IT security staff worry more about keeping jobs

newsmaker Mindset change key to making infrastructures more secure but unfortunately, most care about staying safe in their jobs than about the data they are supposed to protect, says Akamai's security chief.
Written by Tyler Thia, Contributor
Andy Ellis, Akamai Technologies

newsmaker A rework of current IT architectures and change in employee mindsets are crucial for companies to build a better security environment, but most IT professionals are more concerned about keeping their jobs safe.

Andy Ellis, chief security officer of Akamai Technologies, shared that the content network services provider actively reaches out to the security community to stress the need to rebuild IT work processes. And he said he is seeing positive results.

In an interview with ZDNet Asia, Ellis explained that one ideal way of beefing up security is to search for anomalies and build this capability into systems so such glitches can be plugged permanently.

While increasing signatures and chasing vulnerabilities may be good, he cautioned that such methods, if implemented alone, are not sufficient as a company's security architecture.

He also pointed to the Internet as the most significant change in the technology world since he entered the IT security industry in 1997.

Q: Last year saw DDoS (distributed denial-of-service) making several headlines. Today, hacking incidents are so common they no longer make us jump. How would you describe the change in the threat landscape in the time you've been part of it?
What we're seeing is an increase in high profile attacks across the board. Between 2005 and 2009 it was very quiet, hacks were happening but they were quickly settled. There were denial-of-service (DoS) attacks, but they sort of happened and disappeared.

Huge attacks started to ramp up from Jul. 4, 2009, with a huge number taking place in the fourth quarter of 2010. There were more attacks in that quarter than we've seen in the whole prior year, which were very coordinated dial-up service attacks on mid-tier e-retailers and commerce sites. Operation Payment by the Anonymous group made headlines afterward, followed by hacking group Lulzsec which targeted companies for the sake of compromising their security network. As part of this "Antisec" movement, they carried out "Google hacking" to compromise the companies' Web sites. Some of the attacks on Sony may have been from Lulzsec and the big Playstation hack was somebody who went in to extract value out of it... They were trying to prove a point.

So we're seeing the rise of "success begets success" hack incidents. This year we don't have any official numbers but we're certainly seeing the trend increasing. Many attacks are not profit-driven so you have to look at the motives and what the downstream impacts can be.

The attacks also highlight the rise of botnets which follow the adoption and penetration of high bandwidth services. One of the reasons is that uses aren't conditioned to good security practices. We think aggressors are looking at those countries with good broadband infrastructure and saying, for example, Singapore now has 1Gbps connection for every home, maybe that's a great place to recruit a botnet. Hence, we're seeing botnets increasingly recruited through downloads that will target an accept language.

How this works is that when URLs are being sent through phishing or a compromised Web server, bot masters can then choose to infect computers in Portugese, as they may be doing in Brazil without good security "spies". But if the target language is English, then they may avoid as there is a good presence of security researchers following the "English" computer systems.

In addition, mobile attacks will also continue to grow. When people see mobile attacks on the rise, they think criminals are compromising smartphones. What is really happening is that they are compromising laptops through a mobile broadband connection, either from a USB stick or Wi-Fi hotspot on a smartphone.

Do you think security architectures should be reworked?
Absolutely. For most people, when they think about security, it's mostly about checklists and whatever the person before us did. So as long as they have the list, they feel like they're diligent. On the downside, it is really a checklist that looks backward at what the environment and attacks were.

But this becomes a problem when you move to the cloud. You're going to take these systems and put them on a virtual machine and somebody else's data center, where some of these security controls don't even apply and cannot be implemented at the network layer.

Also, the way firewall is built with regard to the segregation of environment, you will not have that capacity in the cloud. Therefore, when building an IT architecture, people need to think about how to put security upfront to make security consistent across the entire infrastructure, and also incorporate the flexibility of going back to that tiered model when zone has its own controls and security.

That's a hard problem, I don't think it is an insoluble one but we really have to get people off this checklist mode. It is good enough to get us somewhere, but not good enough to get us all the way.

Similarly, the checking of logs should also be discouraged?
So you read the logfile, review it at least once a day, but can you really accomplish the same objective?

One of the things people aren't very good at is looking at security requirements that existed before and understanding why they have these in place. Question is why are you looking at your logs? Are you looking through your logs to look for anomaly behavior and if so, can you build that into your system today?

