Tidal Forces: The Changes Ripping Apart Security as We Know It

Transcription

1 SESSION ID: CSV-T09 Tidal Forces: The Changes Ripping Apart Security as We Know It Rich Mogull

2 Image: lordsong-d5lrxws from

3

4

5

6

7 Image:

8 Technology Tidal Forces 8

9 Technology Tidal Forces IaaS Endpoints SaaS 9

10 Why You Care Many existing security skills sets have a best used by date. Many existing security tools have a best buy by date. We can learn from the organizations already over the event horizon. We can plan for a smoother transition. Smaller objects experience less tidal forces. Big objects can iterate across the event horizon. 10

11 Endpoints are different, more secure, and less open

12

13 Source:

14 No Widespread Malware

15 Closed Systems Can Improve Security 15

16 But Challenge Existing Models 16

17 Possibilities The Market The Profession Consumer AV contracts We are already seeing vendors prepare Enterprise EPP contracts Slower and less Network box vendors are in trouble Watch this thread Security better, monitoring and compliance harder Fewer endpoint tools to manage Greater use of cloud-based monitoring and filtering Enables Zero Trust Networks 17

18 SaaS is the new back office

19

20 AlwaysEven onyet Fewer No the non-saas security Internet; internal iscentralized consistency inalways servers the cloud encrypted

21 Possibilities The Market The Profession Bumps in the wire are incompatible with SaaS Square peg/round hole The value of perimeter security appliances declines CASB is here to stay But likely as a feature Fewer boxes to secure And smaller networks Risk instincts and assessment skills need to evolve You can t own or lock down all the devices Industry-specific providers will appear for verticals with special compliance needs 21 Monitoring will change Zero Trust networks enabled IR is redefined

22 IaaS is the new data center

23 Source: Fortune

24 Economically-Enforced Baseline Security 24

25 Hypersegregated Application Environments Security Group Security Group Security Group Security Group Security Group Security Group Subnet Subnet Subnet Subnet Subnet Subnet Virtual Network Virtual Network Virtual Network Virtual Network Virtual Network Virtual Network Account Account Account 25

26 New Architectures Where do you put your NGFW? Image credit: Parallax Agency Ltd 26

27 New Operational Frameworks Source Code Functional Tests NonFunctional Tests Security Tests Teraform Templates Git Jenkins Test Prod Chef Recipes Welcome to DevOps 27

28 The Power of Immutable Load Balancer a b c Auto Scale Group 28

29 The Power of Immutable Load Balancer a b c Auto Scale Group 29

30 The Power of Immutable Load Balancer a b c Auto Scale Group 30

31 The Power of Immutable Load Balancer Vulnerable Patched a b c Auto Scale Group 31

32 The Power of Immutable Load Balancer Vulnerable Patched a b c Auto Scale Group 32

33 The Power of Immutable Load Balancer Vulnerable Patched a b c Auto Scale Group 33

34 The Power of Immutable Load Balancer Vulnerable Patched a b c Auto Scale Group 34

35

36 < It s a Developer-Driven World />

37 Zero Trust Networks 37

38 Possibilities The Market Bumps in the wire are incompatible with IaaS Double whammy Data center security appliances contract Server-focused endpoint security tools contract As they exist, opportunity to refocus Developer-friendly application security tools expand The Profession Programming skills become essential You don t need to be a developer, but you need to know how to code Provider-specific technical cloud skills are vital to survive Application security architecture is critical Static patterns won t last, must be consultative Zero Trust networks redefine on-premise security strategies Don t tell Jericho Many existing skills will be less in demand Get used to change Cloud native == cloud survival 38

39 Roadblocks ahead

40 Challenges Security vendors are tied to existing revenue models Shareholders may be unwilling to balance quarterly revenue requirements with R&D and revenue model changes for future success Shifting sales models, especially at scale, is fraught with danger Rethinking product strategy without oswalding existing customers is also extremely difficult Security professionals need new skills, tools, processes, and mindsets while still protecting everything they have There has been a mid-term mindset that GRC > technical skills, but you can t make this transition without a firm understanding of new fundamentals Some technical skills also have an expiration date If you haven t been a developer, it s hard to think like one, even once you learn a little programming 40

41 Strategies to Thrive Vendors Build a cadre with a cloud-first mindset Start a skunkworks and/or buy your way in Talk to cloud-first/zero-trust network companies and understand what they want to buy, don t rely on your existing channels and customers Build the case for your stakeholders Professionals Learn to code, at least a little, even (especially) if you are management Go to cloud and DevOps events Get a personal cloud account and build something Embrace continuous change 41

42

43 Be like Iron Man Tidal Forces: The Changes Ripping Apart Security as We Know It Rich Mogull