CounterFlow AI’s “Lessons Learned: Network Security” Series – Bill Cantrell

As we continue our “Lessons Learned: Network Security” blog series, we explore the biggest issues, factors and milestones from the past two decades. These milestones changed the way we look at network security and how we need to approach it in 2020 and beyond. This week’s insights come from our Chief Product Officer, Bill Cantrell. As VP of Product Management at FireEye, Bill collaborated with teams across the company to introduce next-generation network security solutions to the cybersecurity marketplace. At CounterFlow, Bill is charged with accelerating the company’s next phase of growth and scaling its portfolio capabilities.

Q: Over the past two decades, what was the biggest mistake you saw organizations make when it came to network security?

A: In the early 2000s, there was no focus on user-education, patching or ensuring practices met business requirements. Organizations relied too heavily on perimeter defense. They trusted that the “latest tech” or “next-gen firewall” would detect everything – we now know better.  In addition to that there was a lack of focus on forensics technology and capabilities. Few organizations were ready to deal with a major breach and investigate the incidents to remediate quickly. 

Q: What was the biggest turning point for network security in these last two decades?

A: The biggest turning point has been the shift from centralized enterprise infrastructure to more disaggregated infrastructure and BYOD. It’s created significant network visibility challenges for IT and security teams who now operate on a distributed access model. Mobile devices and cloud computing have changed the network landscape and encrypted data is now the norm not the exception. This is not going away. In fact, Gartner estimates that at the end of this year, 80 percent of enterprises’ web traffic will be encrypted. 

Q: What was the biggest lesson learned by organizations that should inform the way they approach network security in the 2020s? 

A: A good lesson learned is that signature-based approaches generated a lot of noise, missed a lot of stuff they couldn’t see (like encrypted traffic), and were easy to evade. This created a lot of false positives; as network data increased and security professionals struggled to identify malicious activities and anomalies in network traffic early on. Security teams are now leveraging newer technologies to only view relevant alerts and anomalies, which is helping to identify threats sooner. Security teams also learned over the past two decades that perimeter defense and building a “castle wall” around assets is no longer feasible in this cloud-everything era. 

Q: How have security analytics evolved and improved over the last two decades? 

A: Security analytics have evolved significantly over the last two decades. Specifically, the ways analysts can model data, access higher performing databases and use tools to visualize and understand interactions between data is incredible. There is now the ability to do complex aggregations and to pivot around multiple aggregations quickly, such as top/bottom IPs by total bandwidth, destination address, protocol and user agent. This was far more difficult to do on older databases and SIEMs. 

The focus going forward is more on being able to apply streaming analytics and machine learning (ML) – we didn’t have the resources to do it twenty years ago. Now there is more computing power to do advanced statistical analysis and behavioral analytics. With the proliferation of data encryption, endpoints and IoT devices this ability will become critical in providing visibility into the activity on today’s hybrid encrypted network environments.

Q: What are some of the old network security risks from the early 2000s that are now obsolete? What are the new risks?

A: In my opinion, you can’t totally toss an “old” risk out; hacker groups will keep exploits from 10 years ago around. While several security tools are obsolete due to their visibility limitations, there’s almost no security risk that is obsolete. There are still older operating systems, phishing emails, password misuse, network holes and poor practices for which we always need to account. Today, there is a larger attack surface that security professionals need to be mindful of – things are mobile and systems are more exposed than they used to be. Devices can go in and out of corporate networks, CISOs are being asked to secure cloud environments and investigate a whole new realm of cloud-based solutions and vulnerabilities. On top of that most all traffic from these systems is now being encrypted rendering older security and visibility tools obsolete.

Q: What is fundamentally different for the individual entering the network security workforce in 2020 compared to 2000? 

A: For an individual entering the network security workforce in 2020, an understanding of cloud-based computing environments is imperative. Networks are not silos with well-defined perimeters any longer, and our security professionals need to understand how solutions like CASB fit in the overall security picture. Additionally, relying on traditional Deep Packet Inspection (DPI) tools like IDS/IPS, Sandboxes, and DLP, is no longer a viable practice as newer encryption standards like TLS 1.3 are rendering them useless.  As the network landscape evolves, security teams need to continuously evaluate risks and their practices. 

From the last twenty years, we’ve learned that there’s not going to be one tool that is going to cover/detect everything. Effective security requires utilizing a combination of solid preventative tools, embracing good security hygiene and enabling more visibility. Forensics and visualization have historically taken a backseat, but we’ve learned that it’s essential to have a good understanding of who your users are, what they’re doing and what’s going on in the network.  A new generation of visibility tools that will work with today’s encrypted traffic and hybrid cloud networks is needed.

For more “Lessons Learned” insights, check out Dr. Andrew Fast’s blog post