WHITE PAPER PROTECTING MODERN IT PRIORITIZATION IS KEY FOR SECURITY AT SCALE

Transcription

1 WHITE PAPER PROTECTING MODERN IT PRIORITIZATION IS KEY FOR SECURITY AT SCALE

2 OVERVIEW Security teams today face a daunting task: protect infrastructures that have a level of complexity never seen before. Many organizations are finding that the increased efficiency gained from new technologies is critical in order to remain competitive, and these technologies underpin many key business and operational innovations. The number of devices, identities and systems that interact, whether from inside or outside the corporate firewall, is growing rapidly. This is driven by factors such as increased collaboration in the cloud, the mobility of sales and operations teams, an expanding number of internet-capable devices and sensors, and an expanding number of privileged external users. The explosion in the number of devices, identities and systems isn t just transforming business; it s also transforming security due to challenges related to scale and complexity. Modern organizations have a huge and still-growing attack surface and with it an assortment of weak points an attacker can exploit to enter an environment. Yesterday s security tools are not effective at keeping today s organizations safe, and neither is yesterday s security strategy. With a misinformed legacy view that no data loss is acceptable and all data should be equally protected, some organizations are suffering from security fatigue. In spite of intense, prolonged effort, they are unable to effectively manage risk and protect their most important data. Modern organizations are beginning to realize that all data is not created equal. They are prioritizing and dedicating a higher level of protection to sensitive information such as competitive intelligence or personal information about employees and customers. They are working with operational leaders to identify where that sensitive data lives in the infrastructure. They are focused on protecting what matters most, and recognize that prioritization is key. 2 In short, security teams at modern organizations are moving toward a business-driven security strategy developed in collaboration with the broader IT team and operational leaders that prioritizes security efforts by connecting security risk to the business and operational risk. And they are implementing tools that align with that strategy. Business-driven security is the concept of creating explicit linkage between what security technology is telling you and what that means in terms of business risk. Business-driven security mandates a new way of thinking about how to protect what matters most to your organization. Many security strategies have grown by reacting to a new threat or in response to a security incident that negatively impacted their organization. With zero-day attacks happening every day, we don t really know what type of threat we will be up against next. What we do know is what systems, processes and data are most important to our organization, and we

3 absolutely have the ability to identify those critical areas and proactively align our security strategy to them. IT FOR THE MODERN ORGANIZATION Modern organizations are deriving efficiency and agility from four key IT trends: Cloud Mobility Internet of Things (IoT) / Cyber Physical Convergence Third-Party Access CLOUD CONVENIENCE BYPASSES I.T. Cloud technologies provide enterprises with anytime/anywhere access to key applications, services and platforms. Cloud systems are typically housed in mature data centers with excellent uptime. Cloud vendors often take on the burden of user support, relieving weary help desks. Many cloud vendors use monthly subscription payment models to absorb some or all implementation costs, which minimizes initial financial barriers. In fact, all of this convenience is at the heart of the problem. Vendor selection decisions tend to be departmental or decentralized. Cloud systems can often be purchased and implemented while bypassing formal approval channels and without the knowledge of IT a practice that is called Shadow IT. Operational processes, such as formal sourcing processes, budgeting or implementation support, would normally pull IT and security teams into the tool selection conversation or alert IT to a tool s existence, but that is often not the case with cloud technology. Typically accessed through the user s browser, cloud systems may not even require a user to install software. Malicious insiders and other attackers can take advantage of Shadow IT. Cloud systems often interact with other business and operations systems or are used to store the organization s valuable data such as information about prospects and customers. Attackers attempt to compromise cloud systems in order to steal proprietary or confidential information without triggering attention from network monitoring technology. Further, data can be orphaned in the cloud when a user s relationship with the provider has ended. Without knowing the cloud is being used, IT can t properly decommission the cloud system. Modern organizations must gain visibility into the cloud infrastructure and services being used and employ appropriate controls. 3 MOBILE ACCESS INCREASES PRODUCTIVITY AND RISK Many modern organizations use mobile technologies to allow employees and other users to work remotely from devices that may or may not have been issued by the organization. Many enterprises now allow users to access the organization s information from personal devices a practice known as Bring

