
Are you failing Security Basics 101?

Mary Branscombe | April 7, 2016
Patching, backups, firewall configuration … when it comes to security, make sure you take care of your infrastructure before you invest in next-level tools.

Security tools are getting more sophisticated. DevOps is bringing us automation in operations, and a more holistic way of looking at how we manage infrastructure. But all too often, we're not doing basic things to improve security and reliability, like protecting against known vulnerabilities.

Hewlett Packard Enterprise's 2016 Cyber Risk Report points out that "29 percent of all exploits samples discovered in 2015 continued to use a 2010 Stuxnet infection vector that has been patched twice." It takes an average of 103 days for companies to patch known network and security vulnerabilities, according to a study that vulnerability risk management vendor NopSec ran last year; that goes down to 97 days for healthcare providers and up to 176 days for financial services, banking and education organisations. That's not taking into account misconfigurations, or lack of communication between different teams.

"If you're blocking email from an IP address because it's sending you phishing messages, you probably don't want it to be logging in to your SQL database either, but your email and database admins probably aren't sharing that information," points out Paul Mockapetris, the chief scientist at THREATstop, which offers a cloud service for blocking known malicious IP addresses by regularly updating the block lists on your existing firewalls. It sends the details over DNS "for the same reason the bad guys use it for data exfiltration; it pretty much goes everywhere and every device in the world understands it."

"We want to show that security can be understandable and simple," says Mockapetris (best known as the co-inventor of DNS). "We can configure all your firewalls for you automatically."

Chris Bridgers, THREATstop's senior director of security, points out the benefits of automation. "Ensuring security controls are in place that govern network access and apply appropriate protection filters to block threats in near real-time becomes a challenge for any organization's security policy. As the threat landscape is constantly changing, an automated approach which removes the time costs, as well as the potential for human error, has become an essential component."

But Mockapetris makes a point that applies beyond THREATstop's Shield service. It might not sound as sexy as threat intelligence systems with dramatic visualizations, he admits, "but you can fix a lot of your life by doing all that simple stuff."

CaaS - get used to it

The idea of configuration as a service - and treating infrastructure declaratively - is part of the automation and standardization that enterprise IT departments are going to have to get comfortable with if they want private and hybrid cloud to work. If you run Azure Stack, Microsoft's forthcoming hybrid cloud solution, you'll be following a much more prescriptive way of working. "In the past, we left how to patch systems as an exercise for the customers. Now we'll provide an update, and an orchestration system together with the patch," explains Vijay Tewari from Microsoft's Enterprise Cloud team. "We will orchestrate the patch across the system so it does not take down any workloads."

 
