CSO Perspectives (Pro) 3.8.21
Ep 41 | 3.8.21

Pt 1 - Third party platforms and cloud security orchestration.

Transcript

Rick Howard: In this season, I have examined each of the big three cloud provider security solutions, Microsoft's Azure, Amazon's AWS and Google's GCP. After going through that exercise, security orchestration is the idea that emerges for me that is screaming for attention...

(SOUNDBITE OF WILHELM SCREAM) 

Rick Howard: ...So much so that I feel compelled to add it to the other four baseline first principle strategies that I've been discussing in essays and podcasts this past year - resilience, zero trust, intrusion kill chain prevention and risk forecasting. As a security executive, if you can't orchestrate these four strategies across all of the digital islands where your data resides, cloud networks included, you have no chance to reduce the probability of material impact to your organization due to a cyberattack. 

Rick Howard: In fact, adding additional security tools from the cloud providers might indeed increase your chances because of the added complexity to your environment. If that is the case, then cloud security tools don't help in this regard even if they are really good tools. They add complexity to your system because you have another tool set that you and your team have to master in addition to the tools you are already running back at the data center and at headquarters. 

Rick Howard: If you are looking to orchestrate your first principle strategies across everything, then the only viable alternative is to use a third-party tool set that covers all data islands. What I'm talking about here is inserting one of the big security platforms from companies like Fortinet, Cisco, Check Point or Palo Alto Networks. These companies are known as firewall companies. But over the last decade, they have turned themselves into security orchestration platforms. 

Rick Howard: My name is Rick Howard. You're listening to "CSO Perspectives," my podcast about the ideas, strategies and technologies that senior security executives wrestle with on a daily basis. To understand why these relatively new security platforms are a good choice, we need to understand how the cloud provider security solutions add complexity to your business and how the firewall that has been around since dinosaurs roamed the internet landscape evolved into security orchestration platforms. Let's start with the cloud providers. 

Rick Howard: All three cloud providers are very good at some first principle things and completely lacking in others. For example, they are all superb at providing a palette of ways to deploy resilient workloads that are probably better than the set of tools you have at your disposal back on prem and in the data center. Likewise, they all do well offering tools to build zero trust elements into your security posture, again, potentially exceeding what is available to you back at headquarters. 

Rick Howard: If I was just starting my cloud journey today, I would lean towards the GCP implementation of zero trust. BeyondCorp, Google's marketing name for it, is an implementation of something called a software-defined perimeter, or SDP, a concept invented by the U.S. military sometime in 2007. And it's light-years ahead of what Microsoft and Amazon offer. 

Rick Howard: At this point, though, there aren't too many organizations that are just beginning their cloud journey. I'm willing to bet that most of us are committed to one cloud provider or the other by now, the CyberWire included. We use AWS and an entire slate of third-party SaaS services. 

Rick Howard: On the downside, none of the three cloud providers offered even rudimentary capability for intrusion kill chain prevention, nor did they help their customers with any kind of a risk forecast. Most provide the means to collect mountains of telemetry from their products, but that's about it. They leave it to their customer's own ingenuity to follow those two strategies. 

Rick Howard: Further, none of the three recognize that most organizations don't keep their data in one cloud environment. If they have any size at all, they are quite likely to run different workloads and store different datasets in multiple cloud environments, as well as continuing to operate with their own data centers and headquarters back on prem. And since we're piling on here, most cloud security services don't include any kind of protection, first principles or otherwise, for all the remote employees working from home during the pandemic or who will eventually start traveling around the world when things get back to normal. The exception is Google's BeyondCorp since it's doing some preliminary checking of the client before it allows the client to connect to the cloud workload. 

Rick Howard: And lastly, there is nothing in the way of securing operational technology, or OT, and Internet of Things, or IoT. Now, I hear what you're saying. Why would they? They provide cloud services, not OT, IoT services. But I want to make a point here. The cloud provider security solution sets, even if you think they're the best security sets on the planet, mostly only work in the cloud provider's environments. They aren't a set of tools security executives can use to protect all of the data islands they're responsible for. They're an additional set designed to secure cloud environments, and they're relatively new compared to the on-prem tools most of us are used to. That means that they aren't mature. They might be in the future, but they aren't right now. 

Rick Howard: Now, you might be saying to yourself, duh, Rick. Isn't that completely obvious? 

