Reducing the Complexity of Securing SD-WAN Environments

In today’s remote-working world, many enterprises are transitioning to software-defined networking in their wide area networks, or SD-WAN, in place of traditional MPLS-based WANs. Is it any wonder network and IT professionals are fully embracing SD-WAN? Where they once had to deal with the challenges caused by an architecture overwhelmed by an ever-increasing load of data and devices, IT departments now are able to increase bandwidth, improve connectivity, and enable multicloud applications via a single, centrally managed WAN edge platform.

MPLS-based wide area networks allowed for centralized security policy and enforcement across the organization. While SD-WAN enables lower latency and faster access to cloud and SaaS applications, it also raises significant security issues. If a corporate enterprise has 200 locations, transitioning to an SD-WAN topology now expands the footprint of locations that must be secured, audited and monitored from a handful of data centers in the MPLS world to all 200 locations in an Internet-based SD-WAN architecture. That’s a tremendous burden for IT leaders to take into consideration as they are not only deploying a new WAN architecture, but they also must make sure it is properly secured. So as SD-WAN fosters tremendous transformation, it also increases the potential for major vulnerabilities within the organization.

SD-WAN topologies enable greater network visibility and centralized management of the distributed network This in turn allows IT personnel greater insight into the applications traversing the WAN between locations as well as to the Internet. When properly secured, SD-WAN enables “internal” network segmentation on an organization’s WAN without forcing all Internet-based traffic to flow through the headquarters location. However, it is imperative that additional security tools be implemented. Networking and security technology have come a long way, but still there is significant room for advancement. No cybersecurity infrastructure is perfect, and that fact is proven daily by the number of successful cyberattacks experienced by businesses worldwide.

As organizations increasingly move to the cloud, many have turned to a cloud access security broker (CASB) or one of the cloud-based caching, proxying, and security devices to confront data security and governance challenges. Secure access service edge (SASE) frameworks have been gaining traction as these are designed to connect and secure geographically dispersed branches and other endpoints to an enterprise’s data and application resources, whether internal, cloud-based, or Internet-based. Despite – or perhaps due to – this rapidly emerging technology, it is more important than ever for IT teams to come together to determine where to do the appropriate level of security introspection and inspection.

The Convergence of Security and Networking

Where security and network procurements were once handled separately, network and security decisions increasingly are being made at the same time and more often with the same solution, according to Gartner. It predicts that as part of a desire to minimize branch sprawl, more customers will look to partner with vendors that offer a combined security and networking solution or as part of a broader ecosystem.

Likewise, this convergence is prompting convergence of networking and security teams. Frequently the question is who owns the SASE product set? The answer: it doesn’t matter.

Securing SD-WAN can be a complex and overwhelming undertaking, and one that should not be initiated without networking and security teams joining forces long before the SD-WAN is deployed. The two teams must collaborate on how to take the organization’s architecture and security posture from its current state to where it needs to go for future growth and success. Three steps to get started include:

  1. Evaluate Your Services Chain
    Analyze your edge services chain to identify what network functions need to be supported and integrated into the SD-WAN. By analyzing what components need to be physical, virtualized or combined/collapsed, your organization can determine if a single SD-WAN appliance will meet the need or whether a more complex deployment model is needed. Be sure to look at it from the lens of security, including regulatory compliance.
  2. Identify Must-Have SD-WAN Security Capabilities
    Learn the different security features of various SD-WAN vendors and line them up against your organization’s requirements. Some must-have security capabilities include policies for on-demand security, encryption, distributed denial-of-service DDOS protection, unified threat management (UTM)/firewalls, and threat intelligence.
  3. Fill Security Gaps
    Address missing security needs with managed services. These services can range from Managed SD-WAN solutions to Managed Security Services that address security from the network’s edge all the way to the cloud, and incorporate automation, Zero Trust, and best practices for security and industry-specific compliance. The key is to make sure you work with a partner who understands clearly how to secure SD-WAN solutions effectively with clear KPIs that work well with your IT organization.

The Case for Outsourcing

As SD-WAN adoption expands, there is a surge in managed service providers augmenting the enterprise IT staff. Organizations are finding that they must refocus valuable internal IT resources to carry out their core goals. The software-defined nature of SD-WAN lends itself to leveraging third-party providers that can alleviate the burden on overworked IT staff. The smartest IT leaders will turn to a provider with expertise in network, security, and cloud to gain 360-degree visibility into network and security actions as well as cloud governance

 

 

The Maturity of Vulnerability Management Matters

If you work in cybersecurity at a typical mid-market company, you probably cringe when you hear the term “vulnerability management.” Let me see if I can guess how the workflow goes for you:

  1. Someone uses a scanning tool to scan as many assets across your network as you know about.
  2. The output gets exported to a spreadsheet.
  3. The spreadsheet is sorted by “criticality.”
  4. Various department or organization heads receive line-items they are responsible for patching with little context on why.
  5. You wait a week or so, then repeat the process.

