As I travel the world as the Unisys Chief Trust Officer, I get to meet a lot of executives from companies and governments around the world. To a person, they feel that they have fallen behind in security relative to the growing threats they face, and are struggling to keep up. The vast majority are still trying to keep up by adding more money to security budgets, and doing more of what didn’t work for them last year. It’s time for a change.
Most security budgets still focus on a failed concept of trying to keep malware out 100 percent of the time – while at the same time enterprises have morphed to include public clouds they don’t control, workers accessing from insecure homes and coffee shops, expanding use of mobile for a variety of core applications, and even suppliers that now need full access into your networks instead of just dropping boxes off on your loading dock.
We know now that a strategy like that can never work in today’s world. Employees will click on the wrong link, answer the wrong email, leave their laptop in a cab, make a mistake when coding or loading, or even be turned to the dark side with the promise of money or ideology. So we now KNOW that some malware will get in, regardless of how much money is spent. Enterprises require a new approach.
There are three new game-changing security strategies that can deliver on a new approach: one that understands that security must be effective without being perfect, that it must embrace modern technology like clouds, mobile, and the Internet of Things, and that it must support the new business models of integrated supply chains and customer self-service. Not only can these new approaches deliver on this promise today, but they can do it while saving time, money, and precious security resources.
Step One: Segment the heck out of your enterprise. Segmenting your network—putting barriers between separate parts of your business like Finance, HR, and Marketing—is a tried and true core security concept. What’s new is that enterprises stopped doing that, because of the cost and complexity of trying to use old external firewall and VLAN devices on all the interior segments that needed protection. Switching to modern ‘micro-segmentation’ tools like Unisys Stealth®, which are built for today’s enterprise, allows complete segmentation of your entire enterprise – clouds and mobile included – without cumbersome firewall rule sprawl, costly hardware, and armies of security maintenance folks. Micro-segmentation products like Stealth layer onto existing networks, quickly and easily separating out the most critical components, and stopping the lateral movement of malware (and pesky insiders) that is at the root of corporate catastrophe.
Step Two: Micro-virtualize web surfing. Allow your employees to surf the web and click on anything they want in their emails, but force them to do it in a micro-virtualized sandbox. Surfing in the sand looks and feels the same to your users, but in reality all the dangerous stuff they’re doing is in a remote and protected system, and the only things actually on your systems are the images of their web browsing. Unlike early versions of this technology, it’s now neither clunky nor cumbersome, and most users don’t even know the difference. Our Unisys Managed Security Services can provision this for any enterprise in a highly transparent way. Users still click on an icon and launch a browser; it’s just now done in a way that can’t ever introduce malware into your systems.
Step Three: Go to War—with yourselves. Almost every major company that underwent a successful cyber attack was also cyber compliant under a variety of audited regimes like PCI and HIPAA. Compliance is important, but it’s not the same as testing and assuring your actual security. To do that, you need to bring in a team of wargame experts with proven tools and techniques to actually test (and penetrate) your systems as a bad guy would. With Unisys Security Consulting’s Wargame team, smart enterprises find out firsthand, and often employ both a ‘red team’ that finds ways in, and a ‘green team’ that shadows the reds but works to find ways to remediate these threats in the future. Both are worth their weight in gold, as they give you a real understanding of your risk, and allow you to make the most informed decisions as to how best to proceed.
No security is perfect, so expecting perfection is a failed approach. Keeping your enterprise well segmented turns catastrophes into manageable security events; surfing in the sand dramatically reduces malware access that typically comes from web surfing or email clicking; and wargaming lets you know exactly what your real risks are and how best to address them. Each of these three should be part of an overall security plan that includes a strong perimeter, employee education, and efficient managed security services predicting and watching for problems in time to adjust.
While the threats are real, significant, and now aimed at successful enterprises everywhere, it is possible to be confident with a modern security strategy that meets the challenges of enhanced threat, revised business model, and advanced technology. Be safe…