(SOUNDBITE OF ARCHIVED RECORDING) 

Unidentified Person: Thanks, Captain Obvious. 

Rick Howard: Well, of course it is. But here's the thing. Before we all started in the 2010s to race towards the cloud, we already had too many security tools to manage. In the late 1990s through the 2000s, we had these two overriding best practices that we all followed - only install best-of-breed security tools, and never, ever use a single vendor for your entire security stack. We called that vendor-in-depth. 

Rick Howard: That all sounded great back in the 1990s when we only had three security tools to worry about - firewalls, intrusion detection systems and antivirus - but in today's environments, it's not uncommon to see as many as 15 security tools in small- to medium-sized organizations and over 300 security tools in some large organizations. That's a lot of tools. And that says nothing about all of the policy and procedures an organization will need to administer those tools in some coherent manner. 

Rick Howard: The other 1990s best practice that we all followed was to find ways to reduce complexity. You may have the very best security tools deployed, but the more you have, the more convoluted your environment is. At some point, it becomes so complicated to manage that you can't keep the tools updated with the latest threat information. The volume of alerts the security stack produces overwhelms your SOC, and you don't have time to deploy all of the bells and whistles that you wanted when you bought the best-of-breed tool in the first place. By 2010, many of us had crossed that threshold where the complexity risk was greater than the risk if we didn't have the exact best-of-breed tools. 

Rick Howard: And then we started deploying cloud services. This gave us even more tools to manage in our already tangled networks. The cloud providers don't alleviate that complexity. They add to it. To be fair, all of them say that we can reduce that complexity by automating everything in a DevSecOps kind of way. And that's probably true in the long run, but most of us are a long way from that nirvana vision. And even if we were close, that still only reduces the complexity of your cloud provider's network. It says nothing about our other data islands. 

Rick Howard: It's tough to pin down exactly when, but sometime around 2015, IT and security practitioners started complaining about how the vendors took no responsibility for the burden of orchestrating their tools with other vendor products. Soon, customers started seeing vendors trying to integrate their tool set with good matches maybe not from their direct competitors, but from competitor-adjacent vendors. 

Rick Howard: For example, when I was at Palo Alto Networks, the malware analysis product manager partnered with his Proofpoint peer so that if a mutual customer existed, the intelligence between the two products was automatically shared between the two companies without the customer having to do anything. 

Rick Howard: In that same vein, the security vendor community established their first ISAC, or Information Sharing and Analysis Center, in 2017 called the Cyber Threat Alliance. Paying members volunteered to share threat intelligence with each other automatically so that their mutual customers didn't have to manually put it all together themselves later. Since all of the vendors have means to automatically update their product with the latest prevention and detection controls based on new intelligence, the Cyber Threat Alliance became the mechanism to deliver protections for any newly discovered threats around the world in minutes to hours. Today, there are over 30 security vendors in the Cyber Threat Alliance, all automatically sharing threat intelligence every day. 

Rick Howard: Now, just as an aside, if one of your security vendors is not a member, you should ask them why they're hesitating. Perhaps you should even tell them that you will seek another vendor if they don't. By insisting that vendors cooperate in this manner, it makes the entire ecosystem safer and has the added benefit of costing you nothing. 

Rick Howard: But even these kinds of intelligence-sharing programs are only drops in the bucket. They don't provide a comprehensive orchestration capability across all of your data islands. So in 2018 or so, SOAR tools emerged to help SOC analysts sift through the volumes of alerts coming in from all of the IT and security tools from all the data islands. Now, SOAR stands for security orchestration, automation and response and provides a means for SOC analysts to automatically remediate those low-level alerts that come into all SOCs so that the analysts can spend their time on more important matters. 

Rick Howard: In my last CSO gig, we were processing some billion alerts every quarter. With the SOAR tool we installed, we reduced that down to 500 that humans actually had to look at. So that's better, but still not a comprehensive solution. The one tool that even comes close to providing what we need is the security platform. 

Rick Howard: I have said this in past essays and podcasts, but the first stateful inspection firewalls in the 1990s were nothing but fancy routers. They allowed us to block network traffic based on IP addresses, ports and protocols. In other words, they were big digital sledgehammers that we were all trying to use for cyber surgery. 