How close did I get?

The various pieces of your cybersecurity strategy are programs in themselves, which means we can measure them for maturity. The problem is that mid-market companies seldom have the time or resources, not to mention the capital, to execute a full-scale program. That approach ultimately leads to a “just-do-something” execution of cybersecurity, and things get complicated.

Some hallmarks help me determine what level of maturity an organization has attained. Here are just a few:

  1. Strategy: How an organization thinks about vulnerability management and whether it’s truly managing vulnerabilities or simply trying to play whack-a-mole is telling. Managing vulnerabilities means a lifecycle approach and understanding that once they’re discovered, vulnerabilities can have one of three fates:
    1. Remediate – simply put, apply the fix or patch.
    2. Defer – push the fix until a later point in time such as when the system is retired shortly.
    3. Accept – accept that the vulnerability will not be fixed, and alternative accommodation needs to be made.
  2. Execution Discipline: Understanding the discipline with which an organization executes the tasks of a vulnerability-management program says a lot. Are there change controls? Is the process well-documented and universally accepted across the organization? Does the program include all of the organization’s assets? These and more are important questions to consider. As an organization matures, execution will be more repeatable and predictable.
  3. Follow-through: Few things are more important than following through. It makes no sense to scan, notify, but then do nothing but wait for someone else to do something. As an organization matures it will learn to not only notify but report, and follow-through on impacting positive change.

All this said the important thing is to figure out how your organization ranks, and what your real level of maturity is. There is no universal answer to what maturity level your particular organization should be at. But knowing is a critical first step.

5 Things Your Breach Response Attorney Needs You to Know Before an Incident

It is now clear that every company is at risk of a cyber-attack and resulting data breach no matter how diligent and sophisticated they are at cybersecurity. Most recognize that such an attack requires a technical response but do not realize that there are legal and business issues that must be addressed as part of the incident response process. One of the most important factors in getting this right is to prepare for it ahead of time.

Shawn Tuma is an internationally recognized thought leader, subject matter expert in cybersecurity and data privacy, and breach response attorney who leads companies through this process every day. He will explain the five most important things he wishes his clients knew before their incident and what actionable steps you can take now to prepare your company for such an event.

Rafal Los, Lightstream’s vice president of security strategy, will moderate the discussion. Rafal is well known for his podcast, Down the Security Rabbithole, that has over 25K monthly listeners. He is a recognized thought leader, speaker and industry contributor on cybersecurity topics.

Please send your questions, comments and feedback to: cynthia.lawton@lightstream.tech

Lightstream Rescues Fortune 1000 Company from Security Disaster and Facilitates Digital Transformation

Organization is Future-Proofed with Cloud Managed Services to Promote Financial, Security, Operational and Technological Health

 Business Challenge

A Fortune 1000 company sought a digital transformation. A new chief marketing officer was hired, and the first order of business was to have a new website created. In order to save time, this rather large undertaking was outsourced to a third-party development agency instead of having the company’s internal IT department handle it. The multi-location developer expedited the design and construction of a new customer-facing website with a completely transformed customer interface.

Unfortunately, the development shop failed to communicate with the company’s internal IT team during the process of building the website. Two weeks before the site was scheduled to go live, the IT team performed an assessment and determined that live customer data had been transferred to the cloud without any security controls having been installed. The absence of security features made organizational assets and critical customer data vulnerable to attacks and theft. Frustrated and in need of skillful mitigation of this huge risk, the IT department quickly shut the site down and contacted Lightstream for help remedying the security breach.

Solution

The experts at Lightstream brought the two opposing parties together in order to discover exactly what was done. This all-in approach allowed them to devise a plan that everyone was on board with in order to make the application work within the company’s security environment.

Eight months later, the new website went live with strict security measures in place to protect customer and company data. While Lightstream was initially engaged to put out the fire of the unsecure website, the relationship grew and the provider now manages the company’s cloud environment. Their environment is optimized through Lightstream’s partnerships with Microsoft Azure and Palo Alto Networks, delivering consistent, automated protections with a variety of value-added resources. Moreover, the security, financial, technology and operational expertise offered by Lightstream’s Cloud Managed Services (CMS) solution is helping the manufacturer to improve the day-to-day administration and management of its cloud infrastructure.

Business Outcomes

The company now has a modern, customer-friendly website operating within a highly secure cloud environment. When new applications are desired, they can be implemented quickly and safely.

Previously, the company had its own data center which was fully managed by its internal IT department. Several months into the relationship with the web developer, huge inefficiencies were discovered which had caused the company’s invoice to increase by $40,000. With no security or financial controls in place, the company incurred significant budget and resource drains. Lightstream’s CMS now ensures that expensive mistakes like this will be avoided as cost variations will be detected early on.

