It’s time to circle the wagons and defend the data and users
As the world reopens, the conference booths light with excitement and empty expo halls are once again filled with hustle and bustle. I thought it important to take a moment and look at what changed in the past two years and where the security industry has room for improvement. This was the first in-person RSA Conference, and likely the first major security conference at all for that matter, with large in-person attendance after the peak of the COVID-19 pandemic. While the conference looks very similar to conferences before the pandemic, the cybersecurity industry landscape has drastically changed.
The most obvious change worth mentioning is the rapid adoption of remote work and the security implications of this shift in how the world works. As a student of both history and technology I have found this shift not only exciting, but at times terrifying. Prior to the Industrial Revolution most people earned their pay through the “cottage industry,” in which they would manufacture goods or provide services on a small scale from their own homes. It wasn’t until the Industrial Revolution that the concept of requiring people to collectively travel to large facilities to manufacture goods or provide services was born, and when computers and the internet found their way into our daily lives this concept endured, with companies requiring employees to show up at the office daily. A common mindset of executives has always persisted that their employees couldn’t possibly be as productive working from home as they could be working in an office, and only the most senior and trusted employees could be granted the “privilege” of working remotely. Somewhere along the way, executives even got the idea that employees could be more productive not only working in an office, but working in offices with open floor plans, removing private office and cubicle walls so employees could more easily collaborate. As someone who worked in an office environment for 15 years with slowly disappearing cubicle walls, I can tell you that this is not the case. The modern office environment is distracting, with coworkers constantly interrupting whatever it is you are working on, sometimes for a quick question, sometimes just for a friendly chat, but typically with something that isn’t truly urgent enough to require interruption of work. Suddenly, we’ve found many workers back in the cottage industry, and while this has actually created a more productive environment with fewer interruptions, this rapid shift to a distributed workforce caught many organizations off guard. 
Instead of everyone being in a factory making widgets, we’ve found ourselves with each employee making their own part of the widget from their home, then shipping it off to other employees for the next step toward completion. Thanks to the power of the internet, many data-focused organizations were able to embrace this new work method, which was even looked at as “backwards” and “less productive” by executives prior to the pandemic. In fact, this was the next logical transition in the way we do business in the 21st century. Our data is no longer inside the castle, so why do the employees working with that data need to be inside?
Just as many companies at RSAC attempt to “disrupt” the industry, the biggest disruption of all was the forced shift to remote work due to the pandemic. While the pandemic was absolutely a terrible event that I hope we’ll never see again in our lifetimes, the forced workforce revolution has quite possibly been one of the most pivotal moments in the history of cybersecurity. Many organizations simply weren’t ready for this shift and for far too long focused on traditional “castle defense,” relying upon layers of security and expecting that if sufficient layers exist between data and the attackers, that data will be protected. After speaking with many vendors at RSAC, I have come to realize that the data security problem we saw for many years prior to the pandemic is due in part to attempts to maintain traditional castle defense strategies while data and users are sometimes no longer inside your castle. We as an industry have been failing for many years because we became too set in our ways, too focused on traditional security techniques that do not translate to cloud computing or a remote workforce. In the past, many of us referred to security as a “chain” with the user often being the weakest link. While we absolutely have room to improve for strengthening the human element, many of us have been ignoring the fact that the chain is no longer contained within the castle, and as a result, data and users are sometimes left outside, vulnerable and undefended.
While our corporate environments may still be looked at as our castles, I now look at cloud applications and data as frontier forts in the Wild West of the late 1800s. Building the forts was very dangerous, since you were likely to be attacked while still building the fort, or sometimes someone would forget to lock the back gate of the fort and adversaries could slip in, just as many data breaches have typically been caused by misconfiguration of cloud containers. There is still a need to transfer data between forts, so just like in the Wild West, we must treat our data, and our users, much like the stagecoaches and wagon trains that would travel between forts and towns. These stagecoaches and wagon trains required special protection while “in the wild” and outside the defenses of our forts, often through an armed escort riding on the stagecoaches, or a “strength in numbers” defense with wagon trains. This is the origin of the phrase “circle the wagons,” where wagon train members would place their wagons in a defensive circle against attacks while in the wild. Before the pandemic, we did an excellent job at protecting our castles and a pretty decent job at protecting our forts, but we never truly focused on the stagecoaches and wagon trains while outside traditional protection layers, leaving data and users vulnerable when travelling between castles and forts.
The two most popular buzzwords at RSAC were “zero trust” and “XDR.” But neither of these terms truly describes the challenge the industry was forced to address overnight – how to protect the stagecoaches when they’re outside of the protection of the castles or forts? Many data-driven organizations found during the pandemic that working remotely, or hybrid work between remote and office, resulted in a happier, more productive workforce, and organizations want to embrace that. As a result, more vendors are now focusing on user endpoint and cloud security. From an industry perspective, this was desperately needed. For some time now, adversaries have ignored the castles and focused on the forts and wagon trains, checking to see if they’re unlocked or undefended. Many of the vendors I spoke with discussed this new shift in protection dynamic and have exciting solutions, but some of these solutions are single-purpose. They work well to defend individual stagecoaches and sometimes may struggle to combine with other solutions to “circle the wagons.” Fortunately, most of the vendors I met with this week “get it” and see the need to integrate with other products, even their direct competitors and products outside their traditional wheelhouse. When an organization has purchased four separate products that offer a “single pane of glass” interface, but none of these products can talk with each other, that single pane of glass just became four separate windows, each with different lights, buzzers, alerts, and functionality. We must do better.
One of the common themes of this year’s keynotes was indeed coming together in defense of a common good. Far too often, the security industry focuses only on protecting castles and forts, and sometimes their own stagecoach, but doesn’t look for ways to integrate with the entire wagon train. While competition between security vendors can be good and spurs some fantastic innovations, what becomes challenging is when these innovations simply can’t connect with others. Without the ability to work together, we find ourselves looking at fractured interfaces protecting different pieces of the distributed environment, with no true means of viewing the full picture, or tracing when adversaries cross from one boundary to another. The fact of the matter is, our adversaries don’t care when they cross boundaries from one security interface to another and will likely do so often not only to find the best means of gaining access to sensitive data, but to intentionally make their intrusion difficult to trace. Competition can be healthy, but let’s make sure that during our competition to build the best XDR solution, or zero trust solution, or industrial security solution, or even people solution, that our solutions can work with the solutions of others. There is no security “silver bullet” and never will be. Only by circling the wagons and working together can we successfully defend against our common adversaries, who will always be very vendor-agnostic in this rapidly shifting and wild, wild frontier.