CLOUD PARTNERS — A new study from privacy and information-security research firm Ponemon Institute reveals that 75 percent of U.S. organizations are not prepared to respond to cyberattacks; that’s according to more than 600 IT and security executives across verticals including financial services, healthcare, government, technology and manufacturing. Just 32 percent feel that they can properly recover from a cyberattack.
Meanwhile, you likely have customers saying security is a deal-breaker for cloud software and infrastructure, even though providers have worked hard to lock down their services and add resiliency. At last week’s Cloud Partners, security expert Bill Brenner of Akamai Technologies, along with Andy Daudelin, VP of cloud networking for AT&T; Mike Davis, CTO of security firm CounterTack; and Bernie McGroder, VP of sales engineering for GTT Communications, provided some ammunition for partners to explain how cloud services may actually protect against cyberattacks while helping with recovery.
In fact, said CounterTack’s Davis, cloud providers’ security practices are typically far superior to those of their customers. Some factors: PCI-compliant networks, like GTT’s; integrated unified threat-management services so devices are automatically updated with new signatures as soon as they become available; and data-loss detection.
“Catching and responding to ‘low and slow’ breaches is as important as the big ones,” said AT&T’s Daudelin.
Panelists shared some common security mistakes that companies they work with make. A top example: Neglecting to educate employees can cost you. Relying on appliances and automation alone won’t work.
“Your employees must be taught: You are the firewall,” Daudelin said. “Another is feeling invulnerable because you ‘don’t have sensitive data.’ That’s why hackers have turned to ransom attacks.”
Too many people have too much access, said Davis, especially admin rights. It’s not just that attackers could destroy or delete data; they may also create fake data. CISOs also fail to run simulations.
“You need to have some fire drills in the event of a breach, so everyone knows where to go,” he says. “I like the approach of treating it as a disaster. Whether you’re shut down by ‘Snowmageddon’ or a hacker, the effect is the same: You can’t process sales, you can’t make money.”
His mantra: Security is not an event.
“I see companies throw security at a person who already does telecom and many other things,” he said. As a trusted adviser, when you see this happen, it’s time to make some recommendations. “Buy the service along with the box; most outsourced providers can do it better than the small company,” he said. One caveat: You must have the right process on the business side to deal with the service you bought. Ensure contact lists stay current.
Daudelin points out that many small companies make the mistake of thinking that they can’t afford security.
“Network-based firewalls can be a very inexpensive way to build in some protection,” he says. “You can get a fairly low-cost threat monitoring service.” CISOs also make a mistake when they assume that “compliant” equals “secure.”
“People who are just looking to check the boxes might as well not bother,” said Daudelin. “Audits, on the other hand, are great if you use them properly. We have a consulting practice, for example, that does penetration testing. Security is a spectrum, it’s not binary. Compliance is one tool, but it shouldn’t be the only one.”
AT&T itself monitors 100,000 petabytes of data daily.
“We have 50 patents on alerting technology that pares that down to a manageable 50 alerts,” said Daudelin. “Companies need to seek help in paring down data.”
Speaking of paring down, it can be a struggle to convince customers to scrap old technology that is still working well for the business.
“Sometimes I go into a mom and pop and I see the PC behind the desk, and they’re running XP Professional,” said Akamai’s Brenner. If you can’t get them to donate the PC to a museum, at least insist on a supported OS.
“On end systems, make sure you’re getting service patches,” said McGroder. “Stay within the revision that’s supported by your vendor. That’s a critical element.”
Davis’ recommendation is to get rid of computers and go mobile wherever practical. Issue a tablet with a credit-card reader and service like Square. “Move everything you can to the cloud; there’s less opportunity to screw up,” he said.
AT&T’s Daudelin agrees, with caveats.
“There’s also the opportunity to make that [mobile-plus-cloud setup] less secure, say, if folks are using their mobile for personal and for work,” he said. “In the cloud it’s very important to have encryption, but also to make sure your network connectivity is secure all the way into your cloud environment.”
That’s not to say he’s against BYOD.
“I work with doctors who also work for two hospitals as well as their own practices,” he said. “It makes sense to have just one device. But deploy the technology that helps you separate and secure the environments.”
Akamai’s Brenner asked panelists about the five questions partners should ask customers before recommending a security solution.
Daudelin: Do I have basic filtering in place? Buying boxes can be expensive and difficult to properly size. Look into cloud and network security services that provide email, network filtering, and app filtering. Do I have monitoring in place to know whether I’ve been breached? If I got an alert, how quickly could I respond?
Do I have compliance? Do I know what’s going on across environments? If my company is playing in multiple clouds, how quickly could I shut down across multiple clouds?
Davis: Ask what happens after hackers get in. Whom do you call? Did you sign any legal contracts that require you to tell a vendor? How do you communicate this? Do you have to inform your own people? What else do you need to stay resilient during the attack? For the next two weeks?
McGroder: The questions depend on the responsibility of the buyer. Is it budgetary? That’s a checkbox mentality. Is it security? That’s someone who’s more apt to listen to why you need to follow these policies and procedures. Are there multiple failed login attempts?
“We provide services around PCI compliance,” he said. “We often notify customers before they notify us, especially when it comes to daily log reviews.”
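The panelists keep coming back to the same three things: monitor so you know when you’re breached, look for multiple failed login attempts, and pare a flood of raw events down to a handful of alerts. The script below is an added illustration of what a minimal daily log review of that kind looks like; it is not code from any of the panelists or their companies. It runs over constructed OpenSSH-style auth log lines (the hostname, IP addresses, usernames and the year 2016 are all assumptions) and applies two rules per source address: a burst rule for classic brute force, and a distinct-usernames rule that catches the “low and slow” spraying Daudelin mentioned, which never trips a per-minute threshold.

```python
# Added example (not from the panel or any vendor named on the page): a small
# daily-log-review routine over constructed sshd-style auth log lines. It pares
# a stream of raw events down to a few alerts by flagging (a) bursts of failed
# logins from one source and (b) "low and slow" password spraying that never
# trips a per-minute threshold. Log format, thresholds, hosts and IPs are assumptions.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the style of an OpenSSH auth log (syslog format, year assumed).
SAMPLE_LOG = """\
Sep 14 08:00:01 pos01 sshd[1011]: Failed password for admin from 203.0.113.5 port 50100 ssh2
Sep 14 08:00:03 pos01 sshd[1012]: Failed password for admin from 203.0.113.5 port 50101 ssh2
Sep 14 08:00:05 pos01 sshd[1013]: Failed password for root from 203.0.113.5 port 50102 ssh2
Sep 14 08:00:07 pos01 sshd[1014]: Failed password for admin from 203.0.113.5 port 50103 ssh2
Sep 14 08:00:09 pos01 sshd[1015]: Failed password for admin from 203.0.113.5 port 50104 ssh2
Sep 14 08:00:11 pos01 sshd[1016]: Failed password for admin from 203.0.113.5 port 50105 ssh2
Sep 14 08:15:00 pos01 sshd[1020]: Accepted password for clerk from 192.0.2.10 port 41000 ssh2
Sep 14 08:16:00 pos01 sshd[1021]: Failed password for clerk from 192.0.2.10 port 41001 ssh2
Sep 14 08:16:20 pos01 sshd[1022]: Accepted password for clerk from 192.0.2.10 port 41002 ssh2
Sep 14 09:00:00 pos01 sshd[1030]: Failed password for invalid user alice from 198.51.100.7 port 39000 ssh2
Sep 14 11:00:00 pos01 sshd[1031]: Failed password for invalid user bob from 198.51.100.7 port 39001 ssh2
Sep 14 13:00:00 pos01 sshd[1032]: Failed password for invalid user carol from 198.51.100.7 port 39002 ssh2
Sep 14 15:00:00 pos01 sshd[1033]: Failed password for invalid user dave from 198.51.100.7 port 39003 ssh2
Sep 14 17:00:00 pos01 sshd[1034]: Failed password for invalid user erin from 198.51.100.7 port 39004 ssh2
Sep 14 19:00:00 pos01 sshd[1035]: Failed password for invalid user frank from 198.51.100.7 port 39005 ssh2
"""

# Matches only failed-password lines; successful logins and unrelated lines are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_failures(log_text, year=2016):
    """Yield (timestamp, user, source_ip) for each failed-login line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["src"]


def detect(log_text, burst_threshold=5, burst_window=timedelta(minutes=1),
           spray_threshold=5, year=2016):
    """Return a list of alert dicts, keyed on source IP.
    burst: >= burst_threshold failures inside any burst_window (brute force).
    spray: >= spray_threshold distinct usernames over the whole log (low and slow)."""
    by_src = defaultdict(list)
    for ts, user, src in parse_failures(log_text, year):
        by_src[src].append((ts, user))

    alerts = []
    for src, events in by_src.items():
        events.sort()
        # Sliding window over the sorted timestamps; report each source at most once.
        start = 0
        burst_reported = False
        for end in range(len(events)):
            while events[end][0] - events[start][0] > burst_window:
                start += 1
            if end - start + 1 >= burst_threshold and not burst_reported:
                alerts.append({"rule": "burst", "src": src, "count": end - start + 1,
                               "first": events[start][0], "last": events[end][0]})
                burst_reported = True
        users = {u for _, u in events}
        if len(users) >= spray_threshold:
            alerts.append({"rule": "spray", "src": src, "users": len(users),
                           "first": events[0][0], "last": events[-1][0]})
    return alerts


if __name__ == "__main__":
    # 15 raw lines in, 2 alerts out: one burst from 203.0.113.5, one spray from 198.51.100.7.
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The clerk who mistypes a password once never produces an alert, the burst source is reported a single time rather than once per event, and the spraying source is caught only because the rule looks at the whole day rather than a one-minute window. Real deployments feed this kind of logic from a central log store and tune the thresholds to the environment; the point is that the review runs every day, not only after someone notices a problem.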
Brenner sums it up this way: Hacker groups never sleep. “There’s a misconception that an attack happens, it stops. It happens, it stops,” he said. “There’s a spinning globe at the Akamai NOC that shows the level of attack activity. It’s constant.” Unless customers can maintain the same level of vigilance, consider cloud.
Ellen Muraskin contributed reporting. Follow editor in chief @LornaGarey on Twitter.