It’s Time for a New Generation of Security
September 12, 2019
Today we announced a new series of funding from an incredible group of investors and entrepreneurs who have built companies like Snowflake Computing and Pure Storage from the ground up. Like both Snowflake and Pure, we have built a new modern platform that is purpose fit for a new IT trend, Security for the Cloud and Cloud Native Technologies.
Like I have discussed in the past, in order to capture a large security shift, you need to time the trifecta of the following key areas:
- A transformative change in IT (IaaS/PaaS, Cloud Native, Containers, Kubernetes)
- A large, diverse, complex, and ever changing attack surface
- The beginnings of breaches, attacks, and exploited vulnerabilities
It’s clear we are in the midst of a MAJOR transformative shift in security technology with all three at full throttle.
That said, there is more at play here
There is a fourth aspect of change. This is not just about the change in the massive technological consumption and deployment methods, utilities as a service, and efficient development practices. It’s also a change in culture. A change so big and invisible that sometimes, it’s ignored, which leads to the inability to modernize your security culture and technology choices.
Not adapting our security culture is likely to be the largest security risk one can face today
With that, I have outlined six major aspects of change that we are observing from our vantage point across the perspective of both technology and culture. Each in its own has a major impact, but combined, we believe it’s time for a new description for this sea-change ahead of us.
Enter: “New Generation Security”
From Next Generation to New Generation Security
The proclaimed Next Generation (AKA NextGen) security solutions can be put into two major buckets: 1) Next Gen Firewalls, and 2) and Next Gen Endpoint. Both categories have done incredibly well over the years and have created literally billions of dollars of market cap in publicly traded companies. Each category was built as a new stair step that was better than the last providing unique functionality advancements in detection, visibility, and throughput.
However, neither of these very large categories have been purpose fit for modernized IT service consumption models; IaaS, PaaS, and cloud-native technologies such as container and Kubernetes. In fact, massive trends in IT such as infrastructure-as-code, ephemeral workloads, and CI/CD processes are not something that next-gen products are designed for.
The New Generation of Security products and process are designed specifically for this new era of highly popular modern development and deployment practices
1) From Security Products to Security Platforms
Despite marketing collateral and cyber-hype, the vast majority of security products are not built nor designed as platforms. The other unfortunate truth is that they continue to be duct taped acquisitions of product-based companies that are better served as features within a platform. This has led us down a path of companies touting platforms that in-reality are multiple products glued together or scenarios where the average company has dozens of disparate systems, none of which work together leading to inefficiencies in investments, labor, complexity, and efficacy.
New Generation Security is about leveraging an ever-increasing set of functionality over-time all built with the same principals, data-stores, interfaces, and all delivered in an easy to consume SaaS platform.
New Generation scales with a small number of platforms that can interoperate with both the CSP (Cloud-Service-Providers) your tools, and open-source
2) From Blockers to Builders
This new trend is primarily about culture and a little bit about technology. We are all familiar with the team “Default Deny or NO” in security where essentially the default rule/answer to any and all is “NO.” This is not new and it’s been going on for years. What is newer is security engineering. This trend is about rebalancing your capabilities within your teams and building more and blocking less.
Security engineers are critical in a services world where infrastructure is all defined in code. Certainly, organizations experience a continuing need for security people who understand threats, trends, and deep hacker knowledge. However, to scale, integrate, and triage your security events you will need builders who can codify these areas.
New Generation Security implies more Builders and less Blockers
3) From Conflict to Collaboration and 4) Centralized to Distributed
Have you ever heard a developer or infrastructure engineer say something like “Let’s engage the firewall team?” or “The endpoint folks need to get involved,” or “Can we convince the security team this is safe and that they can open a change control for us?” The answer is almost certainly yes.
As the modern infrastructure is built in the cloud, the dynamics are changed considerably within an organization. Developers are fully enabled to run their own infrastructure on-demand at scale likely without traditional IT. In early SaaS days people called this “Shadow IT.” I’m not a fan of that phrase or the thinking behind it, especially when it comes to new generation service models such as IaaS and PaaS. These models power key organizational initiatives such as; digitization, cloud-first, and cloud-native migration. They are frequently driven by top-level executives and play a strategic role in their company’s success.
