This article is more than 1 year old
Next Generation Security: No, Dorothy, there is no magic wand
Backup software – your best friend
Sysadmin blog Hardly a day passes without some kind of major security breach. The type of attack that was once considered staggering in scale has now become the norm.
When a Yahoo! breach was found to have lost a billion accounts, it seemed the only thing anyone found unusual about it was that Yahoo! had a billion accounts to lose.
Don’t become complacent. As the threats have evolved so the industry has coalesced around new product categories and definitions - next-generation security.
But go to any security conference and you'll find the same vendors promising to save the world, only this time using some AI-enhanced machine-learning proxycondom replete with coloured charts presented in smell-o-vision will spend half their keynotes banging on about "preventative best practices".
The truth is, that the next-generation security software that's out there really isn't that good and you're not nuts because you look at it and see nothing but holes.
Forewarned is forearmed. Here, then, is a quick run through how the vendors and their products have coalesced around next-generation security.
One area where hype is giving way to usable solutions is ID as a Service (IDaaS). Identity management technology has been around for ages, with Microsoft's Active Directory having dominated the identity and access control for more than 15 years. That's changing as identify management grows to encompass public cloud solutions and integrates directly into applications.
Microsoft is still a major player with Azure Active Directory, but all the big names are represented here. Google, Facebook and even Twitter increasingly are increasingly providing individuals' online identity and - in Google's case at least - that of organizational employees.
It is right and proper that of all the categories of security hype in 2017 IDaaS is the furthest along. Everything else in IT security hangs off of identity. Without secure, reliable ID, everything else is suspect. With so many different services, platforms and applications to integrate, "as a Service" is the only sane way to do it.
While the majority of IDaaS deployments seem to be centred around enabling identity and authentication for or across multiple SaaS applications, it's worth noting that this is slowly changing. Some organizations are using Google's IDaaS (though not, to my knowledge, Facebook or Twitter) for internal directory authentication, via services such as JumpCloud.
This is increasingly common in, for example, education. "Google Schools" are a really big thing in North America, and in many cases the Google-provided identity has more relevance than a Microsoft Active Directory provided one, leading some organizations to do away with it altogether.
Where Twitter, Facebook and the like are pushing outside of their traditional SaaS utilization is as customer-facing authentication services that then map back to an internal directory solution. This is used for situations where external-facing users (typically consumers) are to be granted limited access to internal resources.
Cloud Access Security Brokers (CASB) seek to prevent stupidity leaking from an organization's premises onto the wider internet. In a perfect world, they would monitor everything from social media to cloud storage and have a tantrum whenever idiocy was afoot.
Some CASB vendors have primitive solutions to the problem of people putting things into Dropbox that they really shouldn't. Others search Twitter for naughty words and most will sniff email for undesirables.
Despite there being huge feature gaps in these next-generation hybrid proxies, CASB startups sell for a lot of money. For example, veteran Symantec bought Bluecoat for $4.65bn last year.
CASB can reasonably be described as a must-have technology for businesses of all sizes at this point, but they should be consumed with a high dose of caveat emptor. It is likely that the CASB vendors will never truly catch up to the explosion of SaaS solutions, social media and cloud storage they must defend against, making this a category of solutions perpetually in development.
Security Information and Event Management (SIEM) is the younger, hipper name for monitoring software. As with all monitoring software SIEM solutions are miserable to use, even more miserable to configure, integrate poorly with a reasonable chunk of the things you need to monitor and aren't aware at all of the other things you want to monitor.
What sets SIEM apart from plain old monitoring is that some consideration has been given to concept of information overload. Apparently people with money cottoned on to the concept that simply flooding sysadmins with alerts about every minor hiccough from every subsystem of every application under management just leads to sysadmins ignoring their alerts inbox. Who knew?
SIEM ranges from Big Panda with Nagios to more full blown offerings from the likes of Solar Winds and from relative newcommers such as Splunk to more traditional enterprise players including HPE, IBM and Intel Security.
SIEM isn't so much a new security category as an old one that's being reborn. Everything here is about machine learning, newer more AI-enabled filters and analytics that come in flavours. As always, the solution you really want is three times the budget you actually have.
Malware, phishing and scams
Speaking of machine learning and AI, so-called Next Generation Anti-Virus (NGAV) promises to use the power of big data and slightly tweaked algorithms to usher in a new era in the battle against Malware, phishing and various email scams. Marking claims for this category elicit doubt.
NGAV solutions as a whole are better than signature-only based solutions. Of course, most of us haven't really been using signature-only based solutions for some time now. Claims that NGAV is better than traditional heuristic systems are still awaiting large scale independent verification, but there's no reason to think they won't be.
Much of the scepticism stems from the hard fact that no endpoint security system is 100 per cent effective. Vendors moved on from signatures to heuristics to public-cloud based machine learning and AI. This was promptly responded to by black hats employing machine learning and AI to defeat the NGAV being deployed by the vendors. It's the same cat-and-mouse game it's always been, only the tools have changed.
The real threat is the same as it has always been with endpoint security: that end users and organizations might actually believe that NGAV makes them secure. We all want to believe that we can simply install a security package and never think about the bad guys again. It's simply not true.
Technically a type of malware, ransomware has matured into its own category. Traditional malware tried simply to infect your computer in order to copy your data or turn your system into one of the millions of zombie bots clogging up the internet with spam. Ransomware, however, encrypts your data and holds it hostage until you pay a hefty fine to get it unlocked.
Peddlers of NGAV are trying to cash in on the ransomware with vague claims about being "better" than traditional antivirus systems. But even the best at detecting ransomware or its behaviours will eventually let some through. It's the nature of the beast.
The bad guys are still iterating far faster than the antivirus companies can keep up, next-generation or not. The best defence against ransomware is still proper backup software. This is true today and it will be true for all the foreseeable tomorrows.
Next-generation security is all being rolled into a category called Endpoint Detection and Response (EDR), even though many elements of EDR don't happen on the endpoint. According to Gartner, EDR consists of incident data search and investigation, suspicious activity detection, threat hunting or data exploration, stopping malicious activity and alert triage or suspicious activity validation. All of the various categories discussed above blur into EDR.
There are a lot of players seeking to claim a slice of the pie. A by-no-means comprehensive list includes Barracuda, Bit Defender, Carbon Black, Bromium, Cisco Systems, CounterTack, CrowdStrike, Cybereason, Cylance, enSilo, FireEye, ForeScout, Hexis, Invincea, Malwarebytes, Mandiant, McAfee, Microsoft, RSA Security, Palo Alto Networks, SentinelOne, Symantec, Tanium, Trend Micro, Triumfant, Webroot, and Ziften. Some are established players, many are startups.
EDR is about more than simply sending samples back to the mothership. It is the latest buzzword for defence in depth. At the edge, at the endpoint, tracking odd authentication behaviour and yes, bringing as much data – including application behaviour and malware samples – into public cloud-based machine learning analysis tools as possible. Then spitting it all back out into logs, dashboards and alerts that humans can cope with.
Security approaches are evolving, and a lot of data is being collected by next-generation offerings. What remains to be seen is if these vendors will spend the next product cycle trying to convince us that they and they alone have the solution to all our ills, or whether they'll pool their knowledge and resources for all our benefit. In the meantime, we have new tools to learn.