For years cybersecurity vendors have announced new technologies that would transform the industry with artificial intelligence, cloud delivery, and automation. Everything would get better, cheaper, faster – and of course more secure. In practice, many of these technologies turned out to be limited, less effective than promised, and more difficult to use.
"I don't see a lot of the promised AI revolution happening," Forrester Research analyst Joseph Blankenship told DCK. People, not AIs, still make cybersecurity decisions. "I see some of those capabilities, but we have not yet seen the pure AI that is going to make all our decisions for us and put cybersecurity professionals out of business."
The improvements have been incremental, and vendor announcements haven't changed significantly over the past three years. We've seen a gradual evolution of technology combined with better training of cybersecurity professionals and better business processes.
"It's almost like the vendors are catching up and delivering the capabilities they've been promising for the past few years," Gartner analyst Gorka Sadowski told us. "The tag line should be, 'And this time it's real. This time it's working.'"
But this combination of improvements in people, processes, and technology is finally enabling data centers to do threat detection and response at scale, he told DCK. "The level of education about security in the industry is rising," Sadowski said. "And processes are getting better, best practices have emerged that are robust."
So, where on the seemingly infinite continuum of cybersecurity tech has there been the most progress?
There's no better place to look for improvements than next-generation Security Information and Event Management platforms, or SIEMs. The SIEM is the beating heart of a data center's cybersecurity operations. Earlier SIEMs were limited in scope. They didn't collect all the relevant data, either because of technical barriers or because the pricing model made it cost prohibitive. Analysts would still have to do a lot of manual labor to follow up on security incidents.
That was the case at OpenText, an enterprise information management company. For example, a hardware problem (such as corrupted memory) can look like a malware attack, Jay Grant, the company's manager of digital forensics, said. Conversely, malware attacks can cause hardware failures, as is the case with cryptojacking, which places heavy loads on equipment. But data about hardware and data on malware infections live in two separate systems that don't talk to each other. "And the control over those systems is spread out over two teams," he told DCK.
OpenText has long known that this was a big security gap “that you just have to deal with” until there was a platform that could close it. Things changed last summer, when the company deployed a next-generation SIEM. It was finally able to pull together all the information its security analysts needed in one place, with all the relevant context that enabled them to make decisions in the shortest time possible.
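The gap Grant describes is a correlation problem: the hardware feed and the malware feed each make sense on their own, but the question "is this a bad DIMM or a coin miner?" can only be answered by joining them on host and time. The following is an added example, not OpenText's or Devo's code, that does that join over two small constructed feeds; the field names and the 30-minute window are assumptions, since every monitoring product exports its own schema.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real OpenText data). One feed comes from a
# hardware-monitoring system, the other from the anti-malware console; the
# field names are assumed, since every product exports its own schema.
HARDWARE_EVENTS = [
    {"ts": "2020-03-02T09:14:00", "host": "db-07", "event": "ECC_UNCORRECTABLE", "dimm": "A2"},
    {"ts": "2020-03-02T09:20:00", "host": "db-07", "event": "CPU_THERMAL_THROTTLE"},
    {"ts": "2020-03-02T11:05:00", "host": "web-03", "event": "FAN_FAILURE"},
]
MALWARE_EVENTS = [
    {"ts": "2020-03-02T09:11:30", "host": "db-07", "alert": "Trojan.CoinMiner", "action": "detected"},
    {"ts": "2020-03-01T22:40:00", "host": "web-03", "alert": "PUA.Toolbar", "action": "quarantined"},
]


def _ts(s):
    return datetime.fromisoformat(s)


def correlate(hw_events, av_events, window=timedelta(minutes=30)):
    """Pair each hardware event with malware alerts on the same host within `window`."""
    by_host = {}
    for av in av_events:
        by_host.setdefault(av["host"], []).append(av)
    pairs = []
    for hw in hw_events:
        for av in by_host.get(hw["host"], []):
            gap = abs(_ts(hw["ts"]) - _ts(av["ts"]))
            if gap <= window:
                pairs.append({
                    "host": hw["host"],
                    "hardware": hw["event"],
                    "malware": av["alert"],
                    "gap_seconds": int(gap.total_seconds()),
                })
    return pairs


def triage(hw_events, av_events, window=timedelta(minutes=30)):
    """Route every host with a hardware event to the right queue.

    A hardware fault with a malware alert nearby is an incident for the security
    team; one with no such alert goes to the hardware team as a ticket.
    """
    flagged = {p["host"] for p in correlate(hw_events, av_events, window)}
    verdicts = {}
    for hw in hw_events:
        verdicts[hw["host"]] = "security incident" if hw["host"] in flagged else "hardware ticket"
    return verdicts


if __name__ == "__main__":
    for pair in correlate(HARDWARE_EVENTS, MALWARE_EVENTS):
        print(pair)
    print(triage(HARDWARE_EVENTS, MALWARE_EVENTS))
```

In the sample, db-07's uncorrectable ECC error lands 150 seconds after a coin-miner detection and is routed to the security queue, while web-03's fan failure has no malware alert within the window and stays a hardware ticket. The window is the tuning knob: too narrow and a miner that has been running for hours before the DIMM errors start is missed; too wide and unrelated alerts get glued together.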
The platform OpenText chose was Devo, and the entire integration process took about a week, said Kevin Golas, the company's director of security services. The connections to standard tools, like firewalls and proxies, took about half a day. But the company also brought in information from other sources, less well-known vendors, tools without APIs, and even an open-source tool that only had a command-line interface. "Volatility is one of the premiere memory forensics tools," said Grant. "But it has a command line interface and outputs just flat files – they're not by any means in any type of format."
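Getting a command-line tool's flat text into a SIEM means writing the adapter yourself. The following is an added example, not code from OpenText, Devo, or the Volatility project: it parses a fixed-width table shaped like the one Volatility 2's pslist plugin prints (header line, dashed separator, rows) into typed JSON events. The sample output is constructed and the exact column widths are assumed; the technique does not depend on them, because the column boundaries are read from the dashed separator line rather than hard-coded. A small name-confusable check at the end is also an assumption, added to show that once the rows are structured, a hunting rule is a few lines.

```python
import json
import re

# Constructed text shaped like Volatility 2's pslist table (widths assumed, not
# copied from a real capture). Note that 'Start' contains spaces, so splitting on
# whitespace would break it; the dashed line tells us where each column lives.
PSLIST_OUTPUT = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8000cb9b30 System                    4      0     83      528 ------      0 2020-03-02 08:55:01 UTC+0000
0xfffffa80018f5060 svchost.exe             812    604     12      340      0      0 2020-03-02 08:55:09 UTC+0000
0xfffffa8001c3e7f0 svch0st.exe            4120   2288      3       61      1      0 2020-03-02 09:10:44 UTC+0000
"""


def _column_spans(separator):
    """Each run of dashes in the separator line marks one column's character range."""
    return [(m.start(), m.end()) for m in re.finditer(r"-+", separator)]


def parse_table(text):
    """Parse a header / dashed-separator / rows table into a list of dicts of strings."""
    lines = [line for line in text.splitlines() if line.strip()]
    sep_idx = next(i for i, line in enumerate(lines) if set(line.strip()) <= {"-", " "})
    header = lines[sep_idx - 1].split()
    spans = _column_spans(lines[sep_idx])
    if len(header) != len(spans):
        raise ValueError("header and separator disagree on column count")
    rows = []
    for line in lines[sep_idx + 1:]:
        # Fixed-width slicing keeps 'Start' intact; slicing past the end of a
        # short line (empty 'Exit' column) simply yields ''.
        rows.append({name: line[a:b].strip() for name, (a, b) in zip(header, spans)})
    return rows


def _normalize(value):
    if value == "" or set(value) == {"-"}:
        return None  # dashes mean "not applicable" in the table
    if value.isdigit():
        return int(value)
    return value


def to_events(rows, host, plugin="pslist"):
    """Turn parsed rows into flat, typed events with enough context for a SIEM to index."""
    events = []
    for row in rows:
        event = {key: _normalize(val) for key, val in row.items()}
        event.update({"source": "volatility", "plugin": plugin, "host": host})
        events.append(event)
    return events


def to_ndjson(events):
    """One JSON object per line, the shape most log shippers accept."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in events)


# Assumed hunting check (not a Volatility feature): names that differ from a
# well-known Windows binary only by a digit-for-letter swap, e.g. svch0st.exe.
KNOWN_NAMES = {"system", "smss.exe", "csrss.exe", "wininit.exe", "services.exe",
               "lsass.exe", "svchost.exe", "explorer.exe"}
_CONFUSABLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def suspicious_names(rows):
    hits = []
    for row in rows:
        name = row["Name"].lower()
        if name not in KNOWN_NAMES and name.translate(_CONFUSABLE) in KNOWN_NAMES:
            hits.append(row["Name"])
    return hits


if __name__ == "__main__":
    rows = parse_table(PSLIST_OUTPUT)
    print(to_ndjson(to_events(rows, host="ws-17")))
    print("suspicious:", suspicious_names(rows))
```

Reading the column spans from the separator line is what makes the adapter survive a plugin that adds or widens a column; the header names become the event keys, so a new column shows up in the SIEM without a code change. The host name is passed in because a memory image carries no reliable record of which machine it came from; the analyst who captured it does.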
Now, every part of what was previously a manual process has been streamlined and automated, he said. The platform also includes user-friendly data analytics. There is still one step that analysts have to do manually, but Devo can sift through hundreds or thousands of endpoints and quickly point the analysts to the one they need to focus on. “Anybody can set up a data lake and take in all the information," Grant said. "But how you actually go through the data is key – that's where I have to spend the money on the analysts."
Instead of having to look through multiple spreadsheets or write a custom script to create a dashboard, analysts now have a GUI where they can toggle through different kinds of information. "It allows you to take large volumes of data and make sense of it within seconds," he said. "That's our major value in it."
Other areas where traditional SIEMs have been lacking are user behavior analytics and automation, functions usually found in separate platforms. "Now you don't have to buy the three different tools and integrate them yourself,” said Gartner's Sadowski. "Today, most of the modern SIEM tools have all three layers well architected."
Devo's next-gen SIEM platform is cloud-based, and the big cloud service providers are getting in the game as well. Microsoft Azure, Amazon Web Services, and most recently Google Cloud Platform have all rolled out cloud and hybrid security tools that offer the scalability and analytics of their hyperscale platforms and draw on their extensive visibility into ongoing threats.
When an unfamiliar application shows up in a corporate environment, there are three common ways to handle it: reject it, and risk hurting operations if a trusted user spun it up for a good reason; approve it (if it doesn't raise any anti-virus flags), and risk letting an attack through; or let it run in a controlled environment, referred to as a "sandbox."
For large corporations that are attractive targets for well-funded criminals, customized malware designed to slip past corporate defenses is a constant threat. Companies hire teams of analysts to manually investigate these potential attacks. Sandboxing streamlines that process by letting an application run safely while being closely watched.
But attackers are getting better at spotting sandboxes, and it still takes human expertise to analyze the behavior of a sandboxed application. AI can make sandboxes look more like real systems to the malware while also helping analyze the application's behavior.
One company adding intelligence to sandboxes is Securonix, and it's helping detection engineers and threat hunters at AmerisourceBergen, a wholesale drug company with $180 billion in annual revenue.
Securonix "helps reduce burden on our SOC analysts and incident responders who otherwise have to manually sort through new untuned alerts," Umesh Yarram, AmerisourceBergen's VP and chief data protection officer, told DCK.
The sandbox can also be used by data center security operations teams to test new use cases at scale before pushing them to production, said Nitin Agale, VP of products and strategy at Securonix.
Smarter Honey Pots
There's another way to detect the most determined attackers, one that doesn't involve sifting through a ton of false positives. Data centers can set up tempting honey pots, such as fake databases that appear to contain customer payment information. No legitimate traffic ever needs to access them, so any access at all is a signal, and attackers who have somehow made their way into a network will head straight for them.
At least that's what they used to do. The newest approach is to create deception grids. A deception grid is essentially a second, virtual layer of servers, users, and networks that is visible only to attackers, not to legitimate users. AI is used both to create realistic deception grids and to monitor them for attacks.
So, does this technology really work?
"Sometimes," said Gartner's Sadowski. But it is for real, he added. "The new deception tools have several use cases that are pragmatic and have realizable value. And they're usually not as hard to operate as the old honey pots."
Deception can help identify both low-level, routine threats and advanced attacks, he said.
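The reason decoys produce so few false positives is that the detection rule needs no threshold: a decoy has no legitimate users, so any connection to it from a host other than the deception platform's own health checker is an alert. The following is an added example, not code from any deception vendor, that applies that rule to a few constructed flow records and then pulls every destination the flagged host touched, which is the pivot an analyst wants next. The addresses, field names, and the monitor-host exemption are assumptions.

```python
from collections import defaultdict

# Constructed flow records (not from any real network). Field names are assumed;
# a NetFlow or Zeek conn log carries the same information.
DECOYS = {
    "10.0.30.250": "decoy-payments-db",   # presents as a SQL server holding card data
    "10.0.30.251": "decoy-fileshare",     # presents as a file server full of contracts
}
# The deception platform's own health checker is the one source allowed to touch
# decoys. Forgetting this exemption (or the vulnerability scanner) makes the rule
# fire on the operator's own traffic.
MONITOR_HOSTS = {"10.0.30.2"}

FLOWS = [
    {"ts": "2020-03-02T09:00:05", "src": "10.0.5.23", "dst": "10.0.20.4",   "dport": 443},
    {"ts": "2020-03-02T09:00:30", "src": "10.0.30.2", "dst": "10.0.30.250", "dport": 1433},
    {"ts": "2020-03-02T09:02:11", "src": "10.0.5.23", "dst": "10.0.30.250", "dport": 1433},
    {"ts": "2020-03-02T09:02:40", "src": "10.0.5.23", "dst": "10.0.30.251", "dport": 445},
    {"ts": "2020-03-02T09:03:00", "src": "10.0.5.23", "dst": "10.0.20.9",   "dport": 445},
    {"ts": "2020-03-02T09:05:15", "src": "10.0.7.9",  "dst": "10.0.20.4",   "dport": 443},
]


def decoy_touches(flows, decoys=DECOYS, monitors=MONITOR_HOSTS):
    """Every connection to a decoy from a non-monitor host is an alert; no tuning needed."""
    alerts = []
    for f in flows:
        if f["dst"] in decoys and f["src"] not in monitors:
            alerts.append({"ts": f["ts"], "src": f["src"],
                           "decoy": decoys[f["dst"]], "dport": f["dport"]})
    return alerts


def lateral_scope(flows, src):
    """Everything the flagged host connected to, in time order, so the analyst sees the path."""
    return [f["dst"] for f in sorted(flows, key=lambda f: f["ts"]) if f["src"] == src]


def summarize(flows):
    """Group alerts by offending host and attach its full set of destinations."""
    by_src = defaultdict(list)
    for a in decoy_touches(flows):
        by_src[a["src"]].append(a["decoy"])
    return {src: {"decoys_touched": touched, "all_destinations": lateral_scope(flows, src)}
            for src, touched in by_src.items()}


if __name__ == "__main__":
    for src, info in summarize(FLOWS).items():
        print(src, info)
```

In the sample, 10.0.5.23 reaches a real web server, then both decoys, then a real file server on port 445; the summary shows the decoy hits and the full destination list, so the analyst sees the genuine host (10.0.20.9) that was probed in between. The monitor's own check of the decoy database is ignored, and 10.0.7.9, which only ever talked to a legitimate server, never appears.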
Intelligence is also helping make zero-trust a viable security strategy. Its most common building block, micro-segmentation, divides a network into small zones, each virtually firewalled from all the others, with only approved users and traffic allowed through.
The traditional approach to firewalls – which was extremely labor-intensive – made zero-trust difficult to pull off. But that's changing, said Forrester's Blankenship. "The biggest thing we've seen with zero-trust is that there's a move to make it practical,” he said.
Goulston & Storrs, a law firm with about 125 virtual servers in its data center, was worried about intruders getting access to its systems and then making their way laterally throughout the network. Chopping up the network into walled-off areas could stop such movement.
“That's the promise of it," John Arsneault, the law firm’s CIO, told us. The firm decided to go with Edgewise Networks for an automated, intelligent approach to both creating the segments and managing them in the future. "You can deploy the tool in a fairly short period of time with a minimum of human interaction through the AI component," he said.
These new network security strategies do more than limit the potential damage of a breach, said Leo Taddeo, CISO at Cyxtera, a Florida-based data center operator. Taddeo was previously the special agent in charge of the Special Operations Cyber Division of the FBI’s New York Office.
Software-defined perimeter tools, which sit at the heart of zero trust, also give data center technicians secure remote access to critical data center management systems. That has always been a major advantage, but in recent weeks, as the COVID-19 pandemic has led most data center operators to drastically cut the staff they keep at each site, it has become a feature that could save lives while helping critical infrastructure keep running.
"This means that there's no need for a technician to travel to the physical site and risk infection," Taddeo told DCK.
Smarter Penetration Tests
At the end of the day, data center operators can't have confidence in any security strategy if it doesn't stand up to a real-world test – or as close to a real-world test as they can get without getting breached. To do this, they typically use penetration testing and attack simulations. But these tests are time consuming and difficult, and few companies can afford to do them frequently.
But data center environments can change quickly. A data center that was highly secure one day could have unexpected security holes the next. Intelligence is coming to the rescue here, too, with new AI-powered, automated penetration tests.
"This method of continuous testing overcomes the barriers posed by traditional testing, such as time and cost," said Marcus Carey, enterprise architect at ReliaQuest, a Florida-based cybersecurity company. "Attack simulations can span many more processes and security controls without disrupting day-to-day business operations." With continuous tests, security teams can get insight into the day-to-day performance of their security models.