The shift here is for security to be integrated into the process, not isolated from it in the world of the “Next Generation.” Various ways to accomplish this from an organizational standpoint exist. The one we tend to see is a centralized security organization which provides governance, guidelines and tooling together with distributed security engineering within each dev team. Having security-engineering on scrum teams, and within the team, will build the appropriate collaboration to reduce friction and optimize for speed.
Call it DevSecOps, Secure DevOps, or SecDevOps, I just call it collaboration and teamwork in New Generation Security
5) From Guard Dogs to Guard Rails
We have seen it in the physical security world for years – a logo of a company with a big scary dog on it, designed to scare anyone into believing no one will ever intrude. Cybersecurity hasn’t been all that different. Pictures of walls and castles, scary hackers with hoodies, and locks have become standard tropes, all designed to scare the audience or portray the illusion of security. In the last generation of security process there were things like downtime for change control windows and very long approval processes to get things done. I have heard stories of IT people who literally had to wait a week for a change control window to open up in order to simply change a Next Generation Firewall rule.
Due to the flexibility, scale, and power of the cloud, the ability to make change across a large set of infrastructure is available in a few lines of code. This level of power, if not used responsibly, can lead to a myriad of security risks and one could argue is a vulnerability in itself.
All that said, one cannot simply go back to the old methods that add significant friction to the development process that’s supposed to add strategic value to the business. As mentioned above (#3, New Generation Security) is about collaboration and not conflict. With that the concept of Guardrails was born. This concept essentially implies that if there is a mistake, poor configuration, or ill-conceived design principal it should be limited through access controls and properly configured roles combined with logging and a deep understanding of who is doing what, when, and why.
>> Read more on DevOps Security for the Cloud
New Generation Security sets the path towards least-privileges
6) From Enforcement to Orchestration
Over the years, we have tended to use the network and our ability to stop threats. And for several years this approach has served us well: A new threat would come out and a new market of hardware appliances and desktop agents would be deployed to protect us. Over time we would stack the boxes inline or passively across the network, deploying more and more agents to better protect us.
The efficacy construct of these systems was largely premised on static signatures, simple patterns, and IP/ports and protocols – all of which have had diminishing returns. Enforcement generally equated to the ability to block something at the packet level or on a machine itself, at a low layer within the operating system (think kernel, etc.). When it came to the data center and traditional threats this was pretty static. While updates were delivered faster over-time, we never overcame a need for them – and new, unknown attack surfaces remained difficult to capture.
With modern IT in the cloud, everything changes. Constructs such as ephemeral workloads and autoscaling are far from static, IP addresses change frequently, you don’t own the network, and, even if you did, everything would still be encrypted across the wire. At the same time incredible projects like Kubernetes deliver resiliency and elastic scale. In non-modern IT worlds, unplugging a server was sacrilegious as auto-healing and scaling was unpredictable at best. In a modern IT world, it’s predictable chaos engineering, normal for nodes to come and go and it all just continues to work.
Furthermore, due to the programmability of it all one can do all of this automatically, and at scale. What this practically means is that instead of simply enforcing something at the network layer and continuing to have a machine on your network that is potentially infected you can orchestrate it offline. Additionally, when programmatic configuration mistakes happen in your infrastructure you can orchestrate them to be fixed, on the scale of one or one hundred with a software rollout.
When it comes to deploying an agent that uses enforcement you can run into several other issues. Not the least of which is the ability to operate in containers where updates can’t cause reboots and in managed containers where you don’t own the host OS.
New Generation Security adds the ability to fix root-cause problems without having to add complex systems outside that can alter the reliability and performance of the system
Not to oversimplify, but what it really comes down to creating the best of both worlds. Your strategic initiatives around cloud, cloud native, containers, and building incredible applications must move fast – yet also with safety and security in mind.
To accomplish this, organizations need to make the shift towards the New Generation of Security culture and platforms
Lacework embodies this New Generation approach, born in the cloud and fortunate to see a similar mindset in our customer base on a daily basis as they build and transform both their technology and Security/DevOps culture.
Understand your compliance misconfigurations, anomalies, or hidden threats by taking our Free Cloud Threat Assessment.
Photo by Jorge Vasconez on Unsplash