In the two most recent Virtualization and Cloud Security Podcasts, we concentrated primarily on three subjects: WannaCry and its impact, multicloud security, and the role of security in the future of the data center and multicloud. We walked through examples of how security can extend its reach and grow its impact within an ever-changing organization by using automation.
From these discussions emerged several themes—themes that are as important today as they were yesterday. They are:
- If you are worried about VM or container escape, you have missed some very important aspects of security. Escape should not be your first concern.
- Defense in depth is always preferred. This is how you defend against things like WannaCry and others.
- Segregate and limit your attack surface; shut down unneeded ports and processes! The latest ransomware, Petya, takes advantage of exactly this lack.
- Patch, patch, and patch again. Long uptimes are not a badge of courage. Actually, I would rather see long uptimes for a cluster as a whole than long uptimes for any individual machine of a cluster. The lack of patching has led to the latest ransomware attack, Petya.
- Bring alternatives to the discussion; leave the word “no” in the wastebasket beside your desk.
- Clouds and virtual environments are not black boxes. Understand what happens within them. You can place security within those environments where appropriate.
- Automate security deployments and updates!
- Consider scale!
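As an added example (not from the podcast or the original post), here is a Python audit of the "shut down unneeded ports" point above: it parses a listening-socket table in the shape that `ss -Hltn` prints on Linux and reports every network-reachable listener that the host's role allowlist does not permit. The role names, the allowlist and the sample `ss` output are all assumptions constructed for the example. In the sample, TCP 445 (SMB) is listening on all interfaces of a "web" host and is flagged, while the database listener bound only to loopback is not.

```python
"""Audit a host's listening TCP sockets against a per-role allowlist.

Input is text in the shape of `ss -Hltn` output on Linux (no header,
listening TCP sockets, numeric ports).  Any socket bound to a
non-loopback address on a port the role does not allow is a finding.
"""
import re
import subprocess
from typing import Dict, List, Set, Tuple

# Hypothetical role allowlists (assumption for this example): the only
# TCP ports a host of that role may expose beyond loopback.
ALLOWLIST: Dict[str, Set[int]] = {
    "web": {22, 443},
    "db": {22, 5432},
}

# Columns of `ss -Hltn`: State Recv-Q Send-Q Local:Port Peer:Port [Process]
SS_LINE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+")

# Constructed sample output; not captured from a real host.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 *:443 *:*
LISTEN 0 50 0.0.0.0:445 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 5 [::1]:631 [::]:*
"""


def split_local(local: str) -> Tuple[str, int]:
    """Split 'addr:port' as printed by ss, handling '[::]:22' and '*:443'."""
    host, _, port = local.rpartition(":")
    return host.strip("[]"), int(port)


def is_loopback(host: str) -> bool:
    """Loopback-only listeners are not reachable from the network."""
    return host == "::1" or host.startswith("127.")


def audit_listeners(ss_output: str, role: str) -> List[Tuple[int, str]]:
    """Return (port, bind address) for every network-reachable listener
    that the role's allowlist does not permit, sorted by port."""
    allowed = ALLOWLIST[role]
    findings = set()
    for line in ss_output.splitlines():
        m = SS_LINE.match(line.strip())
        if not m:
            continue  # ignore anything that is not a LISTEN row
        host, port = split_local(m.group("local"))
        if is_loopback(host) or port in allowed:
            continue
        findings.add((port, host))
    return sorted(findings)


def audit_this_host(role: str) -> List[Tuple[int, str]]:
    """Run the audit against the live socket table of the local host."""
    out = subprocess.run(["ss", "-Hltn"], check=True,
                         capture_output=True, text=True).stdout
    return audit_listeners(out, role)


if __name__ == "__main__":
    for role in ("web", "db"):
        for port, host in audit_listeners(SAMPLE_SS, role):
            print(f"[{role}] unexpected listener {host}:{port}")
```

Run on the sample, the "web" role reports only 445 on 0.0.0.0; the "db" role additionally reports 443, since a database host has no business serving HTTPS. `audit_this_host` is the same check against the live socket table, which is the piece a configuration-management or scheduled job would call on every host.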
Scale is changing everything, and speed is changing everything. When you combine scale and speed, it absolutely requires that control measures be automated. Automation is the secret tool within any IT security toolbox. Automation requires learning new things, new tools, and new concepts as well as joining the Agile Cloud Development or DevOps movement.
And that is the crux of the matter: the old ways of doing things just do not work anymore. Signature-based approaches are falling behind, and since regulatory compliance has not caught up with modern threats, we need to move our approaches along ourselves. Modern antivirus, for example, is more behavior based than signature based, even to the extent of including deep learning. More and more tools are moving away from mechanisms prone to false positives and toward deception techniques (honeypots and similar decoys). Because no legitimate user or process should ever touch a decoy, any interaction with one is a high-fidelity alert, whether the threat is known or unknown.
However, that does not mean we no longer have to go threat hunting. Threat hunting is a skill that is becoming increasingly valuable as the threat landscape undergoes a major change. The new threats require us to whitelist network access just as we whitelist files and applications: blacklisting only catches what we already know about. Whitelisting means we must keep rules and policies up to date and bind them to groups rather than to individual users, which in turn means group membership must be continually audited.
Once more, we see the need for automation: not just automation of security procedures and updates, but security automation as part and parcel of any application. We need security automation tied into HR systems to ensure that a person who has just been let go immediately loses access to everything. This type of workflow should be standard in today's IT security. Yet it is not, while the risks and the threats keep growing.
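The two preceding paragraphs call for the same piece of automation: access granted by group rather than by user, group membership audited continually, and an HR-driven workflow that strips access from anyone no longer employed. The following Python reconciliation is an added example (not code from the podcast or the original post) that does both in one pass: every member of every access group is checked against the HR status feed and against the group's approved roster. The HR export, the group listing, the rosters and the group names (here modelled as groups that back firewall allow rules) are constructed assumptions; a real job would read them from the HR system and the directory.

```python
"""Reconcile HR status with directory group membership.

Network access is granted by group (for example, groups that feed
firewall allow rules), so access is revoked by removing group
membership and disabling the account.  Two checks run here: revoke
anyone HR no longer lists as active, and flag anyone who sits in a
group without being on that group's approved roster.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed HR export: employee id -> status.  "mallory" has no HR
# record at all, which is treated as "unknown" and revoked.
HR_EXPORT: Dict[str, str] = {
    "alice": "active",
    "bob": "terminated",
    "carol": "active",
    "eve": "active",
}

# Constructed directory listing: group -> current members.  Group names
# are hypothetical; here each group backs one firewall allow rule.
GROUPS: Dict[str, Set[str]] = {
    "fw-allow-db-5432": {"alice", "bob", "mallory"},
    "fw-allow-admin-ssh": {"alice", "carol", "eve"},
}

# Constructed approved rosters: who the access owner has signed off on.
APPROVED: Dict[str, Set[str]] = {
    "fw-allow-db-5432": {"alice", "bob"},
    "fw-allow-admin-ssh": {"alice", "carol", "dave"},
}


@dataclass(frozen=True)
class Action:
    kind: str    # "revoke" (HR says gone) or "review" (roster drift)
    user: str
    group: str
    reason: str


def reconcile(hr: Dict[str, str], groups: Dict[str, Set[str]],
              approved: Dict[str, Set[str]]) -> List[Action]:
    """Compare every group member against HR status and approved roster."""
    actions: List[Action] = []
    for group in sorted(groups):
        for user in sorted(groups[group]):
            status = hr.get(user, "unknown")
            if status != "active":
                # Anyone not actively employed loses access, no exceptions;
                # a missing HR record is treated the same as terminated.
                actions.append(Action("revoke", user, group,
                                      f"HR status: {status}"))
            elif user not in approved.get(group, set()):
                actions.append(Action("review", user, group,
                                      "not on approved roster"))
    return actions


def accounts_to_disable(actions: List[Action]) -> Set[str]:
    """Users with at least one revoke action get their account disabled."""
    return {a.user for a in actions if a.kind == "revoke"}


def apply_revocations(groups: Dict[str, Set[str]],
                      actions: List[Action]) -> Dict[str, Set[str]]:
    """Return the group listing with every revoked user removed from every
    group, not only the one that produced the action.  Review actions are
    left for a human and change nothing.  The input is not mutated."""
    gone = accounts_to_disable(actions)
    return {g: members - gone for g, members in groups.items()}


if __name__ == "__main__":
    acts = reconcile(HR_EXPORT, GROUPS, APPROVED)
    for a in acts:
        print(f"{a.kind:6} {a.user:8} {a.group:20} {a.reason}")
    print("disable:", sorted(accounts_to_disable(acts)))
    print("groups after:", apply_revocations(GROUPS, acts))
```

On the sample data the job revokes bob (terminated) and mallory (no HR record) and flags eve for review because an active employee was added to the admin SSH group without an approved-roster entry. The separation matters: revocations are safe to apply automatically and are applied to every group the user holds, while roster drift goes to the access owner, because the fix may be to approve the user rather than to remove them.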
In the end, IT security needs to work smarter, not harder. We need to use automation and workflows to replace our by-hand procedures. We need to be able to trust our automation, and that trust has to be earned by testing: IT security needs its own cyber ranges to try out major automation efforts before they touch production. These ranges can live within today’s private or public clouds as well.
We need to better understand the risks as our business, development, and IT move faster—too fast for humans to keep up. Security’s job is not being automated away, security’s job is evolving!