Corporate networks are under attack from so many directions today. Cloud computing and the BYOD phenomenon are ramping up the complexity of networks, opening up vulnerabilities to a rapidly expanding array of threats. It's all enough to make security folks want to curl up in a network closet and hope it all goes away.
Sadly, the battlefield isn't going to get any simpler for information security professionals any time soon, which is why more than 200 of them filled every seat during the first of two "Network Security Smackdown" panel discussions at RSA Conference 2014 in San Francisco this week.
Quick polls of the audience indicated that large numbers of attendees are struggling to secure BYOD environments, aren't comfortable with automated assessment and response tools, and are confused about how -- or if -- software-defined networking can help.
Panelists weren't surprised by any of this, and they made it clear what's needed on all fronts: trust. Trust in emerging security technologies, devices, and networks. Even trust that security and network teams can work together in concert. Without that trust, the sheer volume of factors security teams must weigh can make the obstacles seem insurmountable.
"It's taking us a long time to get to the point where we trust," said Christofer Hoff, VP of strategy and planning for Juniper Networks' security business unit. "There's so much threat data that it's hard to tell what's a risk and what you don't have to worry about."
Many of the challenges IT security teams face can be traced to the proliferation of devices connecting to today's networks. Not only have they significantly increased the number of endpoints companies must monitor, they've also ramped up the amount of data traffic moving through their networks.
"It's especially messy because of the lack of control of these devices," said Bret Hartman, VP and security CTO at Cisco. "It's complete chaos."
Hartman pointed out that as soon as he gave his high school-age son an Android phone, the youngster had rooted it (the Android equivalent of jailbreaking), which subsequently caused it to crash all the time. The implication was that many enterprise users can be expected to take actions that could compromise security.
That said, all of the panelists were in agreement that locking down devices is the wrong approach, in large part because users resist such measures, and doing so will ultimately undermine the business value of the devices in question. Instead, they suggested focusing security efforts on the data moving back and forth, and the decisions users make with that data.
"No one wants to manage the device," Hoff said. "I care about the user, the app, and the information."
Hartman said it would be much more effective to have visibility into the bits coming in and out of devices, especially when those devices are interacting with critical enterprise systems.
"You need to be a gatekeeper when devices are accessing sensitive resources," he said.
Along those lines, he said Google, Apple and Microsoft have a long way to go to make their devices more manageable from a security perspective, and that there are simply too many moving targets today to monitor and secure them all effectively.
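The "gatekeeper" idea the panelists sketch above (decide on the user, the app, the data's classification and the device's reported posture at the moment a sensitive resource is touched, rather than trying to manage the device itself) can be made concrete as a small policy evaluator. The following is an added example, not code from the panel, the article, or any vendor mentioned in it. The resource catalog, the approved-app list, the 15-minute MFA window and the sample requests are all constructed assumptions for illustration.

```python
"""Minimal context-aware access gatekeeper (added illustration, not vendor code).

The device is treated as untrusted input: a rooted phone, a self-reported
(unattested) posture claim, or an unapproved app is enough to refuse
confidential data, while public data is served regardless of device state.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, FrozenSet, Optional


class Sensitivity(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: Sensitivity          # classification lives with the data, not the device
    owning_groups: FrozenSet[str]     # empty set: no group requirement


@dataclass(frozen=True)
class Device:
    device_id: str
    rooted: bool                      # rooted/jailbroken, as reported by the posture source
    attested: bool                    # posture backed by hardware attestation, not self-report
    on_corporate_network: bool


@dataclass(frozen=True)
class Request:
    user: str
    groups: FrozenSet[str]
    app: str
    device: Device
    resource: str
    mfa_age_seconds: Optional[int]    # None: no strong authentication in this session


@dataclass(frozen=True)
class Decision:
    effect: str                       # "allow", "deny" or "step_up"
    reason: str


# Assumed policy data; in practice this comes from the IdP, MDM and data-classification tooling.
CATALOG: Dict[str, Resource] = {r.name: r for r in [
    Resource("public-site", Sensitivity.PUBLIC, frozenset()),
    Resource("wiki", Sensitivity.INTERNAL, frozenset({"staff"})),
    Resource("erp-ledger", Sensitivity.CONFIDENTIAL, frozenset({"finance"})),
    Resource("hr-payroll", Sensitivity.RESTRICTED, frozenset({"hr"})),
]}
APPROVED_APPS = frozenset({"mail-client", "erp-mobile"})   # apps trusted with confidential data
MFA_MAX_AGE_OFFSITE = 900                                   # assumed: 15 minutes off-network


def evaluate(req: Request) -> Decision:
    """Rules run in order; the first deny or step-up wins. Unknown resources fail closed."""
    res = CATALOG.get(req.resource)
    if res is None:
        return Decision("deny", f"unknown resource {req.resource!r}: fail closed")
    if res.sensitivity == Sensitivity.PUBLIC:
        return Decision("allow", "public data: device state is irrelevant")
    if res.owning_groups and not (req.groups & res.owning_groups):
        return Decision("deny", f"{req.user} is not in an owning group for {res.name}")
    if res.sensitivity >= Sensitivity.CONFIDENTIAL:
        if req.device.rooted:
            return Decision("deny", "rooted device may not handle confidential data")
        if req.app not in APPROVED_APPS:
            return Decision("deny", f"app {req.app!r} is not approved for confidential data")
    if res.sensitivity == Sensitivity.RESTRICTED and not req.device.attested:
        return Decision("deny", "restricted data requires attested device posture")
    if res.sensitivity >= Sensitivity.CONFIDENTIAL and not req.device.on_corporate_network:
        if req.mfa_age_seconds is None or req.mfa_age_seconds > MFA_MAX_AGE_OFFSITE:
            return Decision("step_up", "off-network access to confidential data needs fresh MFA")
    return Decision("allow", "all gate checks passed")


# Constructed sample devices and requests (not real users or systems).
CORP_PHONE = Device("corp-001", rooted=False, attested=True, on_corporate_network=True)
ROOTED_PHONE = Device("byod-kid", rooted=True, attested=True, on_corporate_network=True)
HOTEL_LAPTOP = Device("corp-002", rooted=False, attested=True, on_corporate_network=False)
SELF_REPORTED = Device("byod-007", rooted=False, attested=False, on_corporate_network=True)
FINANCE = frozenset({"staff", "finance"})
HR = frozenset({"staff", "hr"})

SAMPLE_REQUESTS: Dict[str, Request] = {
    "finance_corp_ledger": Request("alice", FINANCE, "erp-mobile", CORP_PHONE, "erp-ledger", 60),
    "finance_rooted_ledger": Request("alice", FINANCE, "erp-mobile", ROOTED_PHONE, "erp-ledger", 60),
    "finance_unapproved_app": Request("alice", FINANCE, "random-browser", CORP_PHONE, "erp-ledger", 60),
    "finance_offsite_stale_mfa": Request("alice", FINANCE, "erp-mobile", HOTEL_LAPTOP, "erp-ledger", 3600),
    "hr_via_ledger": Request("bob", HR, "erp-mobile", CORP_PHONE, "erp-ledger", 60),
    "hr_payroll_selfreport": Request("bob", HR, "mail-client", SELF_REPORTED, "hr-payroll", 60),
    "rooted_public": Request("carol", frozenset(), "random-browser", ROOTED_PHONE, "public-site", None),
    "unknown_resource": Request("alice", FINANCE, "erp-mobile", CORP_PHONE, "crm", 60),
}


def run_samples() -> Dict[str, str]:
    """Evaluate every constructed request and return its effect, keyed by name."""
    return {name: evaluate(req).effect for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        d = evaluate(req)
        print(f"{name:28} {d.effect:8} {d.reason}")
```

The point of the ordering is that the device only matters once the data does: the rooted phone from Hartman's anecdote is fine for the public site and refused for the ledger, the off-network laptop is not blocked but pushed to step-up authentication, and a posture claim that is merely self-reported is not trusted for the most sensitive class. Replacing the `rooted`/`attested` booleans with signals from an MDM or attestation service is the part that has to be solved per platform.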
In the meantime, security folks are left depending on relatively primitive strategies that often rankle users, especially when they leave the cocoon of the enterprise network.
Like Hartman, Martin Brown, chief security portfolio architect at BT, offered up his teenage children as an example. Brown said he's locked down his home network so he can monitor their device behaviors, but that his network-level control ceases when his kids leave.
"When they're in the house, they have no choice but to endure the measures I've taken," Brown said. "When they're out of the house, I have to resort to more brutal measures of control, such as a proxy," which enforces control on the end device rather than in the network.
Brown said he'd rather not take such approaches with BT users. Instead, he'd like to be able to rely on automated application-level decisions that would allow him to "scrub content so what comes out at the other end is drinkable."
Alas, he said, "doing that at scale is still a long way off."