With eroding perimeters, will software defend against cyber threats?
Are software-defined networks the solution to mitigating security risks in a digital world that knows no boundaries?
No, it’s not 1987, and President Reagan isn’t calling for Mr. Gorbachev to “Tear down this wall!”
Rather, it is the age of cyber warfare, and if enterprise security teams hope to protect the crown jewels, they must tear down the proverbial wall, because perimeter-based security is failing.
“Perimeter-based security technologies fail against today’s threats for one simple reason; the network perimeter no longer exists,” said Chris Day, chief cybersecurity officer, Cyxtera.
Cloud technologies, introduced over a decade ago, started to chip away at the concept of traditional network perimeter defense. Since then, Day said, the perimeter has continued to erode with the advent of API-driven IT.
The problem is, network security hasn’t kept pace with IT transformation. “The notion that you can protect the network through physical hardware constrained by endless rules and patches isn’t viable,” Day said.
As technology has changed, security teams have struggled to determine where best to build their defenses, particularly in a hybrid environment.
Where to build defense?
For those challenged with determining where to defend their networks — at the perimeter, device, data, or even application layer — technology offers no clear solution.
“The answer to the question ‘where’ is always moving. It’s moving away from perimeter and toward device, entity, and users,” said retired US Air Force officer and co-founder of Infocyte Chris Gerritz.
Traditional networks were designed much like an M&M candy, said Gerritz. “They had a hard candy shell with a soft center, and outside the shell was everything that was evil — the internet.”
In today’s expanding networks, there is no more hard shell. Every network is now a mesh of threat vectors, whether cloud applications, data stores, tunnels, employees logging onto a Starbucks WiFi, or people working from home.
A shell no longer exists around the assets you are trying to protect. There may be some smaller shells that can be protected with defense in depth, said Gerritz, but the main perimeter is porous.
How to protect anyone, anywhere and everywhere
Because the answer to where to protect is constantly moving, security strategies are shifting. “Instead of trying to protect an IP address, we need to shift our strategy to an identity-centric model that starts with the user,” Day said.
A software-defined perimeter, in which authenticated users are given access only to approved resources, means that unauthorized resources are completely invisible, Day said, which dramatically reduces the attack surface.
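The contrast Day draws, as an added illustration that is not from the article or from Cyxtera: a location-based check that trusts anything inside a network range, beside an identity-centric, default-deny decision in which a caller can only see (and therefore only request) the resources their identity and device posture entitle them to. All names, roles, and the resource catalogue are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# The model the article says is failing: trust keyed to network location.
INSIDE = ipaddress.ip_network("10.0.0.0/8")  # constructed "corporate" range

def perimeter_allows(src_ip: str) -> bool:
    """Anyone who reaches the inside network is trusted, whoever they are."""
    return ipaddress.ip_address(src_ip) in INSIDE

@dataclass(frozen=True)
class Identity:
    user: str
    roles: frozenset
    device_managed: bool  # hypothetical posture signal, e.g. MDM-enrolled

@dataclass(frozen=True)
class Resource:
    name: str
    allowed_roles: frozenset
    require_managed_device: bool = False

# Constructed sample catalogue of protected resources.
RESOURCES = (
    Resource("payroll-db", frozenset({"finance"}), require_managed_device=True),
    Resource("wiki", frozenset({"finance", "engineering"})),
    Resource("build-server", frozenset({"engineering"})),
)

def visible_resources(identity: Identity, resources=RESOURCES) -> list:
    """Return only the resources this identity may use.  Everything else is
    withheld entirely, so an unauthorized caller cannot even enumerate it."""
    out = []
    for r in resources:
        if not identity.roles & r.allowed_roles:
            continue  # no role grants this resource
        if r.require_managed_device and not identity.device_managed:
            continue  # entitled role, but device posture is insufficient
        out.append(r.name)
    return out

def authorize(identity: Identity, resource_name: str, resources=RESOURCES) -> bool:
    """Default deny: a request for anything outside the visible set is refused
    the same way whether or not the resource exists."""
    return resource_name in visible_resources(identity, resources)
```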
As attention has shifted away from defending the perimeter, more emphasis is being put on monitoring, detection, and incident response tools. The problem is that these tools require the collection of data and logs.
To protect users, Gerritz said, “You need to get a hold of all devices on the network, get logs from each device, and be able to centralize, monitor and detect.”
But reaching down to the device and user level presents challenges, particularly with BYOD, because you don’t have full visibility when you don’t have access to user devices.
Software-defined networks can help, Gerritz said. “If you can funnel the devices through the choke point artificially, you can capture the network traffic. Put those BYOD devices on a separate network, but it’s not going to correct all of these issues.”
The problem with software-defined networks is software
It is possible to simulate a perimeter, but that can be a losing battle, said Gary McGraw, vice president of security technology at the Synopsys Software Integrity Group.
“We have to build software better in the first place, making it harder to attack. Design it intentionally so that it is expected to be attacked,” McGraw said.
While the concept of software security has been around for years, only about 10% of coding languages are built to help developers do a better job.
Modern programming languages allow bugs to creep in, leaving the code susceptible to attack, which means developers need to take the time to do analysis and code scanning and to look for bugs before the code is interpreted.
“Instead of protecting software that may or may not be broken by putting a thing in between software and the bad people, think about how to build the software to be much harder to attack in the first place,” McGraw said.
Software-defined networks can define perimeters and be used in harmony with other tools in the overall security ecosystem, but when security is not front of mind while creating the software, attackers will prevail.
“Do an architecture analysis of the design before you start writing code,” said McGraw. Teams can do that within the software development lifecycle, using continuous integration, so that the design does not have flaws.
One seemingly obvious but often ignored step that is hugely important is to look at the code of the software. “Make sure there are no common bugs that lead to issues,” McGraw said.
Again, there is no silver bullet that will eradicate all risks, but taking proactive — rather than reactive — measures to build security in means that across the industry security practitioners and developers alike will have to spend less time fixing broken stuff.