“If you know yourself, but not the enemy, for every victory gained you will also suffer a defeat.”
― Sun Tzu, The Art of War
There has never been a better time in history to work in cybersecurity. Crypto-currencies are becoming more and more common. Official zero-day exploit markets are offering up to $1,500,000 per submission. State-sponsored attacks and large-scale breaches are becoming a daily reality, with large enterprises being targeted by professional teams of hackers. Ransomware has opened new roads to consumer and small business markets. Large networks of barely secured IoT devices have provided welcome new members to an ever growing family of botnets. With a massive influx of capital, the cybersecurity industry is more professional than ever. Life is great — if you are wearing a black hat…
“If he sends reinforcements everywhere, he will everywhere be weak.”
― Sun Tzu, The Art of War
Attackers are all riled up, but let’s have a look at the opposite corner of the boxing ring. Most companies are well prepared — but for the last war, using tools and strategies that were sufficient against lone attackers, hacktivists, and insiders. The good news is that, due to recent high-profile breaches and their ability to severely damage the brand name and the bottom line, security is now considered a business problem rather than simply an IT problem. Budgets are being increased, with 70% of employers around the world planning to increase the size of their cybersecurity teams.
That sounds like really good news, but unfortunately there is one problem: we don’t have the people. The widely cited number is that in the next 5 years there will be 1.5 million unfilled positions; however, if you look at the latest revision of the study, this estimate has already been increased to 1.8 million. It’s not surprising that (according to the same study) the median salary in cybersecurity has reached $124,000 USD, while some salaries for cybersecurity experts have exceeded $200,000 USD per year. The gap in skills is even more alarming, with only 23% of IT managers saying their security team is well-trained and up-to-date and only 14% of organizations saying there are “plenty” of skilled security professionals available on the market.
I have attended a wide range of security conferences this year and it is clear that the attackers are preparing for a different type of war than defenders. Building a moat around your castle is not going to help you if attackers are launching nuclear warheads.
“Therefore, just as water retains no constant shape, so in warfare there are no constant conditions.”
― Sun Tzu, The Art of War
Unfortunately, this problem doesn’t really have simple solutions. When demand outweighs supply by so much, the best approach is a combination of different short- and long-term initiatives, in the hope that the gap will be closed before it’s too late.
Education will be a critical component, with 87% of cybersecurity experts today saying that their first career was not in cybersecurity (I’m guilty of this, too; I studied accounting at school). Getting more women into cybersecurity could prove to be a life-saver, not unlike how they helped to revive the accounting industry in the 1950s. The current gender disparity is alarmingly high – about 90% of cybersecurity experts are men, while conferences such as DEFCON show us that women are more than capable and don’t lack the required skills.
Unfortunately, even if we focus our resources and attention on education right now, it will take years to close the talent gap. So, which options are available in the next few years?
Given my background, I see automation as one of the solutions. Python/PowerShell skills are quickly becoming among the most important skills you can have. With a limited pool of security experts, you want to amplify and multiply their impact and productivity. The challenge is finding people with both security and automation skills.
The lack of qualified human resources also explains why the IT security industry is trying to get more help from our (not yet sentient) silicon friends – with the rise of Machine Learning/Artificial Intelligence and Analytics solutions in the market. Well, at least in the marketing materials and lingo for now – it remains to be seen which companies can truly deliver on their promises in these areas. Don’t forget that ML/AI can also be used by attackers. And if there is one lesson all of us should learn, it’s that cyber attackers are much better at recognizing which technologies work and which ones only provide a false sense of security.
Want to know another common practice when companies need skills and knowledge that are hard to find? Outsourcing or using managed services. This is certainly a valid strategy, but it has its limitations. The fact that you can outsource almost every single security position does not mean that it’s a good idea; certain security functions should definitely be kept in-house.