Rick Howard: When next-generation firewalls emerged in 2007, they allowed us to move up the IP stack to create rules based on applications tied to the authenticated user. This gave security practitioners a way to logically segment their networks at the firewall and became a way to implement some zero trust architecture within existing infrastructure. You can make rules that allow the development team access to the software code repository, but the marketing team couldn't. Zero trust rules like that help reduce the attack surface and lower the probability of adversary lateral movement. 

Rick Howard: It had the added benefit that it didn't need any additional hardware. All firewalls had next-generation capabilities at this point. All you had to do was deploy some rules on a device you already owned and operated. This is still not surgical, but at least we were using kitchen knives now and not sledgehammers. 

Rick Howard: But the firewalls were still big iron boxes that we deployed in our data centers and back at headquarters. The big security executive problem was that they weren't cheap. It was tough to justify the spin for additional firewalls to create protection zones within the same data center. People did it, but it hurt, and that meant that other security projects didn't get funded. 

Rick Howard: Eventually, the firewall vendors started adding SaaS services that their hardware boxes could plug into. Customers would pay for big iron and then subscribe to services delivered from the cloud, like malware detection, intrusion prevention and anti-command-and-control. In other words, they started adding the ability to install preventions across the intrusion kill chain. 

Rick Howard: As a result, all of the firewall vendors became giant adversary intelligence collectors. The firewall as a boundary enforcer basically sees all the customers' network traffic and is specifically looking for malicious behavior or anything that might look malicious, like, you know, files, potential malware, for example, command-and-control traffic, lateral movement, phishing, you name it. 

Rick Howard: For this specific data collection effort, cyber-adversaries' tactics, techniques and procedures, each individual firewall vendor's data lake rivals the NSA's in terms of volume. Since all of them can automatically update their product sets with the latest preventions based on newly discovered intelligence, their ability to protect their customers is light-years ahead of what the Department of Homeland Security can accomplish with their written and manually crafted security alerts. 

Rick Howard: You know, and by the way, since you're talking to your vendors anyway about joining the Cyber Threat Alliance, if you get the opportunity, you should also try to convince DHS to do so, too. The best way to get protections deployed to the world for any new threat is to get that intelligence to the security vendors. This shouldn't be a manual process either that takes weeks to months to never to get new protections in place for the latest threats. It should be automatic. If DHS sends their intelligence to the Cyber Threat Alliance in a DevSecOps kind of way, then it's just a matter of minutes to hours before the CTA's members deliver new prevention controls to their customers. But I digress. 

Rick Howard: Since the cloud providers don't really pay attention to intrusion kill chain prevention, their tools don't even compete here. And since most firewall vendors are paying members to the Cyber Threat Alliance, that combined intelligence is probably the most comprehensive open-source collection on the planet. All you have to do to access it is to deploy a product from one of the members, which you likely already have and, probably, you have more than one. 

Rick Howard: The firewall vendor goal then became to eventually replace all of the individual point product, best-of-breed tools that the security community had been deploying in droves for the past 20 years, those 15 to 300 tools I was talking about before. But they experienced some heavy resistance because the aforementioned vendor-in-depth best practice. Salespeople had trouble convincing customers to replace all of their best-of-breed tools with a single vendor. But that was about to change. 

Rick Howard: As soon as a security practitioner deploys more than one firewall, it becomes useful to have a management platform where administrators can configure baseline rules and configuration options in one place, push a button and then have all of that information passed to the firewalls in the management constellation. You can do it manually, but it's error-prone and soul-crushing work. The more firewalls you have, the more errors your operators are likely to inject, too. All the major firewall vendors offer this kind of functionality either in a hardware device designed to live on prem or in a SaaS application living on the internet somewhere. 

Rick Howard: Before security vendors offered virtual firewalls designed for cloud environments, this management option was a time-saving device that might fall just short of being essential. But after they had virtual firewalls that could deploy inside of AWS, Azure and GCP, this management plane elevated the firewall to a security orchestration platform. In other words, you could still deploy big iron boxes in your data centers and your remote office bases around the world, but now you could also deploy the same firewall, this time a virtual firewall, in your cloud environments, and you controlled all of them from the centralized management platform. 