4 Your Own Device or BYOD. Two primary variables create mobile security risks: devices and connections. Users may rely on a device and/or connection that is not owned, managed or controlled by the organization. While organizations are monitoring their own devices, with the increased use of personal devices, they must begin monitoring activity for all devices from which organizational data is accessed. In part, modern organizations are working to identify the business data that is accessed by and saved to mobile devices. Then in the event of a user s departure or a security incident involving a mobile device, the resulting business and operational risks from the compromise of that data are understood. A security team can use this knowledge of what is accessed to help reconstruct a security incident. In addition, an organization s administrator can use remote wipe technology to instantly delete organizational data stored on a device when needed; for instance, when an employee leaves the company. INTERNET OF THINGS: THE NEXT INDUSTRIAL REVOLUTION? It seems that everything sold today that could potentially have an internet connection does. In the consumer setting, this includes dolls, baby monitors, medical devices, refrigerators and connected vehicles, to name a few. The impact is no less striking in work settings where printers, environmental controls and equipment are internet-enabled. Many of these devices send a stream of information about business and operational activities across the internet to vendor databases where that information is harvested for insights. In fact, some are calling the Internet of Things (IoT) the Next Industrial Revolution because the access to detailed performance data promises to dramatically increase the production and efficiency of manufacturing and physical systems. Because so many devices are now capable of connecting to the internet, organizations must put in place a much broader security strategy that takes into consideration the diversity of devices, platforms and operating systems and the massive quantity and new types of data generated by IoT devices. This strategy also must consider the pervasive connectivity of these devices, the ability to maintain a constant connection to the outside world, which means 24x7 penetration of the perimeter. 4 While organizations continue to defend traditional systems, such as phone systems, laptops and applications, they must also now defend against potential attacks on smart electrical systems and connected heating, cooling and video surveillance systems. They must defend connected industrial equipment and handheld devices. Because many IoT technologies interact with physical environments, an attacker could create a real or spoofed emergency. For instance, an attacker could interrupt operations with a false alert on an environmental system or increase the real-world temperature in industrial freezers or on assembly line equipment. An attacker could force the evacuation of a building or use IoT access to jump to an unrelated system.

5 Modern organizations understand that IoT cyber attacks can have physical impacts and are considering how to manage the security of these devices at scale. THIRD-PARTY ACCESS CREATES SECURITY PIVOT POINTS In the last decade, many organizations have increased their use of external partners, vendors and consultants. For instance, third parties may be called upon to provide support during a busy season, to offer expertise during the deployment of an enterprise tool, or to manage a freestanding piece of operations that doesn t require significant integration with in-house teams. This practice may allow modern organizations to better focus on core activities, may provide access to pricey expertise that is lacked in-house or may reduce costs as the organization avoids creating full-time roles for part-time needs. The problem is that modern organizations provide third parties with access that attackers can potentially use as a conduit into an organization s infrastructure, and it is difficult to determine whether the third party is protecting data from unauthorized access, use and disclosure. On the other hand, organizations may have access to the third party s systems access that an attacker can use as a conduit back into the third party s network. The security of each organization is vitally linked to the other. Modern organizations are considering how to defend against attackers that use third-party access to compromise the organization or that use an organization s access to third-party systems to compromise the third party. RESULT: MASSIVE EXPANSION OF ATTACK SURFACE All four technology trends are expanding the attack surface of the modern enterprise, and each introduces a level of complexity that at first might not be obvious. Traditional security strategies are proving ineffective because they rely on creating a perfect perimeter to prevent attacks, rather than managing attacks based on business and operational risk. Another fault line is that traditional security protects all assets equally, which isn t feasible when the number of assets to be protected is increasing so rapidly. In addition, some core systems that were exempt in the past from security testing or patching need to be scrutinized. Many security teams are asking their operational leaders new questions, such as: Which information or systems are the most sensitive or most important to protect? What is the potential impact if attackers obtain that data or can manipulate those systems? (i.e., an inability to meet customer obligations, notification to regulators, interruption to normal operation, reputational impact, etc). 5 The true impact of these modern security challenges is sometimes only realized in the event of a security incident, when organizations are unable to readily answer the most important question: How bad is it?

