Last week, I attended an excellent briefing given by Tom Gillis, Senior Vice President and General Manager of VMware’s Networking and Advanced Security Business Group, in which he discussed various important cybersecurity-related trends that he and his team have observed. Gillis shared how VMware’s customers’ attitudes towards security appear to be evolving in light of both recent developments within the cybersecurity industry and events going on in the world at large; among the developments that he discussed were indications of a shift in the attention of those responsible for ensuring organizational cybersecurity toward a greater focus on threat analysis.
Many of Gillis’s comments echoed those that I have heard in recent months from CISOs and others within the cybersecurity industry who witness developments from vantage points quite different from those of a vendor of cybersecurity technologies. Additionally, while VMware’s customers obviously invest in areas of cybersecurity related to VMware’s fields of activity, many of Gillis’s observations were clearly vendor neutral and not limited to VMware’s areas of activity, applying to VMware’s competitors just as much as they did to VMware.
As such, I thought I would share two particular points that Gillis covered during his presentation, both of which are similar in nature to comments that I have heard recently from other folks working in other areas of the cybersecurity field, and both of which I believe will be interesting for many of my readers to learn about:
Zero Trust Gaining Acceptance In Real-World Information Security Programs
While “zero trust” has been a buzzword for some time, the principle of zero trust, and expenditures toward getting organizational policies, procedures, and infrastructure closer to delivering it, is gaining acceptance as constituting a fundamental component of information security programs.
CISOs and others responsible for security have clearly shifted from a “defend the fort” approach to one in which they recognize that, despite their valiant efforts to protect information and information systems, they must assume that their respective organizations have suffered cyber-breaches about which they are unaware. As a result, cybersecurity programs must be crafted and implemented not only to defend against lateral movement through data systems by so-called “authorized users” but also to treat users on internal networks as if they were no more trustworthy than users accessing via Internet-based connections emanating from halfway around the world.
Today, cybersecurity professionals must deem all traffic – including traffic for communications occurring solely on internal networks under their purview – as potentially dangerous.
Sampling No Longer Works
As a result of the risk of attackers being present on internal networks and appearing to be authorized internal users, the approach taken in the past of examining only small samples of the traffic flowing laterally within organizational networks (AKA “East-West Traffic”) – a compromise made to preserve performance while still trying to identify and stop unauthorized activities – is no longer appropriate. Because most internal traffic is likely to be generated by legitimate users, or may appear to be coming from legitimate users, trying to extrapolate from a sample set of data in order to determine (or, more accurately, “to predict”) what should and should not be happening is likely to fail. In such situations, sampling may cause security systems to misunderstand what is legitimate behavior and what is not, as well as to miss various uncommon, yet extremely dangerous, unauthorized lateral movements.
Furthermore, sampling is unlikely to detect breaches that occur within a single computer – and a hacker who does breach a single system may wait before moving laterally in order to avoid detection. If compromising a single device can lead to a hacker eventually moving laterally and wreaking havoc, or is itself likely to adversely impact a business, relying on sampling may lead to seriously adverse consequences.
In addition, the proliferation of virtual-machine-based implementations of computer systems means that, today, tapping network “wires” (including their air-based wireless equivalents) may miss significant amounts of lateral movement, since traffic between virtual machines on the same host passes through a virtual switch and never reaches a physical wire at all. This is true even if all captured network traffic is analyzed, and is even more problematic if only samples are taken.
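To make the sampling argument concrete, here is an added example (my own illustration, not code from the original briefing or from VMware) that runs a simple east-west policy check over a constructed set of internal flow records, once against every flow and once against a 1-in-100 systematic sample. The topology, the allowlist rule (workstations may reach servers only on port 443) and the five interleaved lateral flows are all constructed for the demo; the closed-form miss probability (1 - 1/n)^k is the standard result for random 1-in-n sampling of k rare events.

```python
"""
Why sampled east-west flow inspection misses rare lateral movement.
All hosts, flows and policy below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    nbytes: int


# Constructed zero-trust style policy: workstations (10.1.0.0/16) may talk to
# servers (10.2.0.0/16) only on 443; any other workstation-to-server port is
# treated as lateral movement, internal origin notwithstanding.
ALLOWED_WS_TO_SERVER_PORTS = {443}


def is_workstation(ip: str) -> bool:
    return ip.startswith("10.1.")


def is_server(ip: str) -> bool:
    return ip.startswith("10.2.")


def is_lateral(flow: Flow) -> bool:
    """Rule: internal workstation -> internal server on a non-allowlisted port."""
    return (is_workstation(flow.src) and is_server(flow.dst)
            and flow.dport not in ALLOWED_WS_TO_SERVER_PORTS)


def build_flows(n_legit: int = 2000) -> List[Flow]:
    """Constructed flow log: n_legit benign HTTPS flows plus 5 lateral flows
    from one workstation, inserted at hand-picked positions so the run is
    reproducible (positions are increasing, so they are the final indices)."""
    flows = [
        Flow(f"10.1.{(i // 250) % 4}.{i % 250 + 1}", f"10.2.0.{i % 10 + 1}",
             443, 1500 + (i % 7) * 100)
        for i in range(n_legit)
    ]
    lateral = [Flow("10.1.0.17", f"10.2.0.{d}", p, 900)
               for d, p in ((3, 445), (4, 445), (5, 3389), (6, 22), (7, 5985))]
    for pos, f in zip((137, 611, 1204, 1499, 1873), lateral):
        flows.insert(pos, f)
    return flows


def detect(flows: List[Flow]) -> List[Flow]:
    """Full inspection: evaluate the policy on every flow."""
    return [f for f in flows if is_lateral(f)]


def systematic_sample(flows: List[Flow], n: int, offset: int = 0) -> List[Flow]:
    """Keep every n-th flow, starting at `offset` (classic 1-in-n sampling)."""
    return [f for i, f in enumerate(flows) if i % n == offset]


def miss_probability(k_lateral: int, n: int) -> float:
    """P(random 1-in-n sampling sees none of k lateral flows) = (1 - 1/n)^k."""
    return (1 - 1 / n) ** k_lateral


def compare(flows: List[Flow], n: int = 100) -> Dict[str, float]:
    """Contrast full inspection with 1-in-n sampling across every sampling phase."""
    full = len(detect(flows))
    seen_by_phase = [len(detect(systematic_sample(flows, n, o))) for o in range(n)]
    return {
        "full_alerts": full,
        "sampled_alerts_phase0": seen_by_phase[0],
        "phases_seeing_nothing": sum(1 for s in seen_by_phase if s == 0),
        "analytic_miss_probability": miss_probability(full, n),
    }


if __name__ == "__main__":
    result = compare(build_flows())
    for key, value in result.items():
        print(f"{key}: {value}")
```

Full inspection raises all five alerts; the default sampling phase raises none, 95 of the 100 possible phases raise none, and the analytic figure for random sampling, 0.99^5, is about 0.95, so a 1-in-100 collector would be expected to miss this entire lateral-movement burst nineteen times out of twenty. Note that the single-host case from the text (a compromise that generates no network flows at all until the attacker chooses to move) is invisible to both paths here; only host-level telemetry can cover that gap.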