Rick Howard: The genius of the virtual firewalls is that as you spin up additional workloads to meet demand or to accommodate some new cloud infrastructure change, the systems would automatically reach back to the management platform to get the latest rule sets and configurations as it boots. The hardware boxes do that, too, but in the dynamic environments that cloud platforms provide, this is a game-changer. 

Rick Howard: Today's firewalls, or security orchestration platforms, can do many things. Because of that versatility, I am making the argument here that they are potentially the most complete tool set available to security executives who are pursuing first principle strategies not just in cloud environments, but everywhere the organization stores and processes data. 

Rick Howard: Zero trust - their next-generation design from over a decade ago facilitates the deployment of logical segmentation of virtual workloads and big iron servers based on identified and authenticated users, devices and applications. 

Rick Howard: Resiliency - they easily plug into the big three cloud providers' resiliency architecture to protect east-west traffic between availability zones and north-south traffic from availability zones to the internet. They have already performed that function for on-prem systems since the internet was young. 

Rick Howard: Intrusion kill chain prevention - with their subscription model, practitioners can easily install prevention mechanisms for every phase of the attack sequence. If they don't have the resources to do that themselves, they can rely on the vendor to do that for them, knowing that their intelligence collection is excellent and their ability to automatically craft fresh prevention controls from newly discovered intelligence is really good. 

Rick Howard: Risk forecasting - this is their shortfall. That said, they are all able to produce copious amounts of telemetry similar to the cloud providers to feed your own risk forecasting models. This is not a selling point, but it's also no worse than it has been for years, both in cloud environments and on prem. 

Rick Howard: Orchestration - their management platform allows practitioners to have a single overriding first principle policy that is dynamically and automatically applied to all of their data islands in real time - endpoints at home, on the road and back at headquarters, cloud environments, data centers, OT and IoT networks. The result is that security executives can orchestrate a consistent first principle security policy across all their data islands and, at the same time, reduce the environment's complexity in the process. 

Rick Howard: Orchestration is a key baseline first principle strategy. When I first started this series on first principle thinking, I knew that orchestration was going to be important. I just didn't have it on the same level as the first four strategies. 

Rick Howard: But after going through this thought process and covering new security architectures, like SASE, or secure access service edge, and discussing security team skill sets, like cyber intelligence, security operation centers, incident response, red team/blue team operations and DevSecOps, and learning about technologies, like DLP, identity management, SD-WANs, containers, SOAR, SDP and cloud environments, and worrying about how to manage all of it from all of our data islands, like on-prem, data centers, endpoints, SaaS applications, cloud environments, OT and IoT networks - phew, that's a lot - it's clear to me that we can't collect all of that into one bag with any efficiency or consistency unless we give orchestration that same level of attention that we are giving the other four strategies - resilience, zero trust, intrusion kill chain prevention and risk forecasting. 

Rick Howard: Orchestration may be the most important of all. If that is the case, then the tool that we need is the security orchestration platform from the likes of Fortinet, Cisco, Check Point and Palo Alto Networks. 

Rick Howard: And that's a wrap. I've also written a companion essay on this topic that has an extensive reading list. If you're looking for more information written by way smarter people than me, check out that essay on the CyberWire Pro website. And if you agreed or disagreed with anything I have said about the need for security orchestration platforms as part of our first principle strategy, hit me up on LinkedIn, and we can continue the conversation there. 

Rick Howard: Next week, I have invited experts to the CyberWire Hash Table to discuss these various security orchestration platforms. You don't want to miss that. And keep an eye out this Wednesday, the 10th of March. We will be releasing our CyberWire Pro survey. You can win a hundred-dollar Amazon gift card for completing it and sharing your thoughts with us and also our forever gratitude for helping us out. So be on the lookout for the announcement in your email or on the Pro website. 

Rick Howard: Oh, and one more thing - just a reminder, we have a fantastic big deal for our monthly Pro subscribers if they upgrade to the annual subscription. It's set to expire soon, though, so if you're looking to save a buck or two, do yourself a favor and check it out. Just go to thecyberwire.com and select the upgrade option under your profile. 

Rick Howard: The CyberWire's "CSO Perspectives" is edited by John Petrik and executive produced by Peter Kilpe. Our theme song is by Blue Dot Sessions, and the mix of the episode and the remix of the theme song was done by the insanely talented Elliott Peltzman. And I am Rick Howard. Thanks for listening.