Because if you scale to be in the cloud, doing your multi terabits per second to direct traffic, you can't have a human reading the log files. No human will be able to sit still that long and be able to read the log files and still be creative enough to notice a weird anomaly. You have to build software to do the detection for you. Human brains won't do that and that's a big piece of what we would like to encourage our customers to do.

Think about what your security objectives are not in terms of the type of technology you use today, but why you pick that technology, what was your objective and how you can implement that in the real world.

There have been a lot of debates about beefing up signatures and chasing vulnerabilities. Is there a better alternative?
You have to do both--look for new things and fix the vulnerabilities. What I really like to do is to look for anomalies. We're trying to fix vulnerabilities and we're trying to better signatures, but what we're really doing is look at something weird. Great example of that is that we have a Web application firewall  where we run a software-as-a-service which is full of signatures, and we use that to protect people's vulnerabilities.

The problem here is we are only as good as our signatures. And while we can be very good, what about the new attacks? A new vulnerability can be hiding in the system, something which we have no idea or signature on it, so how can we stop those?

One of the features we are adding in is an "error rated counting". If a request becomes a process, and it gets an error from our customer, that's interesting. If we see a lot of errors, that's a problem so we should look at it, discover the anomaly and stop the vulnerability.

I'm a firm believer of searching for anomalies and try to provide a robust capability from within.

IT departments are often short of manpower and budget. To change "legacy" work processes takes more than just determination. How should things be improved?
As they say, you never get fired for buying IBM, and what that means is that no one ever gets fired for doing the same thing as the person before you did. So as long as they're moving with the pack, people feel they're safe. The problem is we worry too much our own jobs and not enough about the data we try to protect.

Part of what Akamai tries to do is to get people to think a little bit further and remember they have some "ethical" areas of responsibility, which is what they are hired for--to provide better security.

If all they're trying to do is not to get fired, means the IT staff are getting the wrong incentives. It's a hard problem. We need to do a lot of education within the security community on outreach, and try to help people move to the next step.

We engage with the community, both within conferences and on the periphery, and help folks get to a new model. We see more people understanding the chapter "security" is not the be-all-end-all to the problem, and we have to think of new things. I'm very encouraged by that progress. We're not there yet but we're in the right direction.

Do you think we need for greater attacks to be catalysts for change?
I don't think we've yet seen the attacks that can change people's mindsets. I think it's too soon for that--people have to internalize that data set. That said, I think the Black Hat security conference next month will definitely be sort of a catalyst for change.

For enterprises yet to migrate to the cloud, what are some of considerations they need to look at?
The first thing is to understand what you're doing in the cloud. Most people are moving to the cloud because that's the "cool" thing. Question the purpose.

Are you doing it for agility, cost savings and security? If so, you should think about what you're actually getting. Then, take the opportunity to re-architect everything within your infrastructure so you only move things that you need out into the cloud.

Also, understand how you're going to take advantage of cloud services as opposed to the cloud infrastructure. People need to focus on not just the short term on cost savings, but also how the migration can actually make the business more agile and get stronger capabilities out of the cloud.

Has the state of cloud security improved?
In the infrastructure-as-a-service market, I think people aren't moving as fast as they should. They are moving and I am encouraged by some of the signs, but we still see a lot of the predictable problems. One of those is shared facilities, where if one party gets attacked then everyone next to them suffers. Until people get burned, I don't think they are going to make significant changes.

In the capabilities space, vendors like Salesforce.com and others really understand the value of what they're providing, and the protection capabilities they're responsible for. Most of them are taking their services very seriously, or at least, those that are targeting enterprises as customers.

The consumer-type services is the sector where there's a big gap, and that's partly because consumers aren't really informed buyers. Consumers have been conditioned to click and accept any license agreement which really doesn't give any them any rights at all.

You jointed the IT security industry in 1997 and did information workfare for the United States Airforce before that. What would you say is the biggest change in the technology world in your time here?
Biggest significance is really the Internet. When we first started the idea that people would live their lives on the Internet, I think most people just didn't grasp it. Back then, it was a tool not really as a lifestyle, that's been the biggest change.

Some 15 years ago, if you told someone you are conducting staff training over Internet and uploading pictures of your kids and pets, people will look at you and think you're crazy.

The fact that Twitter has brought down some of the some of the governments last year, that's something I don't think anyone predicted. I also think that our perception of security hasn't caught up to that reality yet, in some good ways and bad ways. I don't think we yet grasped but there really isn't much privacy anymore. That's really a fiction because the level of privacy that we think exist doesn't, since everybody knows a lot of things about a lot of people.

Editorial standards