Making sense of enterprise security

Source:   —  April 16, 2016, at 6:19 PM

Tom Seo is an investor at Envision Ventures.

Until recently, I knew nothing about enterprise security beyond some of the more widely publicized breaches in the United States.

That said, after spending most of 2016 immersed in the space, I’ve come to appreciate just how challenging and broad an issue security has become for enterprises.

I’ve also come to believe that our best hope for solving security is by understanding humans — the perpetrators and victims of cyberattacks — and, as a result, I’m convinced that security is fundamentally a human identity problem.

A philosophical view

Human beings have a tendency to do things with technology that go beyond original intent, and this inclination should be celebrated. After all, technology continues to drive radical innovation, whether in the form of new applications, use cases or platforms.

Unfortunately, it’s also this type of behavior that makes security such a challenging problem. As individuals and organizations leverage technology for intended and unintended uses, it becomes virtually impossible to foresee all threats and vulnerabilities that surface in the process. In other words, the issue with enterprise security is that, by nature, it’s reactive. No system or asset can ever be fully secure.

An economic view

Economic theory also highlights why security has become so problematic, as it explains both market and buyer/seller dynamics.

An obvious takeaway from RSA 2016 is that the market has become incredibly saturated and fragmented. Enterprise security companies — incumbents and challengers alike — claim to offer nearly identical solutions, and collectively crowd around a handful of themes (e.g. “endpoint security leveraging machine learning”). Moreover, buyers base decisions on an established set of “signals” — most of which do more to satisfy compliance checklists than address underlying security vulnerabilities.

The saturation, fragmentation and herd-like behavior are symptomatic of the uncertainty that governs market forces in security, which I think leads to illogical buying and selling behavior. A slew of offerings for practically every market segment exists because we’re still nowhere close to figuring out how best to protect enterprises.

Buyers are still willing to pay for ineffective solutions in the midst of massive breaches, and sellers continue to champion product infallibility in their marketing brochures, even though they, too, are unsure of their products’ ultimate value.

So while it’s abundantly clear that there isn’t a single silver bullet in enterprise security, we’ve reached a point where, taken in aggregate, there are apparently hundreds, if not thousands, of distinct silver bullets. Though unusual, economics suggests that this occurs when buyers and sellers work within an environment of extreme uncertainty.

On cloud and IoT

Cloud and IoT further complicate the issue, namely by altering and expanding the total enterprise attack surface.

On cloud. The traditional (and clearly outdated) approach to security involves a single enterprise firewall that encompasses the entirety of an organization’s IT infrastructure. This approach has been made largely obsolete as companies embrace the cloud, with assets no longer centrally housed and structurally isolated.

Not only that, but with increased adoption of cloud applications, companies face unprecedented levels of IP, data and identity sprawl beyond the enterprise firewall. What's frequently touted by cloud evangelists (i.e. distribution of IT assets) creates a nightmare scenario for security professionals.

On IoT. An inflow of connected devices entering the IoT ecosystem exponentially increases (1) the number of entry points exposed to breaches and (2) the permutations of paths attackers can exploit to reach targeted assets.

The notion that existing endpoint security solutions can effectively mitigate IoT-borne risks is tough to accept, as connected “things” are by design very different from desktop and mobile devices. IoT hardware and software come in many more shapes and sizes than those of traditional endpoints, and the absence of standardized protocols in deployment today makes it challenging to secure all assets within the IoT ecosystem. A shift toward verticalized applications and use cases suggests that even if standards are put into place, they'll be somewhat federated and industry-specific.

Also, because IoT devices face limited system resources, they're incompatible with most endpoint and antivirus solutions in the market. And even if they're compatible with existing offerings, security professionals must deal with the lion’s share of devices that are currently running on legacy operating systems unable to support cutting-edge technologies.

Yet what makes IoT the single biggest security risk of our generation is that attacks are no longer constrained to IT assets. Because the foundational value of IoT lies in bridging the physical-digital divide, attackers can now target operational technology (OT) to cause real physical damage.

Again, because humans have an inclination to do things with technology that go beyond original intent, the possibilities are endless for hackers. Recent attacks targeting control systems and physical assets (e.g. vehicles, power grids, HVAC systems, dams, steel mills) only scratch the surface — it’s very possible to see how future attacks could be carried out by organized crime groups to inflict injury and even death.

The enterprise view

None of this should come as news to security professionals, who know much more about the space than I do (and probably ever will). Still, I’ve observed that in most organizations, security is defined as a largely operational function, which in turn leads to reactive, incohesive decision-making.

These dynamics have become institutionalized to a point where there are now established “religions” in security, which include:

Relying entirely on the “religions” above to secure enterprises is dangerous, not least because attackers and threats are constantly evolving. Tactical decision-making is effective only to the extent that it’s guided by an overarching, unified enterprise security strategy.

My view

So how should companies think about approaching security at a broader strategic level? To address this question, it’s worth re-emphasizing that:

The recurring theme in all this is that there are countless moving parts in enterprise security. A natural corollary to this point is that because the challenge is so dynamic, committing technological, organizational and financial resources to a specific tactic is counterproductive — and bound to fail. It’ll only be a matter of time before the next major breach renders an approach ineffective.

There is, however, an element that remains consistent throughout — that despite the uncertainty that governs market forces and recent advances in IT/OT infrastructure, human beings have been, and will always be, the ones carrying out cyberattacks.

Notwithstanding the varying motives and approaches pursued, attackers — whether they be rogue actors, corporate insiders, industry competitors, organized crime groups or nation states — can only work within the constraints dictated by human tendencies and behavior.

With that said, I’d like to argue that security is really about understanding human beings. While there’s no shortage of attention around incorporating the most advanced technology into security solutions, I’m bullish on innovation for the sake of innovation. I feel strongly that advances are only helpful to the extent that they shed light on who the attackers are, and how they behave both inside and outside the enterprise.

This means that when addressing potential insider threats, a company needs full visibility into every employee, contractor and customer with access to its underlying assets. Growing mindshare around Identity and Access Management (IAM) is an encouraging trend, as it goes beyond solutions that are focused exclusively on the application layer.

Because identity is no longer abstracted from IT infrastructure and networking components, enterprises are able to attain full visibility and provision, assign and manage privileges in a seamless (and hopefully automated) fashion throughout the entire stack.

To more effectively address external threats, this means that enterprises shouldn’t rely solely on a blacklist of attackers and vulnerabilities — which is as reactive as it gets — but also should proactively scour the entire threat landscape to identify attackers and their recognized patterns of behavior. Threat Intelligence is starting to address this challenge, and I’m optimistic about solutions that systematically profile and contextualize attackers with a level of detail and granularity that's never been achieved before.

While my role in enterprise security is to invest in the most promising products and technologies, my biggest takeaway over the last few months has been that security, as technical a space as it may be, is about better profiling and understanding the attackers, thus making the problem fundamentally about human identity.

A special thanks to Dan Ahn, Anirban Banerjee, Alan Boehme, Taher Elgamal and Label Hoover for their insights, feedback and inspiration.

Featured Image: Bryce Durbin