Orientation towards more cloud and *-as-a-Service solutions is certainly one of the most common approaches – and it is highly effective at solving the problem. However, the ability to find the right partner and to prepare properly is increasingly important for companies, as cloud providers are morphing into concentrated hubs of data with back-end channels into company networks. It’s hard to imagine a more attractive target for attackers; it’s going to be interesting to see what this move towards the cloud will mean for IT security over the long term.
“Great results can be achieved with small forces.”
― Sun Tzu, The Art of War
Cloud, machine learning, artificial intelligence… these are nice and fancy terms, and they will certainly help in the future, but they are not solving the problem that we have right now. Building a brand-new, cloud-first company is different from holding an enterprise behemoth on your shoulders, with thousands of applications, many of them brought in through acquisitions.
According to Gartner, by 2023, 90% of current applications will still be in use. That means there are going to be tens of thousands of applications that enterprise IT will need to assess, understand and secure. This is one of the biggest advantages attackers have over defenders – while defenders need to secure every available asset, attackers often need to find only a single weak application to topple all the IT dominoes. The whole concept of lateral movement of attackers and graph theory is a huge topic on its own and deserves a separate blog post.
I’ve met many self-taught programmers in business units – people who tried to improve business processes by writing a few small scripts or VBA macros that suddenly became critical components of day-to-day operations and ended up being used by thousands of employees. These kinds of applications and data sources are often ignored – IT doesn’t want to touch them, there is no budget to get them fixed/secured, and they’re ultimately going to be replaced by another, more professional application “very soon” (an excuse that is often repeated for many years). Using a powerful analytics engine and artificial intelligence to protect your critical database of customers is great, but that protection is worthless if the same data is available from a Microsoft Access database hosted on a Windows Server 2003 file server.
To meet this challenge head on, companies need to look for solutions that will allow them to secure large quantities of applications and data running on various systems, and accessed from different devices and networks. You want to provide your limited pool of security experts with proven tools that enable simple, repeatable, and generally applicable methods to secure applications and data.
Citrix XenApp and XenDesktop provide exactly this functionality. They allow you to centralize any Windows- or Linux-based application, monitor and record access to this application and apply a wide range of security features, from multi-factor authentication to context-aware policies. Combine this with operational advantages – from the initial security assessment of the application by the AppDNA security module, through the rapid patching capabilities provided by Application Layering, which makes it possible to use single image management and to control collections of machines through centralized management consoles.
Citrix NetScaler plays a major role in this architecture. Passwords have been identified as one of the weakest links of our current security models, and NetScaler is the right solution to solve this problem, whether it’s using context-aware policies, support for a wide range of multi-factor authentication options (with nFactor allowing you to implement advanced logic and processing), support for various identity providers to provide centralized authentication points, or support for federation to completely avoid dealing with passwords.
Citrix XenMobile can help to secure mobile users, their devices, and their applications. Mobile Application Management (MAM) is focused on securing and managing applications as individual components through application micro-VPNs, encrypted sandbox containers, and policy-based controls. Again, these security features can be centrally managed and deployed to any mobile application that is developed internally.
Finally, Citrix ShareFile and Podio can help to secure files and documents, but they also provide a quick and secure replacement for some legacy processes. ShareFile custom workflows and Podio web forms can replace the most common data repositories in enterprises: email systems and spreadsheets. Data exchange through email is becoming more controversial with the next generation of data privacy laws, such as GDPR, as you’ll need to be able to support on-demand removal of personal data and all copies (including disaster recovery, backups and physical copies). Both ShareFile and Podio provide easy-to-use interfaces for these custom forms, making it simple for business users to adapt them to their needs.
To fight against the next generation of hackers, companies need to be well prepared, with expert teams of highly skilled and properly trained professionals. Making them as effective as possible and giving them the right tools to secure company assets will make them much more likely to succeed.
“If you know the enemy and know yourself, you need not fear the result of a hundred battles.”
― Sun Tzu, The Art of War
Citrix TechBytes – Created by Citrix Experts, made for Citrix Technologists! Learn from passionate Citrix Experts and gain technical insights into the latest Citrix Technologies.