Ongoing monitoring and monthly reports on the financial, security, operational and technological health of the environment provide full transparency to company executives. By exposing minor but frequently occurring inefficiencies, Lightstream consistently helps to keep costs down.

With its current cloud expenditures being nearly cost neutral, the company is looking to expand into Lightstream’s network services. A continuously growing depth and breadth of business-optimizing solutions ensures that Lightstream will be there to support the organization well into the future.

Customer Quote:

“In my 30 years in the technology industry, Lightstream has been one of the best partners I’ve ever worked with. Their ability to sit on the same side of the desk as us, partnering with us to develop customized solutions to our problems has been a game changer.”

– Director of IT at Fortune 1000 company

Top Security Predictions that WON’T (But Should) Happen in 2021

If you’re scoffing at the predictability of a trend-related blog post in January, we couldn’t agree more. In an effort to be slightly less predictable, we’re taking a different approach by letting you in on what the cyber security community predicts will not happen this year. Industry veteran and Vice President of Security Strategy at Lightstream, Rafal Los recently took to social media to ask, “What’s the thing that probably won’t happen in cyber security in 2021?” Some of the responses from his followers were expected, others, not so much. So, without further ado…let’s take a look at their anti-trends for the coming months.

Tied for #1: Password Elimination & Meaningful Asset Management

Let’s face it, passwords and asset management seem like they’ve been a thorn in the side of the security industry since the invention of the computer. In fact, the first computer password was developed in 1961 at the Massachusetts Institute of Technology, for use with the Compatible Time-Sharing System (CTSS). Yet 60 years later – long after CTSS has given way to the modern Windows and OSx systems in use today – the general consensus is that passwords won’t be going away anytime soon. What is driving this skepticism?

For starters, we still don’t have a better way to protect our personal and enterprise data. Thumb prints and facial recognition are promising, but they still haven’t proven themselves to be ironclad. Adding to that are the security challenges COVID-19 has forced enterprises to overcome. With many companies now operating in work-from-home (WFH) environments and the very real possibility that this will be an ongoing strategy in the post-pandemic economy, remote workers are at a huge risk for identity-related breaches. Corporate IT is struggling to maintain control of computer-related assets, including software, unauthorized devices and loss of security.

Knowing that passwords are here for the foreseeable future and that asset management has never been more challenging, 2021 presents an opportunity for IT leaders. This is a critical time to adopt new ways to improve the identification, tracking and management of employees, applications and devices that access resources.

#2: Widespread Zero Trust Adoption

It’s hard to argue that the adoption of Zero Trust principles is anything but required for cybersecurity to advance. So, despite Zero Trust being at the foundation of Lightstream’s offerings, and what analysts and professionals feel is the future of security, there appears to be a lack of confidence in it being widely adopted in the coming months. It could be that many see Zero Trust as a tool or a widget to be installed – when in fact it’s a rethinking of the way systems interact and behave. Zero Trust goes at the root of security – identity and data – oddly the two things cyber security understands the least. There is something of significance here, but we’ll save that for a future article.

Enterprises should widely embrace a model that shuns the assumption that everything behind the corporate firewall is safe, or that there is such a thing as “behind the corporate firewall” anymore. The security of every organization depends on a new way of thinking, and the Zero Trust model of “never trusting, always verifying” would be hugely beneficial in an environment where remote working is becoming the norm. Lightstream’s Managed Security Services platform incorporates automation, Zero Trust concepts, best practices and industry-specific compliance to help IT leaders manage costs effectively, reduce complexity and improve the efficiency and efficacy of data center, network and cloud security.

#3: Fully Patched Environments/Systems

“Patching. It was a problem in 1999, and the social media responses prove that it continues to be a problem in 2021. What makes this such a difficult task?” ponders Rafal Los. Patching is the process of applying ‘fixes’ to existing deployed software packages, most often from the vendor, when flaws are identified and resolved. Similar to applying a physical patch to a garden hose to prevent water from leaking out, the purpose of the cyber security patch is to cover the vulnerability, keeping attackers from exploiting the flaw. Much like how water usually finds a way to break through that patch in your garden hose, attackers are experts in finding ways to circumvent applied patches when the underlying cause is not fully remediated. Therefore, enterprises must ramp up their vulnerability management strategies in the coming year.

The process of identifying, categorizing, prioritizing, and resolving vulnerabilities in operating systems, enterprise applications (whether in the cloud or on-premises), browsers and end-user applications is no small feat. It’s an ongoing process that requires considerable time and resources, which makes it an initiative that enterprise IT might best consider outsourcing.

