With SSL, mobiles and cloud applications complicating traditional defences, shunting all traffic to the cloud has helped one CISO sleep at night
Security executives are enjoying increasing prominence amongst business leaders as growing awareness of ransomware's business risks motivates new levels of CISO empowerment, one cloud-security CISO has observed while warning that those without full visibility of their environments risk squandering the goodwill when new attacks slip by.
“Boards are holding CISOs accountable,” Michael Sutton, CISO with cloud-security vendor Zscaler, recently told CSO Australia. “That's a positive thing because the role of the CISO is getting elevated – but not every CISO will survive that transition.”
“The back-office technologist who doesn't know how to deal with the business side, is never going to survive. But the person who does understand that, and can use it to his advantage – he's going to be able to use it to his advantage and get resources that he never had access to before.”
And while those resources may include business and financial support for reinvention of the business security regime, Sutton warned, deciding the next steps will be the difference between successful protection and a disastrously exposed organisation.
Getting broad visibility across information resources has become more difficult with the proliferation of endpoints and the growing use of Secure Sockets Layer (SSL) – encryption technology that is being adopted by consumer-grade cloud-storage services and ramrodded onto user devices thanks to the likes of Google, which recently began promoting a more-secure option and will soon begin marking all standard HTTP pages as 'not secure'.
Such enthusiasm for encryption is commendable, Sutton said, but it's also exposing the blind spots in conventional appliance-based security tools that have become “nothing but big paperweights” as ever-changing threats outstrip their ability to adapt. “Attackers are getting more dynamic,” Sutton explained.
“Ransomware is technically not that sophisticated,” he explained. “It often doesn't even take advantage of a vulnerability but just tricks a user into installing something. What attackers have done that is so smart, is to do a really good job of morphing that malware. Every day the binary just changes and changes. And if you don't have the detective capabilities to be able to see that and mitigate it as quickly as possible, you're going to have problems.”
Even when installed, those binaries can be hard to spot with tools providing limited visibility into network traffic: a recent LightCyber report, for one, found that most malware exploration of victim networks is conducted using common, unremarkable network tools whose presence is no basis for a red flag. Similarly, with SSL used to encrypt up to 65 percent of Web traffic, according to the 2016 Dell Security Annual Threat Report, malware can easily ride legitimate communications channels to and from mobile devices and other online services.
Given that malware authors are using the same cloud-based services to build and deploy their code as enterprises are, URL-based blocking “is really adding very little value at this point”, Sutton said. Malware authors “are in the cloud, leveraging content distribution networks, and so on. And we're not blocking Amazon Web Services sites.”
As the person charged with securing a security company, Sutton has lived the dream. His CISO role is high profile, but that has required him to move proactively to deal with the new truths of malware practice – and his solution has been to “drink our own Kool-Aid” by forcing all of the company's network traffic, regardless of device, to pass through Zscaler's cloud-based security services, which can peer inside SSL sessions as well as conventional traffic.
“The average employee spends less than half his time in an office,” Sutton said. “We're very comfortable with people using personal devices, although it always worries me that there's a gap somewhere that we're not seeing. I don't care where they are on a particular day, or whether they're using a personal or corporate device; if they want to use it for business purposes it has to be going through the cloud so we always have visibility into what they're doing.”
Shunting network traffic to the cloud not only offloads the process of finding and dealing with potential malicious attacks, but offers scalability that many CISOs may not initially realise is necessary. This, because the addition of on-premises tools for inspecting SSL traffic would require a massive boost in security tools – “2 to 3 times the number of proxies that I had before”, Sutton said.
“These things require companies to have to scale their infrastructure and many are thinking that they never wanted to own that much infrastructure. They're saying that it's time to rethink all this and use a different approach – and when they go to a cloud model, all of that becomes someone else's problem.”