“The Whole Model is Broken”
Why the time is ripe for a radical overhaul of cybersecurity solutions
Equifax has become the latest in a long line of high-profile breaches, and as long as the cybersecurity model remains the same, it won’t be the last. Lucy Ingham hears from Alert Logic’s Misha Govshteyn and Marc Willebeek-Lemair about how the industry is ripe for transformation, from a piecemeal best-of-breed approach to cohesive integrated solutions
So often in business, practices remain in place not because they’re the best solution, but because they are the norm. Approaches that were developed in response to the climate of the time are continued even when the world around them has moved on, and executives maintain them out of habit, with little consideration for why they are done.
Cybersecurity has in many ways suffered this fate, and that inertia is arguably responsible for the prevalence of high-profile breaches such as Equifax.
“You need to look no further than the front page of pick-your-favourite-news-agency to see 'hey, they got breached',” says Marc Willebeek-Lemair, chief strategy officer of security-as-a-service cloud provider Alert Logic. “What model were they using? It's that old model.”
The model in question is widespread across businesses: the use of an array of different products selected for being the best at that particular application, and cobbled together with the aid of in-house security professionals to form a complete cybersecurity solution. This may have worked at one time, but in the business world of today, and particularly looking towards the future, this approach is simply not working.
“There's some big changes that have to happen in security. I think we've kind of reached the plateau of what you can do by buying your own product, or seven products, and assembling them together,” explains Misha Govshteyn, founder and senior vice president of products and marketing at Alert Logic.
“It hasn't been working, and it doesn't really work all that well. The companies that can afford to have a small army servicing these products might be able to get some value out of it, but I think we've run that out, that's just not going to work in the long term.”
For Texas-based Alert Logic, the answer is a transition to an integrated solution, where all components come as an easy-to-implement toolkit provided by a single company.
“An integrated solution is where you come to the table with more of those piece parts ready set to go, rather than have this exercise of the customer having to go find maybe eight, nine different products from different vendors, pick the best ones they can, bring those in house, plumb them together and then hire a team of experts to go manage them,” says Willebeek-Lemair. “When you think about that, I believe anyway, five-to-ten years from now you're going to look back and go 'that's crazy'.”
From Target to Equifax: Failures in the best-of-breed model
Govshteyn and Willebeek-Lemair argue that the best-of-breed model’s days are numbered, and their case is extremely compelling. First and foremost, this standard model represents increasingly poor value for companies.
“The argument has always been, well, the top companies buy the best-of-breed in each category and then bring that together, and what we find is that in order to extract that best-of-breed value, it’s enormously difficult to have the next level of the solution,” says Willebeek-Lemair. “So you actually end up paying more for a piece part that you never get to extract that value from.”
However, it’s about more than just cost. The old model is also heavily reliant on human talent, with different teams often working on different security software, and wherever there are joins between separate packages, there is a risk of things being missed.
This was the case with the infamous Target breach, which affected the data of 41 million customers back in 2013. At the time, Target had outsourced part of its security operations centre to a team in India, then a common practice, which worked in conjunction with the company’s US-based headquarters. On the day the breach occurred, everyone did their jobs properly, but the structure of the company’s security system meant that the alert was simply missed.
“They had all the components in place in order to detect it, and do something about it, they just didn't put it together. They had FireEye that detected it, they had an Indian security operations centre (SOC) that saw it, there were 50,000 alarms that day that said generic malware: how do you know which one of the 50,000 is the one that matters?” says Govshteyn.
“The guys in India did their job, they logged it over to Minneapolis which is where Target is headquartered. Maybe they didn't send over 50,000 that day, but they sent over probably more than they could have processed, and they missed it. Simple as that, right? Almost there, but not good enough.”
“How quickly and how well the management team responds determines the level of reputational damage.”
As part of this approach, no preference was given to specific areas of risk, so when Target’s payment system was hit – perhaps the most at-risk area of the company’s business – it was not afforded any more focus than other areas of the business.
“I think the whole model is broken,” he adds. “What makes a lot more sense to me is if you're going to secure a certain set of applications, they're critical to you because, for example, for Target they got breached through their payment systems. That is one of the biggest areas of risk.
