Security first: implementing the cyber-resilient enterprise


The ongoing paradigm shift towards the digital economy is forcing enterprises to confront the reality that standard IT security is no longer enough to protect their assets in a digital world where just about everything is connected – and that their digital transformation (DX) strategies must be designed to address this fundamental truth.

The threat landscape has changed in scale, speed, and cleverness; we are long past the days when firewalls and end-point security were sufficient to keep malware and distributed denial-of-service attacks to a minimum. Today, security must encompass infrastructure, users, data, and apps – and it must be proactive, not reactive.

Put simply, as part of the organization’s DX strategy, its security strategy must also be transformed and modernized. Enterprise security must transform to enable maximum ‘cyber resiliency’ for the organization – not only to detect and prevent attacks from unknown threats and evolve as the landscape evolves, but also to recover from attacks quickly with minimal or no disruption to the business. At the heart of it all should be a zero-trust architecture providing end-to-end security from the chip to the cloud.

Panelists at a recent webinar hosted by Hewlett Packard Enterprise (HPE) explored the topic of cyber resiliency. And here’s what they said.

The threat landscape has changed dramatically

The starting point to understanding the importance of cyber resiliency is the realization that the threat landscape has changed dramatically in the last couple of years.

This is partly because attackers have become more sophisticated (or at least have access to automated, user-friendly exploits), but it’s mostly because digital tech trends have resulted in an increased attack surface. There are far more connected devices, with IoT devices in particular being notoriously insecure. Appliances traditionally used to perform network functions such as routing, security, and load balancing are now becoming a hindrance as data usage continues to grow exponentially. Scaling those appliances to handle the load adds latency and complexity to the data center, which means more potential vulnerabilities to exploit.

Meanwhile, inside the data centers, virtualization and distributed micro-services are becoming the norm, with over 70% of network traffic now running within the data centers (east-west), which requires granular security to isolate specific hosts from each other. Consequently, security breaches now happen more and more inside the data center, where security solutions are less effective and breaches take longer to detect – as long as 56 days, according to CapGemini, which is far too long.

“The current approach based on appliances or point solutions is difficult to scale and very costly, to the point that the cost for network operations is now three times the cost of the network itself,” said Yogesh Hinduja, Worldwide Cybersecurity Lead at HPE.

In other words, ironically, the shift to hyperconnected digital services is itself making such services more vulnerable to attacks. One example is the current trend of organizations looking to consolidate their IT infrastructure with their operational technology (OT) infrastructure. While this may result in opex savings and productivity gains, it also presents a new attack surface for threat actors, said Sam Parmar, head of Strategy and Technology at Cyfirma.

“OT environments used to be inward-looking and used to run their own protocols – very rarely would they even have an IP address. But now you’ve got manufacturers connecting directly into these devices, so the firewall between IT and OT doesn’t exist anymore and that means you’re increasing your attack surface across this OT environment,” Parmar explained.

Another major shift in the threat landscape has come from the rise of remote working in the wake of the COVID-19 pandemic, said Bruce Chai, head of Threat Prevention for Southeast Asia and Korea at Check Point.

“At the start of the COVID situation in 2020, the amount of phishing attacks went up by a staggering amount, partly due to the changing nature of how people are working,” he noted. “Remote connectivity is dependent on your username and passwords, which means if I ever phished those from a user, I’ve basically got the keys to your kingdom.”

COVID-19 has created a “perfect storm” where WFH employees are more susceptible to messages that look like they’re work-related whilst being connected to the office network from outside the usual perimeter defenses, Chai said.

All of this puts additional emphasis on the need to understand the external threat landscape in more detail – which in itself is a shift from the usual inward-looking security postures that focus on end-point security and firewalls, observed Sam Parmar of Cyfirma.

“It’s no longer just the inward-facing firewalls – you also need to complement that with understanding what does your external threat landscape look like and what is coming towards you,” he said. “What are the inroads for cyber criminals to come into your organization? What are the vulnerabilities of those inroads? Who is talking about your brand out there? You need to understand who the threat actors are, why they’re interested in you, what you have that they want, what’s their motivation to attack you, and what modes of attack they would use to attain their goal.”

In fact, that expanded external focus should extend well beyond the usual IT security paradigm, said Yogesh Hinduja of HPE, who argued that the threat landscape is more than just hackers planting malware and stealing data. “As data and apps become more mission-critical, enterprises are becoming more vulnerable to everything from natural and man-made disasters to regulatory changes, geopolitical environments, and even negligence – all of which are capable of causing costly disruptions to business,” he said.

In other words, enterprises need to shift from thinking in terms of cyber security – a defense against attacks on their IT infrastructure – towards thinking in terms of cyber resiliency.

From cyber security to cyber resiliency

Simply put, cyber resiliency is a combination of holistic risk management, security by design, post-event cyber crisis management/response, and business continuity and disaster recovery to enable your IT infrastructure to withstand any kind of attack or disruption, said Srinivasan Narayanan, regional solution leader for Pointnext APAC at HPE.

“It’s not just prevention. It’s not just detection. It’s also how resilient we are, how fast we recover, and how quickly we can run the business again, and how we can reduce the impact of the breach,” he said.

Casa Goh, country manager for Veeam Software Singapore, offered the rise of ransomware as an example.

“Ransomware attacks are currently seven times higher than 2020 and have happened to enterprises across industries, regardless of size, and they’re becoming more and more successful, which means we will see even more of them,” Goh explained.

While the obvious goal is to prevent ransomware attacks from happening, the problem is that once an attack is successful, you have two choices: pay up, or lose the data the attackers are holding hostage – and there’s no guarantee that paying the ransom will get your data back. The takeaway, said Goh, is that data backup is a crucial part of your cyber resiliency strategy.

“We need to have the mindset that being attacked is a matter of when, not if, and that data backup is really your last line of defense,” Goh said. “So we have to make sure that the backups are not only good, but also recoverable in a reasonable amount of time. They also have to be resilient during an attack, because we have seen attacks that target the backup data specifically so that you don’t have recovery as a fallback option.”
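The two checks Goh describes – proving a backup is actually recoverable, and noticing when the backup store itself has been tampered with – can be exercised with a small script. The following is an added example and is not code from HPE, Veeam or the panelists; it assumes a manifest-signing key (`MANIFEST_KEY` in `demo()`) held off the protected host, and every file and directory it uses is constructed in a temporary directory for illustration.

```python
"""Seal a backup with a keyed manifest, verify it, and refuse to restore a tampered one.

Added example, not the panelists' or any vendor's code. The signing key is assumed
to live off the backed-up host (e.g. with the backup controller); all sample data
below is constructed.
"""
import hashlib
import hmac
import json
import os
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _mac(key: bytes, files: dict) -> str:
    # Canonical JSON so the MAC is stable regardless of dict ordering.
    canonical = json.dumps(files, sort_keys=True).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def seal_backup(src: Path, dest: Path, key: bytes) -> dict:
    """Copy src into dest and write a keyed manifest of what actually landed there."""
    files = {}
    for p in sorted(src.rglob("*")):
        if p.is_file():
            rel = p.relative_to(src).as_posix()
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, target)
            files[rel] = _sha256(target)  # hash the stored copy, not the source
    manifest = {"files": files, "mac": _mac(key, files)}
    (dest / MANIFEST_NAME).write_text(json.dumps(manifest, sort_keys=True))
    return manifest


def verify_backup(dest: Path, key: bytes) -> list:
    """Return a list of problems; an empty list means the backup is restorable."""
    mpath = dest / MANIFEST_NAME
    if not mpath.exists():
        return ["manifest missing"]
    manifest = json.loads(mpath.read_text())
    files = manifest.get("files", {})
    problems = []
    if not hmac.compare_digest(manifest.get("mac", ""), _mac(key, files)):
        problems.append("manifest MAC mismatch (manifest altered or forged)")
    for rel, digest in files.items():
        p = dest / rel
        if not p.exists():
            problems.append(f"missing: {rel}")
        elif _sha256(p) != digest:
            problems.append(f"content mismatch: {rel}")
    return problems


def restore(dest: Path, target: Path, key: bytes) -> bool:
    """Restore only from a backup that passes verification; False means refused."""
    if verify_backup(dest, key):
        return False
    files = json.loads((dest / MANIFEST_NAME).read_text())["files"]
    for rel in files:
        out = target / rel
        out.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(dest / rel, out)
    return True


def demo() -> dict:
    """Constructed scenario: seal, test-restore, then simulate an attack on the backup store."""
    MANIFEST_KEY = os.urandom(32)  # assumption: never stored on the protected host
    root = Path(tempfile.mkdtemp())
    src, store, restored = root / "data", root / "backup", root / "restored"
    src.mkdir()
    (src / "ledger.csv").write_text("id,amount\n1,100\n")  # constructed sample data
    (src / "config").mkdir()
    (src / "config" / "app.ini").write_text("[db]\nhost=db1\n")

    seal_backup(src, store, MANIFEST_KEY)
    clean = verify_backup(store, MANIFEST_KEY)                 # expect []
    restored_ok = restore(store, restored, MANIFEST_KEY)       # the "can we recover?" drill
    restored_matches = (restored / "ledger.csv").read_bytes() == (src / "ledger.csv").read_bytes()

    # Attack step 1: ransomware overwrites (encrypts) a file in the backup store.
    (store / "ledger.csv").write_bytes(os.urandom(64))
    overwritten = verify_backup(store, MANIFEST_KEY)           # expect a content mismatch

    # Attack step 2: attacker also rewrites the manifest hashes to match the new content.
    m = json.loads((store / MANIFEST_NAME).read_text())
    m["files"]["ledger.csv"] = _sha256(store / "ledger.csv")
    (store / MANIFEST_NAME).write_text(json.dumps(m, sort_keys=True))
    forged = verify_backup(store, MANIFEST_KEY)                # expect a MAC mismatch
    restore_refused = not restore(store, root / "restored2", MANIFEST_KEY)

    shutil.rmtree(root)
    return {"clean": clean, "restored_ok": restored_ok, "restored_matches": restored_matches,
            "overwritten": overwritten, "forged": forged, "restore_refused": restore_refused}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:18} {v}")
```

The point of keying the manifest rather than just hashing is the second attack step: an attacker who can write to the backup store can also rewrite a plain hash list, so only a check the store itself cannot recompute tells you the backup is still the one you took. Running the restore drill on a schedule, not just the hash check, is what turns "we have backups" into "we can recover in a known time".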

Three key pillars for digital transformation

However, said Hinduja of HPE, cyber resiliency isn’t a bolt-on IT security/business continuity hybrid. HPE envisions cyber resiliency as one of three pillars for enterprises to implement their overall digital transformation strategy.

The second pillar is a zero-trust architecture – which sounds like another solution to buy, but is in fact more of a process and a journey towards a security-by-design concept in which you start with a closed ecosystem and then decide which bits to open up and to whom.

Srinivasan Narayanan of HPE offered the analogy of a hotel quarantine scenario. “You are taken from the airport directly to the hotel, and you can’t access anything. Everything will come to you, but there’s limited and controlled access – so for example no one can visit you, you can only talk to them virtually. So it’s almost like that – you don’t trust anything, you just close everything up and then you start opening one by one, asking: Is it necessary? Is it secure? Can this be trusted, and how can I make sure I can trust it?”
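The "close everything, then open one by one" model above, and the east-west isolation the threat-landscape section calls for, both come down to a default-deny policy in which a request is allowed only by an explicit grant tied to identity and session properties, never to where on the network it came from. The following is an added example and is not HPE's or the panelists' code; the rule set, identities, resources and the `device_trusted` posture signal are all assumed for illustration.

```python
"""Default-deny access policy: closed ecosystem, opened one explicit rule at a time.

Added example, not HPE's or the panelists' code. All identities, resources and
rules are constructed; `device_trusted` stands in for a posture/attestation
signal the real environment would have to supply.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Request:
    subject: str          # authenticated identity (assumed to come from an IdP)
    resource: str         # service being called, e.g. "payroll-db"
    action: str           # "read" or "write"
    src_zone: str         # network segment of the caller; recorded, never trusted
    mfa: bool             # session was established with MFA
    device_trusted: bool  # device passed posture/attestation (assumed signal)


@dataclass(frozen=True)
class AllowRule:
    resource: str
    action: str
    subjects: FrozenSet[str]
    require_mfa: bool = True
    require_trusted_device: bool = True


class Policy:
    """Closed by default: a request is allowed only if some rule explicitly grants it."""

    def __init__(self) -> None:
        self._rules: List[AllowRule] = []

    def open_up(self, rule: AllowRule) -> None:
        # One deliberate decision per call: is it necessary, is it secure, who is trusted?
        self._rules.append(rule)

    def decide(self, req: Request) -> Tuple[bool, str]:
        near_misses = []
        for r in self._rules:
            if (r.resource, r.action) != (req.resource, req.action):
                continue
            if req.subject not in r.subjects:
                continue
            if r.require_mfa and not req.mfa:
                near_misses.append("rule requires MFA")
                continue
            if r.require_trusted_device and not req.device_trusted:
                near_misses.append("rule requires a trusted device")
                continue
            return True, f"allowed: {req.subject} -> {req.resource}:{req.action}"
        # src_zone is deliberately not a grant condition: a caller inside the data
        # center (east-west traffic) earns nothing by virtue of its location.
        if near_misses:
            return False, "denied from " + req.src_zone + ": " + "; ".join(near_misses)
        return False, f"denied from {req.src_zone}: default deny, no rule grants this access"


def build_demo_policy() -> Policy:
    # Constructed rules for illustration only.
    p = Policy()
    p.open_up(AllowRule("payroll-db", "read", frozenset({"alice@corp.example"})))
    p.open_up(AllowRule("web-frontend", "read",
                        frozenset({"alice@corp.example", "bob@corp.example"}),
                        require_trusted_device=False))
    return p


def run_demo() -> dict:
    p = build_demo_policy()
    cases = {
        # Remote worker with MFA and a healthy device: the one path that was opened.
        "alice_ok": Request("alice@corp.example", "payroll-db", "read", "remote", True, True),
        # Same identity, password-only session (the phished-credential case).
        "alice_no_mfa": Request("alice@corp.example", "payroll-db", "read", "remote", False, True),
        # Valid user, but not granted payroll; being in the data center does not help.
        "bob_lateral": Request("bob@corp.example", "payroll-db", "read", "datacenter", True, True),
        # Compromised web host trying to move east-west to the database.
        "svc_lateral": Request("svc-web", "payroll-db", "write", "datacenter", True, True),
        # Lower-sensitivity resource opened without the device requirement.
        "bob_frontend": Request("bob@corp.example", "web-frontend", "read", "datacenter", True, False),
    }
    return {name: p.decide(req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, (allowed, why) in run_demo().items():
        print(f"{name:14} {'ALLOW' if allowed else 'DENY ':5} {why}")
```

Two design choices carry the zero-trust point: the evaluator has no "allow" branch that is not an explicit rule, so forgetting to write a rule fails closed rather than open; and the network zone appears only in the denial message, so a foothold on an east-west host does not by itself widen what an attacker can reach.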

The third pillar is security transformation and modernization, which HPE describes as “advancing security as a business and technology enabler to achieve faster time to value”. In practice, that means developing both a security reference architecture (SRA) to improve security maturity and readiness, and a roadmap for getting there – again, all of which should be aligned with your overarching digital transformation strategy.

Where to start?

According to Hinduja of HPE, the starting point for security transformation and modernization is a comprehensive assessment of security capabilities and documentation of current state and tooling for cloud readiness – this creates the foundation for defining a customer-specific SRA and determining which solutions will fulfil that goal.

In fact, he added, that’s really the starting point for cyber resiliency and zero trust. “During our day-to-day conversation with the customer, we start with their readiness in terms of where exactly they are today and whether their current incident management is really adequate enough to handle these kind of issues.”

Hinduja added that breach simulation is becoming more and more important for customers in terms of understanding how they can build a robust cybersecurity model, which then leads to cyber resilience.

Bruce Chai of Check Point agreed. “The first thing to do is speak to a trusted partner. Then you need to understand first where your gaps are, your weakest points, and how you’re going to reinforce them.”