The way in which IT departments have been approaching information security is flawed, according to Juniper Networks senior director and security architect Christopher Hoff, who said that security departments need to adopt automation to free up their time to think outside the box.
(Credit: Michael Lee/ZDNet Australia)
Speaking to ZDNet Australia, and presenting at AusCERT 2012 earlier this week, Hoff said that security experts tend to only set up reactive plans on how they think systems might break, without taking into account the unpredictable ways in which complex systems of today actually do fail.
"Every once in a while, we test certain things, but we test them as though you hit the first domino and every other domino hits the other one, and there's this linear sequence of events that happens," he said.
"What normally happens is chaos ensues: people don't respond the same way, technology doesn't respond the same way you expect it to, and so what ends up happening in complex distributed systems is you end up with complex distributed outcomes that aren't always predictable."
Rather than being a reactive force, focusing on threats and vulnerabilities as they become public, security teams should be trying to break their own systems, so that they can manage their risk, he said.
But security experts haven't been able to do this, because they have been treading water for years, Hoff said. It is difficult, if not impossible, to keep up with new technologies and their associated threats, which are being rolled out at an ever faster pace. The only way to free up time to experiment with systems in that way is to use automation for the routine security jobs that consume the team's time.
Such automation measures can include setting up systems so that they automatically notify each other that they are under attack, even when they are on completely separate layers.
"It's amazing to me that infrastructure can be under attack, and the apps don't know about it and vice versa. We have the capabilities ... we know how to exchange information about vulnerability and threat. It's silly that we don't."
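The cross-layer signalling Hoff describes, as an added illustration that is not code from the article or from Juniper: an application layer and an infrastructure layer each detect one kind of attack on their own, publish a signal on a shared bus, and act on signals raised by the other layer. The class names, thresholds, signal kinds and the 203.0.113.x / 198.51.100.x sample addresses are all constructed for this example.

```python
"""Cross-layer threat signalling: app and infra layers tell each other when they are under attack.

Added example; the bus, layers, thresholds and sample addresses are assumptions for illustration.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreatSignal:
    layer: str        # layer that observed the attack: "app" or "infra"
    source: str       # offending source address (constructed sample value)
    kind: str         # e.g. "credential_stuffing", "port_scan"
    confidence: float # 0.0 .. 1.0, how sure the observing layer is


class SignalBus:
    """Fans a signal out to every subscribed layer except the one that raised it."""

    def __init__(self):
        self._subs = defaultdict(list)

    def subscribe(self, layer, handler):
        self._subs[layer].append(handler)

    def publish(self, signal):
        for layer, handlers in self._subs.items():
            if layer != signal.layer:
                for handler in handlers:
                    handler(signal)


class AppLayer:
    """Sees login outcomes; raises a signal after repeated failures from one source."""

    def __init__(self, bus, threshold=5):
        self.bus = bus
        self.threshold = threshold
        self.failed = Counter()
        self.scrutinised = set()  # sources whose logins now require extra checks
        bus.subscribe("app", self.on_signal)

    def observe_login(self, source, ok):
        if ok:
            return
        self.failed[source] += 1
        if self.failed[source] == self.threshold:
            self.bus.publish(ThreatSignal("app", source, "credential_stuffing", 0.8))

    def on_signal(self, sig):
        # Infra saw a scanner: tighten login handling for that source even before it tries.
        if sig.kind == "port_scan" and sig.confidence >= 0.5:
            self.scrutinised.add(sig.source)


class InfraLayer:
    """Sees packets; raises a signal when one source touches many distinct ports."""

    def __init__(self, bus, threshold=10):
        self.bus = bus
        self.threshold = threshold
        self.ports_seen = defaultdict(set)
        self.blocked = set()  # sources dropped at the network edge
        bus.subscribe("infra", self.on_signal)

    def observe_packet(self, source, dst_port):
        self.ports_seen[source].add(dst_port)
        if len(self.ports_seen[source]) == self.threshold:
            self.bus.publish(ThreatSignal("infra", source, "port_scan", 0.7))

    def on_signal(self, sig):
        # App saw credential stuffing: block the source at the infrastructure layer.
        if sig.kind == "credential_stuffing" and sig.confidence >= 0.5:
            self.blocked.add(sig.source)


def run_demo():
    """Feed constructed sample events through both layers and return them for inspection."""
    bus = SignalBus()
    app = AppLayer(bus)
    infra = InfraLayer(bus)
    # Constructed: five failed logins from one source, seen only by the app layer.
    for _ in range(5):
        app.observe_login("203.0.113.7", ok=False)
    # Constructed: one source probing ten distinct ports, seen only by the infra layer.
    for port in range(20, 30):
        infra.observe_packet("198.51.100.9", port)
    return app, infra


if __name__ == "__main__":
    app, infra = run_demo()
    print("blocked at infra:", sorted(infra.blocked))
    print("scrutinised at app:", sorted(app.scrutinised))
```

The point is that each layer acts on evidence it could never have gathered itself: the infrastructure layer never saw a login, yet it blocks the credential-stuffing source, and the application layer never saw a packet, yet it steps up checks on the scanner. In a real deployment the bus would be a message queue or SIEM integration rather than an in-process object, and the confidence threshold is where a team decides how much it trusts another layer's verdict.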
Although automation seems like a logical step, it isn't simple to execute. Hoff said that many chief information security officers (CISOs) and CIOs are struggling with the "technical debt" that they have inherited, and are weighed down by the need to maintain what are now considered legacy platforms. Newer platforms running over the cloud are more suitable for automation, he said.
"Large enterprises with tons of applications and legacy infrastructure have a more difficult chore. [Enterprise customers] kind of get mad at me, or at least upset and grumpy about the fact that I keep pointing out [new infrastructure models]. What their frustration stems from is just being saddled with all of this stuff that in many cases, if they could, they would just move off their plate."
As someone who has worked on both sides of the fence, and also in start-ups and large enterprise environments, Hoff is sympathetic to the frustrated CISO. However, he promised that the benefit of taking the time to set up automated procedures is worth the pain.
"I've been in the trenches, I've been a CISO, I know what it's like. It took me three years to, across the entire company, establish a risk-management program that folded in IT and all of the business and audit, and it's a tremendous amount of work, but it moved us forward and to the point of really making a difference," he said.
"A lot of that was stopping doing simple routine tasks and automating as much as we possibly could, and testing the heck out of the domain and [other] areas [for] impacts that a failure would produce."