How to add security to digital transformation processes
In this Help Net Security podcast, Marco Rottigni, Chief Technical Security Officer for Qualys across EMEA, talks about adding security to digital transformation processes.
Here’s a transcript of the podcast for your convenience.
Hello everybody. My name is Marco Rottigni and I’m the Chief Technical Security Officer for Qualys across EMEA. I’m here today for a podcast of Help Net Security about how to add security or to build in security in digital transformation processes.
We all know that organizations are going through a digital transformation. In my humble opinion, this process started many years ago. Actually, Nick Negroponte from MIT, described this process in his book Being Digital, as the process from atom to bits being irrevocable and irreversible. I just believe that this is the moment in time when this hit the business side of things. So, why is digital transformation happening now? That’s the answer, kind of.
I believe that digital transformation has some distinctive traits, for example the cloud options: private or public. It has a high degree of user mobility, which became enterprise mobility, because now the assets are corporately owned. The on-prem data center remains valid and tangible because it got enriched, maybe with more IIoT or IoT compared to the past, to make a hybrid landscape where on-prem, cloud and extreme mobility are blending together. And of course, this is posing some challenges for security.
The number one that I see is that people don’t know any more what they have. And of course, you cannot protect, assess or remediate what you are not able to see, or do not understand that you have. Visibility remains one of the biggest and toughest challenges: number one for IT, number two from a security perspective. But more importantly, how to expose this situation in a tangible and consumable form to the C-level and executives, who are maybe concentrating more on business processes than on IT processes, or even security processes.
This clash represents in itself a challenge for CISOs, who need to become more business-oriented and more in touch with the so-called dream team of digital transformation made up of the other C-levels.
If we think about cloud adoption projects, it’s more than just reduced visibility; I would say it is very much a fog environment. Not to mention, for example, containers, which add even more dynamism, agility and velocity to this environment, threatening from a security perspective, because from an IT and business perspective the environment and the situation are indeed very exciting and very powerful, enabling even more business processes. I believe that companies should focus on this visibility as a first and foremost capability.
I just remembered a tweet that I saw some weeks ago, where a CISO asked: how many Windows hosts do we have? And the answer came from the AV guy, who said: 7864. And then the desktop management guy came in and said: no, there are 6321. And then came the EDR team and said: look, there are 6722. Or the CMDB team, who were supposed to be the single source of truth in the company, said: look, it’s slightly under 5000. That is, to say the least, a messy situation, and it depicts perfectly the lack of visibility that should be implemented across the digital landscape.
The second capability that organizations should strive to develop, or strengthen in case it’s not already there, is accuracy. When you have complete visibility of your environment, now you know that you have a problem, and you know that your problem is geographically dispersed and cybernetically dispersed. Accuracy means getting a few relevant, high-quality pieces of information to act upon. If you don’t have this capability together with visibility you’re just overwhelmed, which is the situation that leads organizations to say “hey, there is a huge skill shortage” or “hey, our security operations teams are constantly firefighting because they are under water from the number of events. We have a tsunamic number of security events to analyze and interpret.”
There has been a recent study, I believe it is from IDC, last year, that says every security incident, or every security event, deserves an average of two hours from one or two people to be investigated and qualified. Without going into the thousands of events, but even sticking with the tens of events per day which are relevant from a security perspective, if you do the math it’s easy to calculate and to understand why security operations centers are under water or firefighting constantly. Accuracy, measurable and tangible accuracy in high-quality information and context, is crucial.
Because digital transformation is business and power, and because it allows a digital environment to expand and contract frantically and in a very short amount of time, scale is also important. Whatever solution you use to implement security as a built-in part of the process, these solutions should cope perfectly with this velocity and agility. Think of the scale by which, for example, a containerized application playground expands for two or three weeks, your digital landscape adding 200 servers or 200 containers to prototype a new business application. It is crucially important to scale up, because even in that moment you need to understand what your risk exposure is, what your attack surface increase is, how it is increasing, how critical it is from a compliance perspective, and how easy or hard it is to quickly remediate this exposed attack surface or vulnerable surface.
Now you view what you have, now you see what you have, you need to be able to interrogate it and get responses in a timely fashion. Responses in a timely fashion means mainly supporting processes. It’s not per se a functional task of a point product or a point application. It’s more about delivering answers to every business and IT process that deserves this answer. It can be incident investigation, it can be post-breach dot-connecting activity, to understand where the attacker came from or what data leak you have suffered. It could be procurement-oriented processes, to understand maintenance renewals and into which environment of the digital transformation they should fit.
It could be compliance questions like “are we still complying with the NIST framework, or with the CIS Top 20 Security Controls, or with GDPR, not only in our on-prem datacenter but also in the AWS cloud accounts that we are consuming, or in the new Azure infrastructure that we are building, or in the containerized playground that I mentioned a few minutes ago?” Keeping compliance in digital transformation, or assuring compliance in digital transformation, is a challenge of its own that requires immediacy in answers.
And last but not least, because everybody is definitely looking into that, is what we call transparent orchestration. Transparent orchestration is all about connecting the platforms and technologies that companies have invested in, to create information flows. Instead of crunching data on a single appliance or in a single user interface to get that single answer about a point problem, let’s create information flows: let’s go from threat to patch, let’s go from the adoption of a new business line, which converts into a new set of servers or platforms to be deployed, to understanding instantly how they comply with GDPR, or whether they are pertinent to any framework or mandate the company is about to be subject to.
There are many business nuances in this. Think about mergers and acquisitions, or the acquisition of one company by another. How often issues arise from clashing IT silos, or clashing security silos, or privileging this or that business need. All these capabilities, implemented fundamentally at a business, IT and security level, greatly support these needs. Let’s take just one process, for example, which is very dear to Qualys because of its whole history: the process of understanding the vulnerable surface.
Discover forgotten devices and organize your host assets
So many customers are still considering vulnerability assessment (VA) as a tactical process, like “I need a tool, maybe the cheapest on the market, to just scan every now and then and understand how vulnerable I am.” Scanning and understanding how vulnerable I am requires two different levels of maturity. First, it should no longer be a tactical process. It must be at least operational, if not strategic. And there is a subtle difference between the two. Operational means that I am able not only to assess, but I am able to prioritize, and I am able to instruct about how to intervene in remediating the vulnerable surface in the shortest time possible.
Strategic is going all the way to threat and vulnerability management, combining the two needs to understand: number one, how vulnerable I am; number two, how attackable I am; number three, how compromisable I am; and number four, how I can reduce this compromise surface in the shortest time possible.
This is done using cyber threat intelligence, using expertise, using data, using context. When I deploy a new container, as exciting as the DevOps cycle may be, or as excited as the IT people may be, if I efficiently build security in, I will get an immediate understanding of whether the vulnerability is there and how easy it is to exploit that vulnerability, and of how to support other processes with this information, like security operations in case they need to understand a suspicious event. This is the context that flows in information flows, thanks to transparent information, or transparent orchestration.
I see Qualys as a company with a particular elective affinity for this purpose, for developing these capabilities, because we built the cloud when cloud wasn’t sexy or wasn’t cool. We started building the cloud platform back in the last century, and we always decoupled the moment in time and space where data is collected from the moment in time and space where data is processed, offering SaaS or, as our CEO likes to call it, on-demand computing, which delivers the key message: process that data uniquely and centrally, even though all this data is collected across all the nuances of the digital landscape with specialized eyes.
So, the brain is our secret, what we call the Qualys Cloud Platform, which can be public or private, but essentially is a place where data is received with a high-performance streaming reception system, processed, sliced, diced, re-aggregated, and then processed again by a number of functional applications that the customer can choose, to get the data in the most consumable format for IT, security, operations and compliance teams. That’s why, in a nutshell, Qualys helps digital transformation by harmonizing the needs of IT, security and compliance.
We would be delighted to see you on our web site to understand in better detail how our combination of 20 security applications can help you achieve this harmonization, and you may want to follow our Twitter and LinkedIn accounts too, to foster and continue this conversation.
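The host-count anecdote above (AV says 7864, desktop management 6321, EDR 6722, the CMDB slightly under 5000) is what an unreconciled inventory looks like in practice. The script below is an added example, not code from the podcast, from Help Net Security or from Qualys: it reconciles exports from several tools into one view so you can see why the raw counts disagree and which hosts are missing from the supposed source of truth. The four inventory lists, the host names, the `corp.example.com` domain suffix and the normalisation rules are all constructed assumptions that a practitioner would replace with their own exports and naming conventions.

```python
"""Reconcile host inventories from several security and IT tools into one view.

Added example (not from the podcast or from Qualys). All inventories below are
constructed sample data; the domain suffix and normalisation rules are
assumptions to be tuned for a real environment.
"""
from collections import defaultdict

# Constructed sample exports. Each tool reports the same machines in its own
# spelling: mixed case, with or without the internal DNS suffix, sometimes the
# same host listed twice under two spellings.
AV_EXPORT = ["WS-001.corp.example.com", "ws-002.corp.example.com", "ws-002",
             "SRV-DB01", "srv-web01.corp.example.com"]
DESKTOP_MGMT_EXPORT = ["WS-001", "WS-002", "WS-003", "srv-web01"]
EDR_EXPORT = ["ws-001", "ws-003.corp.example.com", "SRV-DB01.corp.example.com",
              "LAB-VM7"]
CMDB_EXPORT = ["WS-001", "WS-002", "SRV-WEB01"]  # the supposed source of truth

SOURCES = {
    "av": AV_EXPORT,
    "desktop_mgmt": DESKTOP_MGMT_EXPORT,
    "edr": EDR_EXPORT,
    "cmdb": CMDB_EXPORT,
}

# Assumption: internal DNS suffixes that tools may or may not append.
DOMAIN_SUFFIXES = (".corp.example.com",)


def normalise(hostname: str) -> str:
    """Map the differing spellings of one host to a single key.

    Lower-cases, trims whitespace and strips known internal suffixes so that
    'WS-001.corp.example.com' and 'ws-001' end up as the same key.
    """
    key = hostname.strip().lower()
    for suffix in DOMAIN_SUFFIXES:
        if key.endswith(suffix):
            key = key[: -len(suffix)]
    return key


def raw_counts(sources: dict) -> dict:
    """Per-tool counts exactly as each tool would report them (no dedup)."""
    return {name: len(hosts) for name, hosts in sources.items()}


def reconcile(sources: dict) -> dict:
    """Return {normalised_host: set of source names that know about it}."""
    seen = defaultdict(set)
    for name, hosts in sources.items():
        for host in hosts:
            seen[normalise(host)].add(name)
    return dict(seen)


def missing_from(seen: dict, authority: str) -> list:
    """Hosts observed by at least one tool but absent from `authority`."""
    return sorted(h for h, srcs in seen.items() if authority not in srcs)


def only_in(seen: dict, source: str) -> list:
    """Hosts that a single tool sees and nothing else does (forgotten devices)."""
    return sorted(h for h, srcs in seen.items() if srcs == {source})


def report(sources: dict, authority: str = "cmdb") -> dict:
    """Summary a CISO can act on: true total, per-tool counts, CMDB gaps."""
    seen = reconcile(sources)
    return {
        "unique_hosts": len(seen),
        "raw_counts": raw_counts(sources),
        "missing_from_" + authority: missing_from(seen, authority),
        "seen_by_one_tool_only": {
            name: only_in(seen, name) for name in sources if only_in(seen, name)
        },
    }


if __name__ == "__main__":
    for key, value in report(SOURCES).items():
        print(f"{key}: {value}")
```

The interesting outputs are the gaps, not the totals: hosts known to AV or EDR but absent from the CMDB are the devices nobody has registered, and hosts seen by exactly one tool are the candidates that the other agents were never deployed to. In a real environment the normalisation step is where most of the work is (multiple domains, NetBIOS versus FQDN, cloud instance IDs instead of names), so the suffix list and `normalise()` are the parts to extend first.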