#4: Elimination of Phishing

It’s clear that no one expects phishing to go away, nor do we expect people to stop clicking on phishing lures – yes this includes you, security professionals. So, it’s not a huge shock that this is among the anti-trends predicted for 2021. Phishing scams are becoming more sophisticated every day, so it’s imperative that corporate IT do their best to stay one step ahead of attackers. This may involve taking a multi-faceted security approach to lessen the number of phishing attacks and reduce the impact when attacks do occur.

#5: Unification of C-Suite & Security Professionals

There are many cynics in the cyber security industry that see a lack of executive accountability (with the exception of the Chief Information Security Officer). This threatens to further deepen a dangerous rift between security professionals and the companies/boards they support. Therefore, there is a major opportunity for companies to develop strategies to ensure accountability “goes both ways,” as we like to say.

#6: Effective Use of Machine Learning

People are still broadly skeptical of Machine Learning in cyber security. This subset of artificial intelligence has been significantly hyped since its inception, yet it still hasn’t fully come to fruition. Rafal Los considers that while it sounds exciting, perhaps we might be a bit premature in the belief that systems can learn from data, identify patterns and make decisions without human intervention. Besides, we’ve all seen what happens when machines become “artificially intelligent” – and we’re pretty sure we don’t like the ending of that movie.

Other Notable Anti-Predictions

There were several other responses to Raf’s social media posts worth mentioning. While you’d be hard pressed to find someone that expects the number of breaches to go down or malware volume to decrease, they surprisingly didn’t make it into the top six predictions. Could that be due to industry optimism, or perhaps it’s just that we’re all tired of talking about these topics? On the flip side, the elimination of WindowsXP systems made the top 10, which is astonishing since it officially became unsupported way back in 2014 (seriously, what’s it going to take?).

Software-security-related items appear several times, making it obvious that there are some who still have little faith in software security. Rafal Los blames the contentious relationship between security professionals and developers. According to Raf, a typical security professional/developer exchange [still] goes something like this:

Security professional: “You’re doing it wrong.”

Developer: “You don’t know what you’re talking about. Show me.”

Security professional: “It’s not my problem. Fix it.”

Clearly, this is another area where there is major room for unification in 2021.

Contact Lightstream to find out how we can help you unify strategies to build secure, generational capabilities that can help your organization accomplish its goals for 2021 and beyond.

The Red Herrings of Cybersecurity Blog Series 3 of 4

Welcome to 2021.

I felt like I needed to write that we survived 2020 and are now well on our way to whatever things this year holds. In this series, I’m addressing the things that your vendors do or say that are “red herrings” – that is, they sound good but aren’t quite right.

In this installment, I’m going to address complexity. Having been involved in selling cybersecurity solutions since roughly 2007, I believe I know a few things about this.

I believe with all my heart the following statement to be true.

“The value of any security solution is inversely proportional to its complexity.”

Give that a think for a second.

The more pieces of a solution your vendor has to virtually duct-tape together for you, the less real security value the solution holds overall. I do not doubt in my mind this is true. The reason for that – I’ve seen it with my very own eyes. I’ve witnessed 100+ page solution specifications that were so complex I don’t think anyone truly understood what was happening. Forget about actually explaining it.

I think customers sometimes believe that because a solution they’re being presented is exceptionally complex that it is better. That has something to do with the level of knowledge of the buyer. I’ve seen opportunistic sales teams take advantage of this, and it’s unfortunate.

The truth of the matter is simplicity always wins. It is difficult to debate that rationally. The more steps there are in a process; the higher the chance that there will be a failure along that chain of events. As a buyer, you should be looking for the simplicity of the overall solution. Additionally, look for simplicity in the various technology components, processes, and outcomes.

Rejecting complexity and insisting on simplicity is critical in security. It is particularly critical when you’re dealing with managed services. Here are 3 of the most important pieces, when it comes to keeping it simple:

  1. Engagement process – the process by which a customer engages with the vendor for specific tasks, workflows, or requests; for example, requesting changes or working incidents
  2. Integrations – connecting technologies together, to maximize their effectiveness, must be simplified to keep the system from becoming brittle and incurring unexpected outages
  3. Technical solution – the various technical pieces of the solution should minimize complexity by limiting the number of specialized components, and the number of times that a workflow passes from one technical system to another

There you go, part 3 on complexity. In a nutshell – if you don’t understand the solution someone is trying to sell you because it’s uber-complex … it’s probably not right for you.

Got SD-WAN? Great! Now Let’s Talk About How to Secure It

SD-WAN is fueling the customer experience and transforming modern networking. It is also bringing the internet to all of your locations, which can introduce security vulnerabilities if not addressed properly. Lightstream’s Kurt Richter and Rafal Los combine their deep networking and security expertise into a powerful podcast on the intricacies of SD-WAN security and a 360-degree view of how to address it.

 On Apple 

 On Spotify