Hello and welcome to our discussion of the Ixia 2017 Security Report. Today, we will share the findings and observations seen by our ATI (Application Threat and Intelligence) Research Center across the whole of 2016. It covers the trends observed, the major incidents observed, original research findings, and ultimately recommendations and best practices to protect your organization.
Over 2016, one thing was crystal clear. We saw growth across the board. We saw growth in the number of organizations using the Cloud. We saw growth in the attack surface of most organizations, not just from cloud growth but also accompanying shadow IT growth.
We saw the attack surface also grow from increased IOT use and more personal and mobile devices being used for work. We experienced much of the same bad and ugly behavior from hackers who also grew not only from population growth but also the easy accessibility of hacking tools.
We also saw an increase in the speed of change of IT implementations. This led to complexity in systems and structure, and made it harder to see what breaks through and what goes unnoticed. The CISO role became much more of an orchestrator across the different IT models – in-house, mobile devices, personal devices, private and public cloud use.
And ultimately, this complexity and speed of change highlighted the growth of human error be it from simple items like keeping up with passwords for new infrastructure to ensuring patching of vulnerabilities takes place.
We will focus on each of these—the leading contributor of growth, what we saw with complexity, the human element and what hacker attacks were seen.
The majority of the findings in our security report and this presentation are from the Ixia ATI Research Center. This is a group within the company that combines expertise in both threats and application behavior, and spans our test, visibility, and security products. The ATI Research Center with 20 years of expertise is considered a leader in the industry.
Let's first look at the first major trend, growth, tied primarily to the cloud.
Cloud growth creates a larger and multi-dimensional attack surface. Three factors contribute to this. First is the tremendous growth seen in deployments, followed by the speed of change in a virtualized and container environment and last the new model of shared responsibility.
Each year, we continue to see increases in total data center traffic. Analysts predict that by 2020, we will have over 15.3 Zettabytes of data center traffic and 92% of the workloads will be cloud based. Already today, we have crossed the 50% mark of public cloud based workloads according to some studies and this is expected to increase.
http://www.cisco.com/c/dam/en/us/solutions/collateral/service-provider/global-cloud-index-gci/white-paper-c11-738085.pdf
The second factor to be aware of with cloud deployments is the speed of change. If we look back to traditional datacenters, servers were configured and left running for months or more. With the introduction of virtualization, a single physical server could now support many virtual machines, and the lifetimes of each could be measured in weeks. More recently, containers have been top-of-mind, with lifetimes measured in days or less. What this means is that a static visibility and security architecture no longer fits the bill. You need to be able to detect changes in your network immediately, and take appropriate action.
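The following is an added illustration, not code from the report or from Ixia, of the point above: a periodic inventory poll misses workloads whose lifetime is shorter than the polling interval, and even workloads that are seen can change image or exposed ports between two snapshots. The snapshots, lifetimes and poll times are constructed sample data.

```python
"""Added example: workload churn between two inventory snapshots, and
workloads that a fixed-interval poll never observes. All data is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    name: str
    image: str
    ports: frozenset  # exposed TCP ports


def diff_inventory(before, after):
    """Return (added, removed, changed) workload names between two snapshots.
    A workload counts as changed when its image or exposed ports differ."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = sorted(
        name for name in set(before) & set(after)
        if before[name].image != after[name].image
        or before[name].ports != after[name].ports
    )
    return added, removed, changed


def missed_by_polling(lifetimes, poll_times):
    """Workloads that no poll observed: no poll timestamp falls in [start, stop)."""
    return sorted(
        name for name, (start, stop) in lifetimes.items()
        if not any(start <= t < stop for t in poll_times)
    )


# Constructed snapshots taken one polling interval apart.
BEFORE = {
    "web-1": Workload("web-1", "nginx:1.10", frozenset({80})),
    "job-7": Workload("job-7", "batch:2.0", frozenset()),
}
AFTER = {
    "web-1": Workload("web-1", "nginx:1.11", frozenset({80, 443})),  # new image, new port
    "cache-2": Workload("cache-2", "redis:3.2", frozenset({6379})),  # new workload
}

# Constructed lifetimes (start, stop) in seconds, against an hourly poll.
LIFETIMES = {
    "web-1": (0, 86400),     # long-lived, seen by every poll
    "job-7": (100, 3000),    # lived 48 minutes between polls: never seen
    "cache-2": (3500, 4000),  # short-lived but happened to overlap a poll
    "scan-9": (7300, 7400),  # 100-second container: never seen
}
HOURLY_POLLS = [0, 3600, 7200, 10800]


if __name__ == "__main__":
    added, removed, changed = diff_inventory(BEFORE, AFTER)
    print("added:", added, "removed:", removed, "changed:", changed)
    print("never observed by hourly poll:", missed_by_polling(LIFETIMES, HOURLY_POLLS))
```

The second function is the one that matters for the argument: anything that lives for less time than the poll interval is invisible to a static, schedule-driven view, which is why change notification from the orchestrator or hypervisor is needed rather than periodic scanning alone.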
The third dimension of the cloud attack surface is the shared responsibility model, and this bears some discussion. If we look at the primary types of cloud services, we have Infrastructure as a Service, Platform as a Service, and Software as a Service. The first is where the cloud provider offers just the physical infrastructure, and the enterprise does all the rest. In a PaaS offering, some basic services such as database or web are offered, and with SaaS, you have access to actual applications. All three are popular and offered by the major cloud service providers like AWS, Microsoft Azure, and Google Cloud Platform.
Digging deeper, this chart from Gartner shows the elements of the three types of services, and more importantly, depicts what security responsibility the organization has—thus shared responsibility. For IaaS, the enterprise is responsible for pretty much everything, and needs to secure its operating system, applications, and data. It is just as if you were running your own datacenter. For PaaS, you are still responsible for locking down your applications and data. And for SaaS, although you only have control over your data, another important element comes to bear. Your SaaS provider needs to be secure. You need to ensure that the email, file storage, and other applications you consume are just as secure as if they were deployed by your own IT. Determining this is a key responsibility of IT moving forward.
Why is SaaS so critical to secure? You may have heard the term ‘Shadow IT.’ Well, there is also the ‘Shadow Cloud.’ This is the set of SaaS applications that your employees use but are not controlled or even known by IT. Employees may collaborate with suppliers, contractors, and each other, across geographies and platforms, many times unaware of potential security and regulatory risks.
In fact, in an average enterprise there are up to 10x more applications than IT expects, equating to hundreds of individual services. Pretty scary. And, of the universe of SaaS offerings, thousands do not offer industry standard security assurances.
Reference: Skyhigh cloud adoption risk report, Q2 2015
What are the risks you must understand and combat?
Separate from cloud growth, which is inevitable, the speed of change, which we can monitor, and the shared responsibility model, which we can address, the shadow cloud is potentially the most damaging. Ask yourself – how many applications have you used unknown to your IT team?
If you are in a regulated industry, understand that your cloud exposure is even more critical.
And, above all, make sure your employees understand the risks that come with the benefits of the cloud. We look at the human element a bit later.
Moving on from growth which is at the center of it all, we now look at three interrelated areas that affect security and your increasing attack surface. The first being complexity. What do we mean by this?
Security complexity is a result of the different demands placed upon the IT department, spanning on-premises data centers, cloud deployments, and SaaS. One almost longs for a simpler time, and a term that we sometimes hear is ’the fog of security.’ What this means is that it is sometimes hard to tell what is real or not, what is a threat or not. What alarm from one of your different security platforms is to be believed or not. And how to avoid battle fatigue.
Reference: https://www.ixiacom.com/company/blog/virtualized-monitoring-public-cloud-dilemma
You’ve got to keep up with increasing complexities of virtualization, containers, the types of rules implemented, and the different vendors you use for perimeter, network, application, data, and xxx security not to mention policy enforcement and operations. We estimate that the average enterprise engages upwards of 15 vendors, and others have stated that this could be as many as 50. In any case, they all require management, understanding of their role, and how they relate to a breach.
References:
Workload density (workloads per physical server) for cloud data centers was 7.3 in 2015 and will grow to 11.9 by 2020. http://www.cisco.com/c/dam/en/us/solutions/collateral/service-provider/global-cloud-index-gci/white-paper-c11-738085.pdf
During the DockerCon keynote of Docker’s CEO Ben Golub the incredible growth of Docker already became clear. Some highlights from his presentation:
There are 460K Dockerized applications, a 3100% growth over 2 years
Over 4 billion containers have been pulled so far
500 rules – Ixia estimates.
Here we try to map the different aspects of security to industry terminology. We're all familiar with hardware platforms and some of the better understood elements such as network, endpoint, application, and web. One of the fastest growing areas, and one requiring additional expertise, is highlighted in green. These relate more to the operational and less obvious aspects of security, but are still incredibly important. Ultimately, the CISO can't be an expert in all of these areas, so needs to train, to automate, and to offload where appropriate. The security footprint of the enterprise is more complex than ever, counter to what we probably all expected.
And some parting thoughts on complexity and the CISO. Prepare for attack. Every day, we read of another corporation or government hacked. You can only prepare. As we guided on the last slide, put in place whatever possible to allow you to take a more strategic view. If your day is spent on firefighting, you won’t prepare for the flood or the earthquake. The CISO must no longer be just a tactician… he or she must act strategically.
Next, we look at the human element, potentially the best understood in terms of cause and effect, but the most difficult to combat. The human element consists of both unintentional breaches, as well as those that are planned. Sometimes, it is difficult after the fact, to tell which is which.
As an example, all too many employees don’t receive the proper training to protect the enterprise against exposure. Better automation helps, but it cannot ever be foolproof as we saw with CloudFlare. Because of this, many believe that their cloud provider will experience a major breach, though current evidence is proving just the opposite. If you remember back to the shared responsibility model, if an enterprise’s data or applications are compromised, they may think it was due to their provider, but in fact it was due to their own neglect. Back to the human element.
References:
20% - http://www.smartbrief.com/poll/2016/11/do-you-feel-your-employees-are-adequately-trained-avoid-risky-behavior-could
44% - IBM - http://m.ibm.com/http/www-03.ibm.com/press/us/en/photo/45327.wss
This is further confirmed by changes in the sources of breaches. In the past, most focus and investment was on network and other infrastructure. We’ve made progress in these areas over the past decade, and the threat now is from the user and his or her device. This is the ‘soft underbelly’ of enterprise security and must be addressed.
Reference:
Verizon 2016 Data Breach Investigations Report - www.verizonenterprise.com/resources/reports/rp_DBIR_2016_Report_en_xg.pdf
The human element also translates to the cloud, and Gartner has been bold enough to make the statement that the vast majority of cloud breaches will be due to the enterprise and not to the cloud provider itself. What this goes to show is that, though enterprises may move their workloads to the cloud, security training and implementation doesn't end. As Churchill said, it is not the beginning of the end, but the end of the beginning.
However, some good news. Over 50% are not due to malicious intent. They are due to error or process failures. I didn't really mean it is good news - still an 'F' in my book, but it's not malicious.
References:
80% - Gartner, Best Practices for Securing Workloads in AWS. https://www.gartner.com/document/3030318
48% - 2016 Ponemon Cost of Data Breach Study
The most damaging part of both innocent, if we can call it that, and planned attacks, is the time to react. Though this has improved, once an intruder has breached the perimeters and accessed the soft underbelly, anything goes. Sort of like termites in a house where you don’t have an exterminator. They have plenty of time to take their next steps and exfiltrate on their own timeline. Thus the requirement for monitoring and automated response.
Reference:
2016 Ponemon Cost of Data Breach Study.
Now onto the hackers, the third influencer and of course, the most visible due to impact. They have not gone away. On the contrary, the threat is greater now than ever, as we shall see.
Probably the most disturbing trend is what we’ll call democratization and commoditization of hacking, the spread of tools and techniques previously limited to the more sophisticated hackers and even governments into the ‘mass market.’
This is actually very dangerous, since a more sophisticated hacker may have had control of a given exploit, while a newbie may just press the button and hope for the best. Or worst.
And it should be obvious that, although government actors receive the publicity, the typical enterprise has more mundane threats to worry about, such as attacks that simply target plain sloppy behavior. Way too many organizations don't patch and don't follow basic password hygiene.
In essence, hackers are looking for the low hanging fruit… those systems that are easily exploited. Much like going down the street at night and looking for an open window or unlocked door. If the window is closed and the door is locked, on to the next house.
And this applies to both systems and people. Remember what we mentioned earlier about training and the human element. You’ve got to be vigilant 24x7. The hackers are and have all the time in the world!
On the commoditization front, face it, you aren’t worth too much! Just look at the asking price for the compromised Yahoo records, $300,000 for the lot. Maybe that is at the low end, but we see the same trends for credit card data, and more damaging, social security numbers and health records. Credit card numbers can be replaced in a matter of minutes. Your medical history? Not so fast.
How many of you have had to replace at least one credit card over the last year or two? It is almost becoming commonplace, and I keep a small file listing the accounts that are under autopay for each… sort of like a credit card bug-out bag. Sad.
Reference:
https://thenextweb.com/security/2016/12/16/yahoos-billion-user-database-reportedly-sold-on-the-dark-web-for-just-300000
If we look at the types of attacks and their origins, nothing new. We have malware, exploits, and phishing attacks, and their volume roughly equates to Internet use. We always think of China, Russia, and North Korea, but the source of many of the attacks is staring us in the face, as reported by Ixia ATI.
Maybe mapping to expertise, although malware and phishing attacks were primarily US-driven, exploits were more balanced between the US, China, and other countries.
Reference:
Ixia ATI Research Center 2016
Looking at some of the attacks in greater detail, also with data from Ixia ATI, we see that social networks, many common cloud-based offerings, and of course financial sites are the most vulnerable. Here you must be doubly on-guard.
How many of you have received an email that looked perfectly reasonable at first glance, but then seemed a little bit off when compared to what you normally receive from your bank or favorite chain store? We’ve gotten to the point that many filtering systems are ineffective and you’ve got to review each and every email. Exhausting.
As we mentioned earlier, the tried-and-true still works, and at the heart of this is poor password hygiene. If you use one of these, consider yourself open to attack. Much like putting a code lock on your front door, and then taping the number under the mat.
In fact, many of these are also endemic to cloud deployments, not just within the enterprise. Though a typical enterprise end-user wouldn't select 'ubnt', that is short for Ubuntu, one of the more popular Linux distributions, we found that it was still an often-used password for the cloud.
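As an added example of the password hygiene point, not from the report: a small policy check that rejects credentials on a known-weak list, too-short values, single-class values, and passwords that embed the account name, then audits a constructed set of accounts. The blocklist is a constructed sample; only 'ubnt' comes from the talk itself.

```python
"""Added example: password hygiene check and account audit. The weak-password
list and the accounts are constructed sample data."""
import re

# Constructed blocklist; 'ubnt' is the value mentioned in the talk.
WEAK_PASSWORDS = {"ubnt", "password", "123456", "admin", "qwerty", "welcome1"}

CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def password_findings(password, username="", blocklist=WEAK_PASSWORDS, min_len=12):
    """Return a list of human-readable findings; an empty list means the password passes."""
    findings = []
    lowered = password.lower()
    if lowered in blocklist:
        findings.append("on weak-password list")
    if len(password) < min_len:
        findings.append(f"shorter than {min_len} characters")
    classes = sum(bool(re.search(pattern, password)) for pattern in CHARACTER_CLASSES)
    if classes < 3:
        findings.append("fewer than 3 character classes")
    if len(username) >= 3 and username.lower() in lowered:
        findings.append("contains the username")
    return findings


def audit_accounts(accounts, **policy):
    """Map each failing account name to its findings; passing accounts are omitted.
    `accounts` is an iterable of (username, password) pairs."""
    report = {}
    for username, password in accounts:
        findings = password_findings(password, username, **policy)
        if findings:
            report[username] = findings
    return report


# Constructed sample: a cloud admin, a service account, and two end users.
SAMPLE_ACCOUNTS = [
    ("cloudadmin", "ubnt"),
    ("svc-backup", "Svc-Backup2016!"),
    ("alice", "Tr0ub4dor&3xyz"),
    ("bob", "bobbobbobbob1"),
]


if __name__ == "__main__":
    for name, findings in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{name}: {', '.join(findings)}")
```

The check is deliberately conservative: the blocklist lookup is case-insensitive and the username test covers embedding anywhere in the password, which is the pattern that default and vendor-style credentials tend to follow.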
So with what we’ve covered – cloud growth, user risk, hackers, and complexity – do you just give up, or is there a way out? We’d not be here if it was the former. How can you protect your network, your applications, and your data?
First off, take a step back and evaluate what you have, what you need, and your gaps. Speak with colleagues in the industry and develop a game plan. Spend intelligently.
As we mentioned earlier, a typical enterprise may have upwards of 15 different security solutions. Just think if you worked with 15 storage or server vendors. Chaos. So take a measured approach to fixing the highest priority issues, and make sure that what you deploy helps to reinforce your security posture by providing consistent guidance.
References:
Cloud security service market (Infonetics, 2013) - 2017 - $9.2B
The global cybersecurity market should reach $85.3 billion and $187.1 billion in 2016 and 2021, respectively, reflecting a five-year compound annual growth rate (CAGR) of 17 percent. The American market, the largest segment, should grow from $39.5 billion in 2016 to $78 billion by 2021, a projected five-year CAGR of 14.6 percent.
That’s according to BCC Research’s new report, "Cyber Security: Technologies and Global Markets." For purposes of the report, the cybersecurity market includes companies that provide products and services to improve security measures for IT assets, data and privacy across different domains such as the IT, telecom and industrial sectors.
A major step in this direction is deployment of a common set of tools spanning on-premises, hybrid, and public clouds. You don’t want separate solutions providing different guidance for each. As your workloads migrate from one domain to another, visibility needs to follow. And as multi-cloud deployments take hold, your tools must handle this as well.
Unfortunately, most enterprises don’t have this unified view and have tools that leave parts of their network unmonitored – essentially keeping the door unlocked while you are on vacation. In fact, across enterprises, almost half the networks have less than 2/3 visibility coverage.
This is the visibility gap, where the typical visibility solutions can’t keep up with network growth. It is a blind spot, leaving the door open for intrusion.
The way to close the gap is to evaluate any solution for packet drops at corner cases, performance under feature load, and ease of configuration. A true visibility architecture will close all these gaps. At Ixia, we are proud that our visibility architecture has the highest performance in the industry with an easy to use GUI that helps eliminate potential configuration errors.
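An added example, not from the report or from any Ixia product, of how the two measurements above can be checked from data an organization already has: visibility coverage as the fraction of network segments that feed a monitoring tool, and packet loss inside the visibility layer as the gap between what a tap ingested and what it forwarded. Segment lists, counters and thresholds are constructed; the 2/3 coverage figure and the drop check are the ones the talk calls out.

```python
"""Added example: visibility coverage and tap drop-rate check over constructed
segment and counter data."""

# Constructed: which network segments are fed to the monitoring/security tools.
SEGMENTS = {
    "dc-core": True,
    "dc-dmz": True,
    "branch-east": False,
    "branch-west": False,
    "vpc-prod": True,
    "vpc-dev": False,
}

# Constructed per-tap counters from one polling interval.
TAP_COUNTERS = [
    {"tap": "tap-core", "ingress_pkts": 1_000_000, "egress_pkts": 1_000_000},
    {"tap": "tap-dmz", "ingress_pkts": 2_000_000, "egress_pkts": 1_990_000},
    {"tap": "tap-vpc-prod", "ingress_pkts": 0, "egress_pkts": 0},  # idle interval
]


def coverage(segments):
    """Fraction of segments that are monitored; 0.0 for an empty inventory."""
    if not segments:
        return 0.0
    return sum(1 for monitored in segments.values() if monitored) / len(segments)


def drop_rate(ingress, egress):
    """Fraction of ingested packets not forwarded; idle taps report 0.0."""
    if ingress == 0:
        return 0.0
    return max(ingress - egress, 0) / ingress


def visibility_report(segments, counters, min_coverage=2 / 3, max_drop=0.001):
    """Summarize the two gaps the talk describes: unmonitored segments and
    taps dropping more than `max_drop` of their traffic."""
    cov = coverage(segments)
    dropping = [
        c["tap"] for c in counters
        if drop_rate(c["ingress_pkts"], c["egress_pkts"]) > max_drop
    ]
    return {
        "coverage": cov,
        "below_min_coverage": cov < min_coverage,
        "unmonitored": sorted(s for s, m in segments.items() if not m),
        "dropping_taps": dropping,
    }


if __name__ == "__main__":
    report = visibility_report(SEGMENTS, TAP_COUNTERS)
    print(f"coverage {report['coverage']:.0%}, below 2/3: {report['below_min_coverage']}")
    print("unmonitored:", report["unmonitored"])
    print("taps dropping packets:", report["dropping_taps"])
```

Both numbers are worth trending rather than reading once: coverage falls silently as new segments and VPCs are added without taps, and a tap that drops a fraction of a percent under feature load is exactly the corner case the text warns about, because the downstream security tool never learns what it did not receive.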
With a visibility architecture in place, you can take a more strategic view to really address today’s threats. Our security report looks at these in depth.
At a high level, they include:
Security is an ongoing process. A journey and not a destination. A verb and not a noun. You don’t implement a set of controls and rest on your laurels.
You need to be sophisticated, in understanding hackers and your employees. And also challenge them.
Think like the hacker, and you can call upon plenty of industry guidance for this. The more regulated or critical your business, the more vigilant you must be.
Look at where you are most vulnerable, and reinforce that area. Remember the Trojan Horse. The highest and thickest wall in the world won't protect you if the back gate is left unlocked, or if the attacker social engineers his or her way in.
One area of increasing scrutiny is the supply chain, as this has been the source of many breaches. Know your suppliers, and hold them to the same high standards.
We don’t all need to be Navy SEALs, but keep your team on-guard and avoid fatigue. Deploy tools that minimize false positives. Make it interesting and engaging.
Finally, and the simplest, fix what is broken. You have plenty of guidance and automation at your disposal.
At Ixia, we provide you the tools to challenge your network, validate it and ensure you have a scalable visibility architecture that lets you see inside what is happening in your network. We strongly recommend that you test often to ensure that you have not introduced configuration errors. We also recommend that you check for dropped packets from your visibility architecture as security tools are only as good as the data they see. We are happy to also provide cyber range training to ensure your teams are properly prepared in case of an attack.
In conclusion, constantly question, challenge, and most importantly test your network’s ability to withstand attacks.
Thank you.