“If I was Target I would say 'this is my exposed area. I'm going to find someone who owns the outcome of these systems not getting breached.'”
It was the same story in the Equifax breach, where a failure to patch a known vulnerability in the Apache Struts web application framework led to the leaking of personal data for over half the US’ adult population.
“The Struts application that got broken into is very much a core asset,” says Govshteyn. “Somebody should own the core outcome of that application not getting breached.”
Old habits die hard: Security spending with yesterday in mind
This misalignment of risk and security focus is particularly acute in cybersecurity spending, and the piecemeal best-of-breed approach makes it worse. The sensible approach is to concentrate spending on the biggest risk areas; with an assemble-your-own-security-system approach, that focus is often lost.
“You can never be 100% secure, that's just a fact, and anybody that tells you that you can isn't actually a professional in this field. But the question that companies are always trying to answer is: what level of risk is acceptable? And what level of investment is required to reach that level?” says Willebeek-Lemair. “The more sophisticated companies are able to identify what assets are the most critical, and let’s not invest disproportionately, let’s invest where we think the biggest risk areas are, and make sure those are as tightly secured as possible, and balance our budget across other areas where it’s less significant.”
Of course, the resulting question is: what is the biggest risk area? According to Alert Logic’s research, it’s web applications.
“Our data is telling us it’s all in that application, that web app layer, and so we disproportionately focus our content security research on that layer which we think is the soft underbelly where the attack is going to come,” he explains.
However, the reality of companies’ spending habits just doesn’t match this.
“There is a huge disconnect in spending,” adds Govshteyn. “We did the math: for every dollar spent on web security, enterprises will spend $23 securing just about everything else.”
Essentially, companies are spending far too much on older security solutions such as firewalls and antivirus, when they should be focusing on web-specific security solutions, such as web application firewalls (WAFs).
“You know what people buy way too much of? Firewalls. We have way more firewalls than we could ever need,” exclaims Govshteyn. “And that's pretty frustrating because I think it’s one of the few technologies where – antivirus reached this point – at some point people stopped asking why we need it.”
“Old habits die hard, and so for everybody there is a budget for these things,” adds Willebeek-Lemair.
For Govshteyn, the Equifax breach is an example of negative consequences from this disproportionate spending.
“The Equifax breach could have been stopped. The technology that can do it is web application firewall,” he says. “How large is the web application firewall market? $600m. How is it possible that one of the most critical risk areas in the cloud, really in a lot of data centres, is only a $600m market? I think the firewall market is over $2bn.”
The value of an integrated cybersecurity solution
There are a host of reasons why an integrated cybersecurity solution, where one company provides all aspects of security as an integrated package, can offer superior results, but one stand-out reason is the ability to shift focus to the areas of most critical risk.
“If you arm the content team with: here's all the tools in your toolbox, pick the best way to protect yourself, they have a much better chance of providing a level of protection using the right tools, rather than try to finagle each piece in,” says Willebeek-Lemair.
This allows individuals or teams to own areas of critical risk and reduces the chances of a devastating breach.
“That's kind of the way we built our business. We don't roll in there and tell them 'look, we're going to give you all this information; you decide what you're going to do with it',” explains Govshteyn.
“Our job is to say 'we're going to make sure that one incident out of the giant haystack that's going to kill you, we deal with that right and we escalate it to you, and it’s our job to go all the way'.
“I think that's the model that can actually work, and frankly we don't actually get it all right 100% of the time, and when we don't we deserve to get fired, but that's the model that I think people need to start thinking about.”
In addition, this approach is far better suited to modern businesses, which, in the digital world, have far lower overheads than their older competitors and so are looking for affordable, easily adopted solutions. An integrated solution is inherently easier to adopt, as it removes the need for a team of in-house experts to cobble the pieces together.
“That's exactly why this model that we're espousing is going to work, because there's so many companies today that pop up out of nowhere overnight, all you need is a good web presence and you've got a company, right?” explains Willebeek-Lemair. “They have no security expertise, so back to the old model: what are they going to start doing, hire a bunch of security folks and start buying these pieces? They are going to have to rely on organisations to take that on for them.”