6 MODERN SECURITY STRATEGY SECURITY PILLARS: VISIBILITY, CONTEXT, RAPID INSIGHT AND APPROPRIATE RESPONSE As security strategy shifts from creating an impenetrable perimeter to managing a dynamic, distributed infrastructure, four pillars of modern security are coming into play: Full Visibility. The security team must be able to see what s happening in the enterprise at all times across business processes, networks, devices, people and transactions. Only with that 360-degree ability can you identify security risks across the whole business environment. Too many security monitoring strategies today have an overreliance on a single data source (e.g., logs), which provides an incomplete picture of the organization s attack surface from the endpoint to the cloud. Rapid Insight. Faster time to insight, through better analytics and detection capabilities, is paramount in the modern business environment of external business partners, cloud computing, personal devices and the like; where plenty of unusual behavior will be harmless and plenty will not. The time to insight for security teams is collapsing to zero. The more time you need to interpret an event, the greater your risk can be. Efficient, Comprehensive Response. Today, security teams take the findings from their security tools and remediate in a highly manual way that doesn t scale. The most effective way to turn insights into action is to orchestrate and automate response. When you spot a user acting suspiciously, you can enable the control plane of identity to go into action stepping up authentication to ensure that you are confident this user is legitimate. Business Context. The security team can t rely only on seeing what is happening on its network and among its system users; they must be able to interpret those events quickly and understand the criticality of the systems and/or processes affected. This contextual intelligence facilitates faster and better decisions. If you re an analyst, understanding business context (such as the criticality of an asset) can help you determine how urgently you should escalate incidents. FOCUSES: TECHNOLOGY, PEOPLE AND PROCESSES Traditional security strategy has typically been an afterthought, focused almost exclusively on protecting technology and systems that had already been put in place. Business initiatives were and in many instances still are developed without considering the cyber risk exposure associated with them. In fact, many organizations have not even gone through the exercise to determine what their cyber risk appetite is. 6 Security strategy for modern organizations should encompass people and processes in addition to IT to identify human risk and to shore up any process weaknesses. One of the most important things to note here is that cyber risk must include both intentional and unintentional scenarios. And even as new attack tactics become more sophisticated and diverse, that identity continues to be the most consequential threat vector.

7 CAPABILITIES NEEDED FOR A MODERN DEFENSE Modern organizations are increasing operational efficiency and bolstering cybersecurity by adding capabilities that defend against cloud, mobile and IoT risks as well as risks caused by third-party users. Cloud Make identity management consistent across cloud, mobile and on-premises systems. Most organizations are already working to retire any monolithic, application-specific, on-premises identity management tools because such systems create islands of identity or identity silos and such silos involve risk due to lack of visibility. Many organizations are also considering how to get a unified view for instance, through Identity as a Service of anomalous activity on on-premises systems, cloud infrastructure and cloud services. Large organizations increase efficiency by centrally managing user privileges and using an authentication method that allows a user to seamlessly log into multiple applications with a single sign-on. By provisioning and deprovisioning users centrally, there is no risk that the user s access to an application might be accidentally preserved when other access is removed. Gain visibility into Shadow IT and the use of cloud systems. Organizations need to assess the degree to which Shadow IT is an issue and answer key questions such as: What organizational information is accessed or housed by the system? Who can access it, including external users? What security measures does the cloud application or service vendor use? Are the connections trusted? Can the vendor pass the usual sourcing security evaluation? Security tools that offer network monitoring can be very helpful in identifying Shadow IT. 7

