BOSTON -- There's no board game that can help enterprise information security managers win in their jobs, but one of the industry's most respected security analysts believes identifying key changes in IT and getting the resources to secure them can often seem like a game of "Chutes and Ladders."
Speaking this week at the SANS Institute's Security Leadership Summit, John Pescatore, the organization's director of emerging trends, said enterprise information security success hinges on finding ways to gain the trust of the C-suite and ensuring executives will listen when new resources are needed or new controls might affect users.
"Are we a chute or a ladder? How do we convince managers that we know where the ladders are and can avoid the chutes?" Pescatore said. "No CEO thinks security is going to be a solved problem. They want to know they have a security leader who knows what the problems are and can do something about them."
Pescatore, who joined the Bethesda, Md.-based research and education organization last year after 14 years at research giant Gartner Inc., offered his take on the key change agents in IT that are affecting how infosec leaders defend their organizations.
Increasingly, Pescatore said, enterprise employees are choosing to do their work using whatever hardware, software or service will enable them to do so. Citing April 2013 data from Gartner, he said 55% of U.S.-based employees use personally owned devices for work.
"The strategies we had for controlling security in the past were always dependent on dictating the device," Pescatore said. "Those days are gone and the world will never go back there again. As IT loses that control, what are we going to do about it?"
Though there are few easy answers, Pescatore stressed the need for "fundamentally different" security strategies, emphasizing the need to foster secure user behavior as advances in security technology have driven attackers further into social engineering.
Virtualization and cloud computing
Since 2012, Pescatore noted, the majority of enterprise x86 workloads have been booting up in a virtual machine, and that number is expected to grow to nearly three-fourths by the end of this year. Tongue in cheek, he said that change hasn't been entirely positive.
"Virtualization lets IT spin up poorly configured servers much faster," Pescatore said. "Doing the wrong thing faster rarely increases productivity or security."
However, virtualization and cloud computing have already transformed CIOs' views of the data center, Pescatore said, because they have greatly reduced the cost associated with maintaining and expanding a data center. IT security teams have lost much control over the data center as part of that transition, though, he noted, and the security defenses of the past are no longer applicable.
"Huge percentages of systems are moving outside of IT's control," Pescatore said, "meaning some of those reliable strategies -- like putting firewalls in front of the data center or putting Symantec on every server -- aren't going to work."
In response, Pescatore highlighted the importance of relying on technologies like network access control and mobile device management, and in the future, implementing data encryption and security as a service, including cloud-based security gateways.
Salary survey preview
Pescatore previewed findings from the 2014 SANS Salary Survey, which will be officially released this spring.
Though no hard numbers were shared, Pescatore said most firms expect to see little to no growth in the number of infosec pros they hire, but incident handlers and responders remain in demand. The need for audit and compliance staffers is expected to decline.
Enterprises, he said, really want to reduce the time spent on administration and technical tasks, and instead focus on security management and forensics.
Not surprisingly, security certifications were seen as the No. 1 factor contributing to career success. Admitting there may be bias among SANS-certified respondents, he said certifications remain a valuable tool to help hiring managers determine which applicants actually understand the tasks and skills critical to security.
Internet of Things
Citing SANS research on the explosion of non-traditional Internet-connected devices, Pescatore said the Internet of Things (IoT) is no longer a futuristic concept, but a reality facing enterprise security leaders.
A 2013 SANS survey found that among those organizations already dealing with IoT devices, 70% indicated that consumer-oriented devices like set-top boxes and cameras were already in their environments. More than half said Internet-connected HVAC systems, the IoT category believed to have played a large role in last year's Target data breach, were in play.
"Target had a data exposure, but that system could have been used to cause fires in stores," Pescatore said. "There are a lot of IoT sensors where even a DDoS [distributed denial-of-service] against them can lead to loss of life because they're in the health, medical and safety worlds.
"It's hard to patch Windows," Pescatore noted, "but it's even harder to patch an MRI machine."
He advised infosec pros to watch for emerging IoT devices and to strive to understand not only where enterprise data may be going, but what effect attackers could have if they compromise such devices.
Supply chain threats and integrity
A topic he has been following since the passage of the U.S. Patriot Act in 2003, Pescatore said supply chain security has only increased in importance.
"In the global world we have, we must look at third-party equipment to determine what's dangerous," Pescatore said. "But what it really comes down to is we're not going to do that perfectly."
To that end, he strongly advocated for organizations to build the capability to evaluate the security of new IT equipment before putting it into production.
He cited a 2010 project in which controversial Chinese networking vendor Huawei won a BT Group bid to upgrade the equipment on the U.K. government's network. Because the government was skeptical about the integrity of Huawei's products, BT helped the U.K. set up a testing center in which every piece of equipment was evaluated to determine if it was safe.
"That's supply chain integrity at work," Pescatore said. "It's part of the cost of being in the global economy."
An added benefit, he said, is that such test beds will often reveal when a product isn't all it's cracked up to be.
"When the U.K. first started analyzing Huawei code, they realized it's really crappy!" Pescatore said. "By looking at our supply chains and doing what we can to eliminate vulnerable software from getting into our environments, we're also cutting down the incident response time in seeing where external connections are coming in."