It's Time to Change the Way We Think About the Internet

Thursday, April 09, 2015

Peter Zavlaris


Moore’s Law is the observation that processing power for computers doubles every 18-24 months. The microchips that power technology have improved at an exponential rate, making compute power and storage exponentially more powerful and less expensive.

This exponential growth has resulted in tremendous leaps forward in how the Internet is used by individuals, organizations and businesses. The current problem, however, is that while IT has scaled and made tremendous advancements over the last decade, security continues to lag behind.

Alex Stamos, CISO for Yahoo, recently wrote that he believes that the security industry is failing. The issue is that most of the security industry still wants to sell “solutions” that don’t meet the modern demands of scale, automation and efficiency. IT creation and development is now virtualized. Compute power and storage are commodities. But hardware security devices, agent-based solutions and manual processes aren’t practical at scale. Stamos points out,

For the most part, the security vendors I meet believe that IT departments want to run another agent on their Windows laptops, that production engineers are willing to put a cheap Lintel 1U security device in their critical path, and that every company's security team is staffed like a Top-5 bank. These assumptions are not true. Companies across the world are waking up to the fact that their security posture is insufficient to fend off the threats that breached Sony, Anthem and JPMC, and we can no longer build products like it's 2005.

The fact is that many security vendors have built technologies around a defensive perimeter. But times have changed; business now operates across the Internet, and data doesn’t sit nicely behind a walled garden anymore. The next generation of security solutions needs to address problems being created today, not yesterday.

Online channels between businesses and their consumers are operational pillars. Losing the channel could have devastating consequences, but so could having the security of these channels be compromised. The Internet has scaled so rapidly that many security controls are well behind the threats.

How do you prevent malware from turning your websites against you? How can you ensure the client-facing code on your website isn’t beaconing out to the bad guys or redirecting visitors to malware-infected infrastructure? How many infected URLs are interconnected with your website right now? Are you sure the digital ads running on your websites are safe?

It’s safe to say that if your budget is devoted to 10-year-old technologies designed to fix the same flaws they have been addressing for years, then you’re in trouble. Are you hesitant to explore new alternatives because you’re over-burdened by compliance requirements?

You’re not alone! But something needs to change drastically. Your company and its security organization need to wise up. And guess what? There is technology available that has been designed to operate at the scale of the Internet, and more innovations will continue to follow.

You can have clear visibility into the areas where your customers are at risk. You can build controls OUTSIDE of your walled garden that will make meaningful improvements in the security of your company, your employees AND your customers.

The technology revolution continues to scale at exponential rates. Businesses have become forward-thinking and agile when it comes to the Internet but have lost focus on the security risks. The very channels your business uses to interact with its customers are under attack, and this is all happening outside of your control. It’s time to do something before it’s too late.

This was cross-posted from the RiskIQ blog. 