In the longer term, however, an integrated solution also provides a host of other benefits, as it solves a long-standing problem within the industry: a lack of centralised data on threats and attacks.
“For all of the discussions about threat intelligence sharing, there's just not enough of this data out there,” says Govshteyn.
This is because data is held in small batches by individual companies, and there is no incentive for them to share it. With an integrated system, however, one company would hold large batches of data, which could be used to move cybersecurity techniques forward considerably.
“One of the reasons I'm such a believer in this integrated model is it more easily enables these two other factors,” explains Willebeek-Lemair. “The first one is analytics: you've got to have the data to perform those analytics.”
Better analytics would, Willebeek-Lemair argues, better allow under-used technologies such as machine learning to be implemented, enabling fresh understanding of attack patterns and risk areas.
“Machine learning is just beginning, we've got some very nice results already, we see that happening, that is going to change the way we defend,” he says.
“The second one is automation. Sure you've got that need for human experts, but there's a lot of activities that human experts perform today that they don't need to perform, that could be automated. And we've been investing also in that area, we make sure that when it’s time for a human to put their eyeballs on it, a lot of work has been done to minimise the energy and the effort that we need to now put into that.
“So we see those two things happening to facilitate the defensive side; I think we're going to see some pretty dramatic improvements over the next five or ten years as well.”
Enter the cloud: Fuelling a transformation of the cybersecurity industry
One of the biggest areas of business technology growth in recent years has been in the cloud, and that is only set to increase further.
But as companies are expanding into cloud-based technologies, they are looking for cloud-appropriate security solutions, and it is here that the integrated solution model is seeing the most immediate adoption.
“The cloud is a clean sheet of paper and the team is asking what should we do for cloud? And now you get into a couple of interesting things, because one, you want it to be cloud-native, and that's another huge strength of our solution is it’s got to scale, it’s got to be flexible, all of the things that you want, and obviously also focus on the types of threats that you're going to encounter there,” says Willebeek-Lemair.
“And then the second piece is, well I haven't invested a whole bunch of technology there, so I have an opportunity to think more fresh here. And that is why I think we're seeing this popularity of that new approach as you move into cloud.”
However, many of the major players in the cybersecurity industry, which ultimately owe their success to the old best-of-breed model, have been immensely sluggish in responding to the new challenges the cloud presents.
“I'll predict this: if the security industry doesn’t step up and change, the cloud provider will do it for us. When I talk to my counterparts - we work very closely with both Microsoft and Amazon, and they're telling us, look, security is so messy and it requires so much expertise and things change every single day, I don't have any interest in doing that. But ultimately the cloud doesn't grow if it doesn't get secured properly,” warns Govshteyn.
“[The cloud providers are] going to say, you know what? I’m done waiting for HP, or Symantec or Trend Micro to get this right, I’m going to do it myself.”
“We're living in an environment where the internet was built without security in mind, and it’s just this gigantic infrastructure now. The cloud, one of the reasons people love it so much, is it gets updated in the background constantly, and it can stay very fresh. And it’s often completely hidden from the end customer: it just works,” adds Willebeek-Lemair.
“And so [there’s] the ability for the cloud provider to start embedding more and more of this capability as they go forward in order to just say: ‘hey, you know what? This is too important, we're not going to rely on this fixed bolt-on method as we did before.’”
This is good news for companies looking for effective security solutions, but less good news for traditional cybersecurity providers.
“I think it’s a shot across the bow. If security companies don't realise that cloud companies will become their largest competitors in the future and they've got to out-perform them somehow, they've got to be more valuable, they're just going to be extinct,” says Govshteyn. “So five years from now, pick the top five security providers, they're going to be much smaller and in decline.
“It’s already happening. Go online and plot the Symantec revenue trajectory for the last five years: you'll see a company in decline. That's a company that refused to acknowledge that antivirus - the latest guidance from Gartner is don't deploy antivirus in the cloud - it's not useful. They didn't see that coming. It's not that nobody buys antivirus anymore, it’s that the growth is happening in the cloud, and they're definitely not buying antivirus there.”
“Sometimes they see it coming but that revenue, that cash cow, is so powerful within the company that they can't get out of their own way,” adds Willebeek-Lemair.