance on a single data source (e.g., logs), which provides an incomplete picture of the organization’s attack surface from the endpoint to the cloud.

• Rapid Insight. Faster time to insight, through better analytics and detection capabilities, is paramount in the modern business environment of external business partners, cloud computing, personal devices and the like, where plenty of unusual behavior will be harmless and plenty will not. The acceptable “time to insight” for security teams is shrinking toward zero. The more time you need to interpret an event, the greater your risk can be.

• Efficient, Comprehensive Response. Today, security teams take the findings from their security tools and remediate in a highly manual way that doesn’t scale. The most effective way to turn insights into action is to orchestrate and automate response. When you spot a user acting suspiciously, you can enable the control plane of identity to go into action, stepping up authentication to ensure that you are confident this user is legitimate.

• Business Context. The security team can’t rely only on seeing what is happening on its network and among its system users; they must be able to interpret those events quickly and understand the criticality of the systems and/or processes affected. This contextual intelligence facilitates faster and better decisions. If you’re an analyst, understanding business context (such as the criticality of an asset) can help you determine how urgently you should escalate incidents.
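Business context is what turns one technical severity into different urgencies. The following is an added example, not code from this paper or from any RSA product: a small triage routine that scores constructed alerts against a constructed asset inventory. The host names, criticality and sensitivity values, tier thresholds and response actions are all assumptions for illustration. Hosts missing from the inventory receive a neutral weight rather than being dropped, because an incomplete inventory is the usual failure mode of context-based prioritization.

```python
"""Alert prioritization by business context.

Added example, not code from the RSA paper or an RSA product. The asset
inventory, alerts, scoring formula and response tiers are constructed
assumptions illustrating one idea: the same technical severity gets a
different urgency depending on what the affected asset means to the business.
"""
from dataclasses import dataclass

# Constructed asset inventory supplying business context per host.
# criticality: operational importance 1-5; sensitivity: data sensitivity 1-5.
ASSETS = {
    "crm-db-01":     {"criticality": 5, "sensitivity": 5, "owner": "sales-ops"},
    "hvac-ctl-03":   {"criticality": 4, "sensitivity": 1, "owner": "facilities"},
    "dev-laptop-17": {"criticality": 2, "sensitivity": 2, "owner": "engineering"},
}

# Neutral context for hosts missing from the inventory: an incomplete
# inventory must never cause an alert to be silently deprioritized.
UNKNOWN_ASSET = {"criticality": 3, "sensitivity": 3, "owner": "unknown"}


@dataclass(frozen=True)
class Alert:
    host: str
    user: str
    detection: str
    severity: int  # 1 (low) .. 5 (critical), as emitted by the detection tool


def business_weight(host, assets=ASSETS):
    """Weight 1..5: the larger of the asset's criticality and data sensitivity."""
    ctx = assets.get(host, UNKNOWN_ASSET)
    return max(ctx["criticality"], ctx["sensitivity"])


def score(alert, assets=ASSETS):
    """Risk score 1..25: technical severity scaled by business weight."""
    if not 1 <= alert.severity <= 5:
        raise ValueError("severity must be 1..5")
    return alert.severity * business_weight(alert.host, assets)


def triage(alert, assets=ASSETS):
    """Map the score to an escalation tier and an orchestrated response (assumed tiers)."""
    s = score(alert, assets)
    if s >= 20:
        tier, action = "P1", "page on-call; isolate host; require step-up authentication for user"
    elif s >= 12:
        tier, action = "P2", "require step-up authentication for user; analyst review within 1 hour"
    elif s >= 6:
        tier, action = "P3", "queue for next-business-day review"
    else:
        tier, action = "P4", "record only"
    owner = assets.get(alert.host, UNKNOWN_ASSET)["owner"]
    return {"host": alert.host, "user": alert.user, "detection": alert.detection,
            "score": s, "tier": tier, "action": action, "owner": owner}


def prioritize(alerts, assets=ASSETS):
    """Return triage records, most urgent first."""
    return sorted((triage(a, assets) for a in alerts), key=lambda r: -r["score"])


# Constructed alerts: a similar "unusual login" detection fires on four hosts.
SAMPLE_ALERTS = [
    Alert("dev-laptop-17", "j.doe", "impossible-travel login", 4),
    Alert("crm-db-01", "svc-report", "impossible-travel login", 3),
    Alert("hvac-ctl-03", "vendor-tech", "new admin session from unknown IP", 3),
    Alert("print-srv-09", "a.kim", "impossible-travel login", 2),  # not in inventory
]

if __name__ == "__main__":
    for rec in prioritize(SAMPLE_ALERTS):
        print(f'{rec["tier"]} score={rec["score"]:2d} {rec["host"]:14s} '
              f'{rec["detection"]} -> {rec["action"]}')
```

Run stand-alone, the medium-severity alert on the CRM database (score 15) and the one on the building controller (12) come out ahead of the higher-severity alert on a developer laptop (8): the detection tool's severity alone would have ordered them the other way round.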

FOCUSES: TECHNOLOGY, PEOPLE AND PROCESSES

Traditional security strategy has typically been an afterthought, focused almost exclusively on protecting technology and systems that had already been put in place. Business initiatives were and in many instances still are developed without considering the cyber risk exposure associated with them. In fact, many organizations have not even gone through the exercise to determine what their cyber risk appetite is.

Security strategy for modern organizations should encompass people and processes in addition to IT, to identify human risk and to shore up any process weaknesses. One of the most important things to note here is that cyber risk must include both intentional and unintentional scenarios. And even as new attack tactics become more sophisticated and diverse, identity continues to be the most consequential threat vector.


CAPABILITIES NEEDED FOR A MODERN DEFENSE

Modern organizations are increasing operational efficiency and bolstering cybersecurity by adding capabilities that defend against cloud, mobile and IoT risks as well as risks caused by third-party users.

Cloud

Make identity management consistent across cloud, mobile and on-premises systems.

Most organizations are already working to retire any monolithic, application-specific, on-premises identity management tools, because such systems create islands of identity, or identity silos, and those silos carry risk because there is no visibility across them. Many organizations are also considering how to get a unified view, for instance through Identity as a Service, of anomalous activity on on-premises systems, cloud infrastructure and cloud services.

Large organizations increase efficiency by centrally managing user privileges and using an authentication method that allows a user to log into multiple applications seamlessly with a single sign-on. By provisioning and deprovisioning users centrally, the risk that a user’s access to one application is accidentally preserved when other access is removed is greatly reduced. It is not eliminated: accounts created locally in applications that are not integrated with the central directory are untouched by central deprovisioning and still have to be reconciled against the authoritative list of identities.

Gain visibility into Shadow IT and the use of cloud systems.

Organizations need to assess the degree to which Shadow IT is an issue and answer key questions such as:

• What organizational information is accessed or housed by the system?

• Who can access it, including external users?

• What security measures does the cloud application or service vendor use? Are the connections trusted?

• Can the vendor pass the usual sourcing security evaluation?

Security tools that offer network monitoring can be very helpful in identifying Shadow IT.
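Network monitoring can surface Shadow IT because the traffic is visible even when the purchase was not. The following is an added example, not code from this paper or from an RSA product: it parses a constructed forward-proxy log, skips traffic to services on a constructed sanctioned list, and aggregates the remaining traffic to domains that a hypothetical cloud-service categorization flags, counting distinct users, requests and bytes uploaded per service. The log format, the domain names and the categorization list are assumptions; in practice the categorization would come from a CASB or URL-classification feed and the sanctioned list from the application inventory.

```python
"""Finding Shadow IT in proxy logs.

Added example, not from the RSA paper or an RSA product. The log format, the
sanctioned-service list and the cloud-service domains are constructed
assumptions standing in for a real proxy export, the approved-application
inventory and a URL-categorization feed.
"""
import re
from collections import defaultdict

# Constructed forward-proxy log: time user src_ip method destination_host bytes_sent
PROXY_LOG = """\
2017-10-03T08:12:01Z alice 10.1.4.22 POST upload.filedrop.example 5242880
2017-10-03T08:13:44Z alice 10.1.4.22 GET www.news.example 1024
2017-10-03T09:02:10Z bob 10.1.7.9 POST upload.filedrop.example 20971520
2017-10-03T09:30:55Z carol 10.1.2.31 PUT team.notes-share.example 307200
2017-10-03T10:05:12Z dave 10.1.9.4 POST crm.approved-saas.example 8192
this line is malformed and must be skipped
2017-10-03T11:45:00Z bob 10.1.7.9 GET team.notes-share.example 512
"""

# Services the organization has formally approved (constructed).
SANCTIONED = {"crm.approved-saas.example", "mail.corp.example"}

# Hypothetical "cloud storage / collaboration" categorization, keyed on the
# registrable domain so that every subdomain of a service is caught.
CLOUD_SERVICE_DOMAINS = {"filedrop.example", "notes-share.example", "approved-saas.example"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<src>\S+) (?P<method>[A-Z]+) "
    r"(?P<host>[A-Za-z0-9.-]+) (?P<bytes_sent>\d+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, None otherwise (malformed lines are skipped, not fatal)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes_sent"] = int(rec["bytes_sent"])
    rec["host"] = rec["host"].lower().rstrip(".")
    return rec


def registered_domain(host):
    """Naive registrable-domain extraction (last two labels). Enough for the
    constructed data; a real tool would consult the public suffix list."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def find_shadow_it(log_text, sanctioned=SANCTIONED, cloud_domains=CLOUD_SERVICE_DOMAINS):
    """Aggregate traffic to cloud services that are not on the sanctioned list.

    Returns {host: {"users": [...], "requests": n, "bytes_sent": n, "uploads": n}},
    where uploads counts POST/PUT requests, the ones that move data out.
    """
    agg = defaultdict(lambda: {"users": set(), "requests": 0, "bytes_sent": 0, "uploads": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        host = rec["host"]
        if host in sanctioned or registered_domain(host) not in cloud_domains:
            continue
        entry = agg[host]
        entry["users"].add(rec["user"])
        entry["requests"] += 1
        entry["bytes_sent"] += rec["bytes_sent"]
        if rec["method"] in ("POST", "PUT"):
            entry["uploads"] += 1
    # Freeze the user sets into sorted lists so the result is deterministic.
    return {h: {**e, "users": sorted(e["users"])} for h, e in agg.items()}


if __name__ == "__main__":
    report = find_shadow_it(PROXY_LOG)
    for host, e in sorted(report.items(), key=lambda kv: -kv[1]["bytes_sent"]):
        print(f'{host}: users={e["users"]} uploads={e["uploads"]} bytes_sent={e["bytes_sent"]}')
```

Ranking the unsanctioned services by bytes sent outward is what makes the output actionable: the file-sharing service that two users pushed 25 MB to is the one to chase first, and the user list tells you which department to talk to about a sanctioned alternative.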


Mobile

Monitor all mobile endpoints including BYOD.

Modern organizations are beginning to monitor activity for all mobile devices from which organizational data is accessed, regardless of who owns the device. Organizations are identifying the data that is accessed by and saved to these devices to better understand business and operational risk.

In addition, many businesses are implementing remote wipe so an administrator can immediately eliminate mobile access to organizational data if needed.

Leverage mobile capabilities to improve and expand authentication.

Modern organizations should consider the benefits of modern, next-generation authentication.

Organizations that have a large number of users working off site should consider taking advantage of mobile as a second authentication factor. A compromised password alone is then no longer enough to authenticate: an attacker who has obtained the password can linger in a system or network only for as long as an already established session lasts, and cannot log in again at the next session without also controlling the user’s mobile factor.

In addition, mobile devices offer inherent biometric and haptic capabilities that can become part of the authentication process. In this way, all mobile device users can operate more securely, without significant additional effort.

IoT

Discover and monitor IoT devices on the network.

Modern organizations need to discover and monitor the connected and smart devices on their networks and understand the extent of IoT activity in connecting to systems and recording and storing business information.

Control access to configure and manage IoT devices.

IoT devices should be considered as identities on the network since they are granted access to network resources, and organizations should ask the same types of access questions posed for other user types. For instance, do these devices need to be deprovisioned at times and what is the process for doing that? What level of authorization do they need and to which systems?


Third Parties

Manage the identity of third party users throughout the identity lifecycle.

As with employees, a third party’s role and responsibilities in an organization changes over time. All identities, including those for third parties, should be actively managed and periodically reviewed throughout the identity lifecycle. Organizations should also require the same security rigor for external users who access sensitive systems and data as is required for employees.

Organizations need to consider the volume of third-party provisioning, management and deprovisioning when selecting identity tools because not all are built for scale.
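Central deprovisioning (see the cloud section above) reduces orphaned access but does not remove the need to check for it, and the check is the same for employees, third parties and device identities. The following is an added example, not code from this paper or from an RSA product: it reconciles a constructed application account export against constructed authoritative identity records, the kind an HR and vendor-management extract would provide, and flags accounts with no identity behind them, accounts of terminated or retired identities, contractor accounts past their contract end date, and dormant privileged accounts. The names, dates, applications and the 90-day dormancy threshold are assumptions.

```python
"""Identity lifecycle reconciliation for employees, third parties and devices.

Added example, not from the RSA paper or an RSA product. The identity records,
the application account export, the review date and the dormancy threshold are
constructed assumptions. The check finds accounts that outlived the identity,
the contract, or any recent use.
"""
from datetime import date, timedelta

# Constructed authoritative identity records. Third parties carry a contract
# end date; devices (IoT) are identities too, with an end date when retired.
IDENTITIES = {
    "alice":       {"type": "employee",   "status": "active"},
    "bob":         {"type": "employee",   "status": "terminated", "end": date(2017, 8, 31)},
    "vendor-tech": {"type": "contractor", "status": "active",     "end": date(2017, 9, 30)},
    "auditor-1":   {"type": "contractor", "status": "active",     "end": date(2018, 3, 31)},
    "hvac-ctl-03": {"type": "device",     "status": "active"},
    "cam-lobby-2": {"type": "device",     "status": "retired",    "end": date(2017, 6, 1)},
}

# Constructed application account export: (app, username, privileged, last_login)
ACCOUNTS = [
    ("crm",       "alice",       False, date(2017, 10, 2)),
    ("crm",       "bob",         False, date(2017, 9, 5)),    # employee terminated in August
    ("vpn",       "vendor-tech", True,  date(2017, 10, 1)),   # contract ended, still logging in
    ("vpn",       "auditor-1",   True,  date(2017, 5, 2)),    # privileged and dormant
    ("bms",       "hvac-ctl-03", True,  date(2017, 10, 3)),   # device, active and in use
    ("bms",       "cam-lobby-2", False, date(2017, 5, 30)),   # device retired
    ("fileshare", "old-intern",  False, date(2016, 12, 1)),   # no identity record at all
]

DORMANT_AFTER = timedelta(days=90)   # assumed threshold for privileged accounts
AS_OF = date(2017, 10, 4)            # constructed review date


def review_accounts(accounts, identities, as_of, dormant_after=DORMANT_AFTER):
    """Return findings as (app, username, reason), sorted for a stable review list."""
    findings = []
    for app, user, privileged, last_login in accounts:
        ident = identities.get(user)
        if ident is None:
            findings.append((app, user, "orphan: no matching identity record"))
            continue
        if ident["status"] in ("terminated", "retired"):
            when = ident.get("end", "unknown date")
            findings.append((app, user, f'{ident["type"]} {ident["status"]} on {when}'))
            continue
        end = ident.get("end")
        if end is not None and end < as_of:
            reason = f'{ident["type"]} contract ended {end}'
            if last_login > end:
                reason += f", yet last login {last_login}"
            findings.append((app, user, reason))
            continue
        if privileged and as_of - last_login > dormant_after:
            findings.append((app, user, f"privileged account dormant since {last_login}"))
    return sorted(findings)


if __name__ == "__main__":
    for app, user, reason in review_accounts(ACCOUNTS, IDENTITIES, AS_OF):
        print(f"{app:10s} {user:12s} {reason}")
```

The contractor whose access outlived the contract and was still being used is the finding that matters most here; whether it is the contractor or someone holding their credentials, the account should not have been able to log in on 1 October at all. Running this against every application, not only the ones behind single sign-on, is how the locally created accounts that central deprovisioning never sees get found.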

Perform regularly scheduled security/risk assessments of third parties.

When connecting to a third party’s systems or allowing a third party to access its systems, a modern organization investigates the security and risk posture of that party. To understand whether the party’s risk level is an appropriate match for the organization’s risk appetite, the organization must conduct a security evaluation and audits to check whether real-life practices follow established policies and procedures.

Because the environments of both parties are organic and the relationship between parties is dynamic, risk is ever changing. Therefore, evaluation of third parties is not a once-and-done activity. Security evaluations and audits must be conducted on a regular basis.

CONCLUSION

The goal of a modern organization’s security strategy is to create harmony between the security strategy, IT environment and business and operational priorities. This is difficult because the IT environment and the organization itself are constantly in the process of transformation; therefore, the organization’s risk and security posture is also dynamic.

An organization can take proactive steps to operate more securely—for instance, taking measures to inventory the cloud applications that are in use, understanding how mobile devices (organization owned and personal) are used for professional interaction, assessing the security of devices that transmit information over the internet, and better managing the lifecycle of identities including the identities of third parties and IoT devices.

A rapidly expanding and increasingly complex IT infrastructure cannot be secured purely through more technology. Organizations must drive success by including people and processes in their security strategy. In part, security teams should collaborate with operational leaders to identify the level of security various information assets require and integrate security into every phase of an organization’s initiatives.


In summary, modern organizations must understand security risk in the context of impact to operations. With a business-driven security strategy, organizations can connect security risk to business risk that is contextual and specific to the organization. Modern organizations can achieve consistently high levels of organizational efficiency and security even as their attack surfaces continue to expand with every added device, identity and system.

BUSINESS-DRIVEN SECURITY SOLUTIONS FROM RSA

The RSA NetWitness® Suite provides the essential visibility to detect advanced threats and deliver the right response in minutes, not months.

RSA SecurID® Access provides world-leading authentication and access assurance solutions protecting 25,000 organizations and 55 million users. With RSA SecurID Access, organizations can have secure access to cloud and mobile applications without creating roadblocks for users.

RSA® Adaptive Authentication is a comprehensive authentication and fraud-detection platform designed to measure the risk associated with a user’s login and post-login activities by evaluating a variety of risk indicators.

The RSA Archer® Suite ensures that you can take command of risk, including the new sources of cyber risk that have emerged.

ABOUT RSA

RSA helps leading organizations around the world take command of their security posture by partnering to build and implement business-driven security strategies. With RSA’s award-winning cybersecurity solutions, organizations can effectively detect and respond to advanced attacks; manage user identities and access; and reduce business risk, fraud and cybercrime. For more information, go to rsa.com.

RSA and the RSA logo are registered trademarks or trademarks of Dell Technologies in the United States and other countries. © Copyright 2017 Dell Technologies. All rights reserved. Published in the USA. 10/17 White Paper H15654.

RSA believes the information in this document is accurate as of its publication date. The information is subject to change without notice.