SAN FRANCISCO – After the warnings about the cloud and its potential threats to security, it seems counter-intuitive to say the cloud can actually help businesses shore up the security of their data.
But that was the message from Philippe Courtot, chairman and CEO of cloud security provider Qualys Inc. at the RSA conference in San Francisco on Thursday.
“2014 is a pivotal year for the industry,” he said. “It gives us an opportunity to define security to protect our assets … Consumers expect service providers to bring security into their services, and they expect secure end-to-end solutions. It’s a profound shift in responsibilities.”
To be quick enough to respond to the market and to customers’ needs, as well as to stay competitive, businesses have been forced to take on more risk than in the past, Courtot said.
He cited the high-profile data breach at Target Corp. in December 2013, which saw the names and credit card numbers of as many 110 million customers exposed. The breach cost Target about 46 per cent of its profits in the fourth quarter of 2013, a recent Forbes story reported.
“The points of entry have multiplied,” Courtot said, adding on top of that, many organizations are using outdated architecture. For example, many retailers still accept credit cards and signatures, while much of the rest of the world has moved onto the chip and PIN method.
If Target had invested in credit card chip and PIN technology, it might have only spent $100 million updating systems – but the cost of the data breach is exponentially more than that, Courtot said. Target still isn’t sure how much the breach will cost it this year, the Forbes story said.
That’s where harnessing the cloud for security comes in, Courtot said. He listed three principles for using the cloud to improve security posture – looking externally at an organization’s IT environment, as a hacker might do; looking internally to see where an organization can improve its processes; and identifying whether there’s already been a breach.
First, businesses need to get into the same mindset as a hacker looking to break through their defenses, he said. While talking about perimeters may sound a little outdated, Courtot said today’s perimeters have been extended. Essentially, anything Internet-facing is now part of an organization’s perimeters, he added.
“It’s not difficult to imagine scanners in the cloud continuing to look at, and scan, our perimeters,” he said, adding the cloud could identify threats and then create a solution with an automated incident response system.
The cloud would also be able to analyze traffic coming in and out, Courtot said. The next generation of firewalls could become endpoint and cloud-aware, with endpoints continuously beaming up data to a Cloud Echo database of sorts. Having that data on hand would make it easier for IT administrators to identify suspicious activity in real time, he said.
IT administrators could also use the cloud to monitor social networks in the same way hackers do. Right now, hackers are constantly watching their targets’ social activity on LinkedIn, Facebook, Twitter, and Google+. But many of today’s startups are offering social monitoring services to show when hackers might be trying to ensnare a target in a phishing scheme, Courtot said.
Courtot also said IT administrators could use the cloud to simplify and harden their networks.
“We need to redefine vulnerability management,” he said. “It’s not at a high enough level today.”
What needs to happen, he said, is the security industry must prioritize vulnerabilities and ensure they can identify them in real time. Security professionals could bring in cloud agents to make sure they catch any signs of vulnerabilities, malware, or other suspicious traffic.
Finally, one of the key things businesses must do is recognize if a hacker has already breached their systems. That means relying on a new frontier – indicators of compromise (IOC), Courtot said.
These can come from many different sources, whether that’s sandboxing or through forensics, but the point here is to recognize a hacker’s unique fingerprint and be able to match it against a possible compromise within an organization.
“Today, IOCs are too complex. We need to make a community effort to standardize them to build detection tools for networks,” Courtot said. “This is the year, the opportunity for all of us to redefine security. I believe we can take the upper hand.”
The RSA conference ends Friday.
