I Know You’re Not Safe from a Cyber Attack

By Bask Iyer, CIO, VMware

Benjamin Franklin famously said, “…nothing can be said to be certain, except death and taxes.” I would add enterprise network breaches to that list. If you think “cyber-attacks can’t breach my network security,” or more humbly, “our business isn’t that attractive for hackers,” think again.  If you believe your company’s network is foolproof because you have a solid perimeter defense, consider what former FBI Director Robert S. Mueller, III said a couple of years ago:

“…I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again…”

Don’t believe me yet? Talk to the CIOs, CTOs, and CISOs of eBay, Target, Home Depot, JP Morgan, Sony, or Anthem. If you’re still not convinced, ask the IRS or Hillary Clinton.  Or the US Government last week.  That’s just the tip of the iceberg.

Hackers are growing more sophisticated, lurking inactively for longer periods of time within a system in order to evaluate data flows and targets, and IT infrastructure is growing more visible via the cloud. These facts, coupled with the ever-present threat posed by lax employee practices and weak BYOD policies, guarantee that it’s going to be an uphill battle from here on out, no matter what kind of network you’re tasked with securing.

If you aren’t sufficiently nervous yet, consider these stats:

  • According to the recent Verizon Data Breach Report (April 2015), network border-security applications are only 24% effective. In 76% of cases, hackers get easy access to server data using stolen or weak credentials.
  • Another report by Juniper Research (May 2015) suggests businesses will suffer more than $2 trillion in losses due to data breaches in 2019—four times the cost this year.

What’s even more startling is that whenever there’s a breach, chances are disturbingly high that it could be an inside job:

  • Insiders with malicious intent cause up to 20% of breaches. (Mary Meeker Internet Trends Report, May 2015)

These facts put a big question mark on the perimeter-only approach to security.

What’s Wrong with the Current Security Model?

About fifteen years back, a solid perimeter defense was all an organization needed to secure their data center. Back then security breaches were still akin to bank heists or home robberies; the “bad guys” were outside the perimeter, trying to find a way in, and the “good guys” were inside. In this scenario, focusing your security spend on border controls made sense. Now the “bad guys” have perfected the art of penetrating a system through phishing, user password reuse, or by piggybacking malware atop legitimate traffic. Once inside, they take advantage of flat network topologies that allow unmanaged flows of traffic in the datacenter. That’s why two-thirds of corporate security budgets are spent on securing porous borders, yet they achieve only a 24% success rate.

What’s more, almost all of our devices in the future will connect to the corporate network wirelessly, and we’ll have applications and data everywhere. This is the exact opposite of the traditional arrangement, where your desktop had a physical connection to the network via an Ethernet cable. So the traditional security model is completely broken for modern devices.

This is why we need a better approach, some time around yesterday.

Finding a Way Forward

Specifically, I recommend increasing focus and investment in three areas:

  1. Promoting visibility across all environments.
  2. Enabling secure, pervasive identity and access management capabilities (policy-driven).
  3. Tightly coupling threat intelligence (internal, external, public, private) with proactive security strategies.

By tying this off with network virtualization, logically abstracting the physical network, you get:

  • Independence from physical network topology
  • Policy-driven segmentation based on apps, users, and containers
  • Automated deployment of security
  • More efficient use of scarce security resources and staff
  • Enhanced compliance monitoring and reporting

The Software-Defined Data Center (SDDC) is recognized as game-changing for a network’s agility, speed and efficiency, and rightly so. But it has only recently started to dawn on CIOs that network virtualization could also be the key to securing the data center.

Among other benefits, virtualization makes micro-segmentation possible. Micro-segmentation divides a system into small segments so that an administrator can apply security policies at any level, from a cluster of servers down to a single virtual machine. With a network virtualization technology such as VMware NSX, an organization can easily protect individual VMs within a network. Even if the bad guys penetrate the perimeter, they’ll still have many other security mechanisms to face, each protecting a small, integral data center asset.

Another major benefit of virtualization is that workloads can shift rapidly without involving an administrator, a major saving in the operational cost of firewalls. Network virtualization tools automate provisioning without human intervention: they distribute in-kernel firewalling routines to all hypervisors, handle workloads as they are moved, added, or changed, and enforce policy in a distributed fashion at the virtual interfaces.

Here’s a question: if this approach is so beneficial, why weren’t more people trying it before now?

Well, because even if you somehow purchased enough firewalls to inspect all the incoming traffic, keeping up with rule management would eventually have become impossible as more and more workloads were added, moved, and retired. However, with the ever-increasing adoption of SDDC and network virtualization, micro-segmentation has become both operationally feasible and economically practical for large-scale enterprises.
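To make the micro-segmentation argument concrete, here is an added example (not VMware or NSX code, and not from the original post) that compares how far an intruder can move in a flat network versus one with a default-deny, tag-based policy, and shows that the policy verdict is unchanged when a workload moves hosts. The workload names, tiers, hosts, ports and helper functions are all constructed for illustration.

```python
from collections import deque

# Constructed inventory: workload name -> tags. Names, tiers and hosts are
# assumptions for this example, not NSX objects.
WORKLOADS = {
    "web-1": {"app": "shop", "tier": "web", "host": "esx-a"},
    "web-2": {"app": "shop", "tier": "web", "host": "esx-b"},
    "app-1": {"app": "shop", "tier": "app", "host": "esx-a"},
    "db-1": {"app": "shop", "tier": "db", "host": "esx-b"},
    "hr-app-1": {"app": "hr", "tier": "app", "host": "esx-a"},
    "hr-db-1": {"app": "hr", "tier": "db", "host": "esx-b"},
}

# Default-deny allow-list keyed on tags, never on IP address or host.
RULES = [
    {"app": "shop", "src": "web", "dst": "app", "port": 8443},
    {"app": "shop", "src": "app", "dst": "db", "port": 5432},
    {"app": "hr", "src": "app", "dst": "db", "port": 5432},
]

def allowed(src, dst, workloads=WORKLOADS, rules=RULES):
    """Return the ports src may open to dst under the tag policy."""
    s, d = workloads[src], workloads[dst]
    if src == dst or s["app"] != d["app"]:
        return set()
    return {r["port"] for r in rules
            if r["app"] == s["app"] and r["src"] == s["tier"] and r["dst"] == d["tier"]}

def blast_radius(start, segmented, workloads=WORKLOADS):
    """Worst case: workloads reachable from `start` by hopping over permitted flows."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in workloads:
            ok = bool(allowed(cur, nxt, workloads)) if segmented else nxt != cur
            if ok and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {start}

def migrate(name, new_host, workloads=WORKLOADS):
    """Copy the inventory with one workload moved; its tags travel with it."""
    moved = {k: dict(v) for k, v in workloads.items()}
    moved[name]["host"] = new_host
    return moved

if __name__ == "__main__":
    for seg in (False, True):
        print("segmented" if seg else "flat", sorted(blast_radius("web-1", seg)))
```

Because the rules match on tags rather than addresses, retiring or moving a workload requires no rule edits, which is the rule-management problem described above.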

But is it really a silver bullet? Unfortunately not. Nothing is. As security sophistication increases, so too does the hacker toolkit—probably somewhere akin to the pace of Moore’s law.

The stark fact is that no network security measure will be 100% effective all of the time. But all you can do to secure your data is, well, everything you possibly can do. In 2015 and for the foreseeable future, it’s clear that we can no longer afford to entertain the idea that our current security efforts are sufficient, but we can engage and take back control of our digital world. We can make the job of the hacker much, much harder while at the same time restricting the attack surface, when a breach inevitably occurs, to be as small as possible.

Bask

On Twitter: @baskiyer

One thought on “I Know You’re Not Safe from a Cyber Attack”

  1. Ed Leary

    Interesting points on the OPM break-in … all of which could be addressed with NSX.

    OPM’s Massive Data Breach in 6 Easy Sound Bites – http://meritalk.com/blog.php?user=MeriTalkNews&blogentry_id=3959

    “Only a couple of weeks ago, the government made an important move, and said they recognized the need to increase visibility inside their networks,”

    Einstein 3 is an intrusion detection system employed by Federal agencies. It’s the 3rd generation based on the original Einstein (US-CERT program) intrusion detection system.
    “It’s good, but it’s not enough, and we know that because the commercial security industry is already moving away from that kind of defense.”

    “Cybersecurity must mean more than protecting the system — it must also include protecting data,”

    “Network defense is hard, and it’s even harder to do at scale.”

    What this is telling me is that once breached, hackers roamed freely to exploit at will. While agencies are mandated to use Einstein 3, NSX could provide an additional level of internal security for VMware-based systems to prevent further exploits.
