Discover PerformanceHP Software's community for IT leaders // March 2014
Shift to protecting what matters most
CISOs need to adapt at least as quickly as their adversaries. HP Enterprise Security SVP Art Gilliland talks about protecting your data—and which data’s really worth your security spend.
2014 is shaping up to be a challenging year for enterprise security. Attacks were up in 2013, and defense costs were rising. Criminals are organized and well-trained. Our defenses are less successful. Fortunately, the changes we need to make to improve our defenses are well within reach.
In January, Discover Performance spoke to Art Gilliland, senior vice president and general manager for HP Enterprise Security, who shared his thoughts about how a better dialog between security and the business can help organizations identify and protect their most valuable assets. This month, we asked Gilliland about the specific techniques that can give us more defensive mileage, including application security and intelligence sharing. And before we’d finished, he brought us to a surprising conclusion: maybe you don’t need to protect all your data.
Q: Recently, businesses have poured a lot into maintaining a strong perimeter, but that seems to be paying diminishing returns. Is network security still the right place to invest?
Art Gilliland: Network security is still important, but there needs to be a shift away from a system-centric view of security, where we draw up a technical architecture and then say, "I need endpoint security, I need network security, I need web security," and so on. When you do it that way, it’s very difficult to prioritize what you should do first, and you’re likely to only add things to that mix and never take things out.
For network security in particular, it’s not that it’s less relevant, it’s just that what you do in the network and what you’re protecting have changed. For example, with the use of mobile devices, a lot of people are saying the user is the new perimeter. But all of those individual users still connect into some network superstructure. They still connect into services that the company is delivering.
Instead of the traditional firewall approach—let them in or don’t let them in—assume that they’re coming in, but also monitor what’s happening in the network traffic, understand what applications they’re touching, and what information they’re accessing.
Our security needs to evolve toward being identity-centric, and the network is one of those enforcement places, but we need to be focused more on the capability versus the technical architecture of the problem.
Q: Should we be more focused on individual attackers versus more generalized security strategies?
AG: The reality is that there are always going to be new threats, because the adversary is going to evolve. They don’t follow a single method. They may have norms of behavior, but as soon as those norms don’t work, they’ll create, borrow, or buy from someone else the process that does work. So we’re going to have to continue to be smart about it, and study who the bad guy is in aggregate. We need to better understand the adversary ecosystem.
Q: The bad guys benefit from using an ecosystem or marketplace. What can the good guys do as a countermeasure?
AG: As an industry, we’re horrible at sharing information: we don’t help each other. If we don’t learn from each other, we’re going to get crushed, because the adversaries are absolutely learning from and buying knowledge from each other.
When we share information we can take action on it faster. Information-sharing is at the heart of making us more resilient to what’s happening.
Q: Are there any other types of security safeguards that are currently underutilized?
AG: There’s a couple. The first one is application security. Historically, about 84 percent of breaches take advantage of vulnerabilities in an application. For the industry, this has been true for a very long time.
Now, with the explosion in mobile apps, cloud-delivered apps, and even the migration of existing legacy apps to cloud delivery within enterprises, we have a chance at redoing this. We’re rewriting access to back-end applications in mobile apps. We’re rewriting applications so that they are hostable and deliverable from the cloud. In that rewriting, we have a chance of reviewing and eliminating a lot of the vulnerabilities that we built into the original apps.
We blew it the first time, but now we’ve got a second shot: we could be building these new applications more securely, and yet we’re not doing it. In a recent study we performed on mobile applications, 9 out of 10 had security flaws written into them. We’ve got to code the next generation of applications better than the first. The tools are there to do that. We just have to believe it’s important enough, and then behave differently.
Q: And the second?
AG: The second area is to address breaches that take advantage of the user in some way. This includes socially engineered attacks, and attacks where users get compromised because they clicked on something. Helping to protect users from themselves is something we can do with technology.
One of the ways we can do that is through two-factor authentication—not just a password, but something that they have or something that they are, whether it’s fingerprints, hands, or a token. It’s still very painful to do two-factor authentication; there are ways to make it easier.
Q: The cost of enterprise security is rising steadily. How do CISOs think about security budget allocation for 2014 and beyond?
AG: The trick with security is finding and refocusing where we spend our money, so we are protecting only the most important things. Seventy to ninety percent of the data in your company, if somebody stole it, it wouldn’t matter. But there’s five to ten percent of your data, if somebody steals it, you’re in trouble.
If you just spend to protect that instead of protecting everything, you could get by with a lot less budget, or be much more effective at protecting what matters for the same money. You need to have a different conversation with the business person, so you know what data matters and zero in on protecting that.
Q: You’re talking about removing security from nonessential places. Won’t the business be uneasy about having less overall protection?
AG: Yes, that’s the conundrum we have, but that transition has to happen, and we have to help people understand why it’s more secure than what we had in the past. We will have to be able to demonstrate that it’s better, and that the information and assets that matter are more secure.
As a CISO, the reality is, I'm going to ask for $10, and I’m going to get three to five bucks. If half of my programs aren’t going to get done anyway, I’d rather be strategic about it than follow the checkboxes on the policy.
Q: How will enterprise security be different in five years?
AG: Five years from now, our infrastructure is going to be radically different. Look at how quickly things changed over the last five years: we went from no mobile devices to mobile devices everywhere, and the rate of change is increasing. Where and what we need to protect is going to change dramatically. There is now, and will be in the future, an expectation that we will be able to easily access corporate information from everywhere. In this world, we will need to be more targeted and flexible in how we protect our enterprises.
For more on making the right strategic moves in the 2014 security landscape, visit HP Enterprise Security, and take our free HP/IDG IT security assessment.
HP Software’s Paul Muller hosts a weekly video digging into the hottest IT issues. Check out the latest episode.
Preparing today for tomorrow’s threats.
Introduction to Enterprise 20/20
What will a successful enterprise look like in the future?
Challenges and opportunities for the CIO of the future.
Dev Center 20/20
How will we organize development centers for the apps that will power our enterprises?
Welcome to a new reality of split-second decisions and marketing by the numbers.
IT Operations 20/20
How can you achieve the data center of the future?
What the workforce of 2020 can expect from IT, and what IT can expect from the workforce.
Looking toward the era when everyone — and everything — is connected.
Data Center 20/20
The innovation and revenue engine of the enterprise.