8 Mobile Monitor all mobile endpoints including BYOD. Modern organizations are beginning to monitor activity for all mobile devices from which organizational data is accessed, regardless of who owns the device. Organizations are identifying the data that is accessed by and saved to these devices to better understand business and operational risk. In addition, many businesses are implementing remote wipe so an administrator can immediately eliminate mobile access to organizational data if needed. Leverage mobile capabilities to improve and expand authentication. Modern organizations should consider the benefits of modern, next-generation authentication. Organizations that have a large number of users working off site should consider taking advantage of mobile as a second authentication factor. This means that a successful attacker could only linger in a system or network for one session, until the user logs out. The attacker wouldn t be able to continue the attack on the next login, even if the user s password is compromised, if mobile authentication is also required. IoT Discover and monitor IoT devices on the network. In addition, mobile devices offer inherent biometric and haptic capabilities that can become part of the authentication process. In this way, all mobile device users can operate more securely, without significant additional effort. Control access to configure and manage IoT devices. 8 Modern organizations need to discover and monitor the connected and smart devices on their networks and understand the extent of IoT activity in connecting to systems and recording and storing business information. IoT devices should be considered as identities on the network since they are granted access to network resources, and organizations should ask the same types of access questions posed for other user types. For instance, do these devices need to be deprovisioned at times and what is the process for doing that? What level of authorization do they need and to which systems?

9 Third Parties Manage the identity of third party users throughout the identity lifecycle. Perform regularly scheduled security/risk assessments of third parties. As with employees, a third party s role and responsibilities in an organization changes over time. All identities, including those for third parties, should be actively managed and periodically reviewed throughout the identity lifecycle. Organizations should also require the same security rigor for external users who access sensitive systems and data as is required for employees. Organizations need to consider the volume of third-party provisioning, management and deprovisioning when selecting identity tools because not all are built for scale. When connecting to a third party s systems or allowing a third party to access its systems, a modern organization investigates the security and risk posture of that party. To understand whether the party s risk level is an appropriate match for the organization s risk appetite, the organization must conduct a security evaluation and audits to check whether reallife practices follow established policies and procedures. Because the environments of both parties are organic and the relationship between parties is dynamic, risk is ever changing. Therefore, evaluation of third parties is not a onceand-done activity. Security evaluations and audits must be conducted on a regular basis. CONCLUSION The goal of a modern organization s security strategy is to create harmony between the security strategy, IT environment and business and operational priorities. This is difficult because the IT environment and the organization itself are constantly in the process of transformation; therefore, the organization s risk and security posture is also dynamic. An organization can take proactive steps to operate more securely for instance, taking measures to inventory the cloud applications that are in use, understanding how mobile devices (organization owned and personal) are used for professional interaction, assessing the security of devices that transmit information over the internet, and better managing the lifecycle of identities including the identities of third parties and IoT devices. 9 A rapidly expanding and increasingly complex IT infrastructure cannot be secured purely through more technology. Organizations must drive success by including people and processes in their security strategy. In part, security teams should collaborate with operational leaders to identify the level of security various information assets require and integrate security into every phase of an organization s initiatives.

10 In summary, modern organizations must understand security risk in the context of impact to operations. With a business-driven security strategy, organizations can connect security risk to business risk that is contextual and specific to the organization. Modern organizations can achieve consistently high levels of organizational efficiency and security even as their attack surfaces continue to expand with every added device, identity and system. BUSINESS-DRIVEN SECURITY SOLUTIONS FROM RSA The RSA NetWitness Suite provides the essential visibility to detect advanced threats and deliver the right response in minutes, not months. RSA SecurID Access provides world-leading authentication and access assurance solutions protecting 25,000 organizations and 55 million users. With RSA SecurID Access, organizations can have secure access to cloud and mobile applications without creating roadblocks for users. RSA Adaptive Authentication is a comprehensive authentication and frauddetection platform designed to measure the risk associated with a user s login and post-login activities by evaluating a variety of risk indicators. The RSA Archer Suite ensures that you can take command of risk, including the new sources of cyber risk that have emerged. ABOUT RSA RSA helps leading organizations around the world take command of their security posture by partnering to build and implement business-driven security strategies. With RSA s award-winning cybersecurity solutions, organizations can effectively detect and respond to advanced attacks; manage user identities and access; and reduce business risk, fraud and cybercrime. For more information, go to rsa.com. 10 RSA and the RSA logo, are registered trademarks or trademarks of Dell Technologies in the United States and other countries. Copyright 2017 Dell Technologies. All rights reserved. Published in the USA. 10/17 White Paper H RSA believes the information in this document is accurate as of its publication date. The information is subject to change without notice.