BreachExchange mailing list archives

Software-defined defences - keeping the cyber-risk at bay


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 20 Feb 2015 18:22:05 -0700

http://www.scmagazineuk.com/software-defined-defences--keeping-the-cyber-risk-at-bay/article/398314/

Putting a strong lock on a weak door is unlikely to deter thieves,
particularly when there are valuables inside. Yet all too often in the
battle against cyber-attacks, businesses do just that: they attach advanced
digital security systems to inherently insecure corporate network
infrastructures. The result is two-fold. First, those tasked with maintaining
enterprise risk registers and ensuring data security are kept awake at
night. Second, those keen to embrace next-gen mobility and cloud
technologies to generate efficiencies and competitive advantage are left
frustrated.

A company's attraction for cyber-criminals rises as the intrinsic
value and spread of its digital platforms grow. While the commercial
benefits of a company's use of digital platforms exceed the cost of
cyber-attacks, evidence remains that some CIOs in Fortune 500 companies
view cyber-security as a barrier to incorporating new technologies such as
‘Bring Your Own Device’, social networking and public or hybrid cloud
technologies. This is not entirely surprising; most cyber-security
strategies today are based more on a defensive or reactive approach, rather
than an offensive methodology.

One CIO recently told me: “We have long worried about the stolen laptop,
the files left on trains or the misplaced memory stick carrying sensitive
customer records. But now, faced with systematically putting our business
into the cloud while ensuring all employees have useful and appropriate
access is a much more daunting prospect.” Such a view is not uncommon
across many industry sectors today.

Whilst CIOs and defenders of technology infrastructure ponder the right
approach to balancing security with agility and innovation, cyber-criminals
are becoming increasingly sophisticated operators deploying next generation
tools and techniques to infiltrate enterprise-wide networks. For the
defenders all is not lost. Next generation networking technology based on
software-defined networking, or SDN, can offer enterprises a step change, a
new generation defensive arsenal for the CIO, but only when the SDN is
engineered from the outset to be inherently secure.

The challenge with today's traditional, legacy networks is they are based
on TCP/IP, an inherently insecure architecture developed in the days when
‘hackers’ referred primarily to high handicap golfers. TCP/IP is an
enterprise network's weak door. Even with increasingly stronger digital
locks attached, the overall architecture remains vulnerable. This offers
encouragement rather than a deterrent to cyber-criminals.

Software-defended networks

Today's SDN-based networks can be developed with security integrated into
the design rather than as an overlay or afterthought. Because of this, SDNs
represent a cyber-security game changer for the industry. The key change is
they can allow the enterprise to actively protect against what security
teams call advanced persistent threats (APTs), distributed denial of
service (DDoS) attacks, unknown malware and zero-day attacks.

Active SDNs can be designed to continuously monitor for and block
vulnerabilities by default, across all network elements, from simple
access devices to a range of network elements to the data centre. The key
difference is that in an SDN design, the capability can be fully
virtualised and embedded. With an SDN, security policies can be created to
match the type of service they are designed to protect.

This means CIOs can go on the offensive and secure devices, applications
and network elements. Employee access can be actively controlled by time of
day, location, time zone and other factors that can be configured into the
network through centralised management and control tools. The CIO's
priority can now be ensuring useful access rather than the restrictive
characteristics of a strategy based on reactive responses.

However, just because the capability exists doesn't mean that all SDNs are
being developed with an equal focus on security. Also, there is a
significant cyber-security industry that depends on the spread of fear,
uncertainty and doubt. If the SDN-based architecture doesn't combine
security reputation, big data, sandboxing, as well as other technologies to
prevent unknown threats, it's essentially replacing an old weak door with a
new weak door, despite the stronger locks being fitted.

Cyber-security is a technical challenge but it is also a human challenge.
Every CIO and network security engineer knows only too well about the
continuous battle to improve the behaviour of employees to underpin
existing security procedures. While this challenge remains, SDNs, for the
first time, have the ability to materially transform the technical defences
and provide added security capability to protect against human weaknesses.

Less well-recognised, perhaps, is the continued risk of ‘the illusion of
security’. The time to ask a vendor searching questions about the integrity
and security of an SDN is before purchase. Any SDN architecture or roadmap
that promises ‘security measures to follow’ is effectively replicating the
flaws of the past: the weak doors with strong locks.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
