Organisations struggle to defend themselves against today’s clever cyberattacks. Often, it’s due to a combination of an overly complex web of security infrastructure with no common management platform and a lack of skills to make managing these technologies effective. It’s an orthodoxy repeated over and over, most vociferously by a horde of companies marketing the latest technology that earnestly promises to make it all go away.
It’s a description of the problem that FireMon’s new CEO, Satin H. Mirchandani, refuses to take at face value. At best, it states the obvious, he says; at worst, it leads companies to completely misunderstand what they are up against and what they can do to secure themselves.
The first fallacy is that breached organisations can’t ‘see’ what’s happening to them when in fact they can. What they can’t discern is which alerts emerging from their expensive security infrastructure matter and which don’t. This is because there are often too many of them, a level of noise that drowns out the indicators of compromise. It’s a security model that can sometimes turn defence into a glorified form of forensics where the ‘gotcha’ happens days, weeks or months after the moment it might have been useful.
The second fallacy is simply that the above can be stopped by throwing enough money and expertise at defence.
“Assume that your network has been breached,” he responds, bluntly. “It’s a question of how quickly you can find it and how you respond.” The battle is always about shortening response times rather than pretending that attackers can be kept out indefinitely.
Time and again, when disaster visits, it’s as if companies are surprised by what is happening to them. According to Mirchandani, the problem at those moments is rarely one of technology so much as the security management, processes and mindset that ultimately divide the smart from the doomed. Cybersecurity should always be about rational knowledge and not blind hope.
Firewalling evolves
Mirchandani arrived at FireMon in mid-2016 as the latest instalment in a career that started at McKinsey before taking in senior positions at healthcare supply chain outfit MD Buyline and pcOrder.com. However, the key to understanding his background is his 2002 co-founding of MessageOne, bought in 2008 by his next employer, Dell.
MessageOne wanted to take the pain out of email by turning it into something that could be consumed as a service. Years later, FireMon wants to perform a similar taming of that other business staple, the corporate firewall, a device that has in most organisations grown into a huge estate of virtual and physical devices spreading as far as most admins can see.
The complex evolution of the firewall is something Mirchandani alludes to a lot. Another way to understand this history is to see it as being about the changing notion of what constitutes an anomaly. Twenty years ago, it was about closing network ports and protocols. A decade later it had moved on to monitoring users and applications. Nowadays, the top systems function as the core of multi-sensor platforms that attempt to “triage” multiple indicators of compromise. If these systems and sensors are akin to a web, the firewall is still like the spider sitting in the middle, waiting for movement. It is the place where defenders try to make sense of what is going on.
“Systems are generating gigantic numbers of alerts – they are suffering from alert fatigue and it’s very difficult to figure out which ones deserve attention. And so you have this false positive problem,” says Mirchandani.
“But if you were able to triage down to the half a percent that were worth looking at the problem would get a lot more solvable.”
It sounds straightforward, but what does this tiny fraction of genuine anomalies actually look like?
“We don’t know what the anomalies look like. So (our tool) stitches together multiple sets of data and goes off and figures out which ones look like anomalies.”
You could argue this is an ironic situation for a cybersecurity industry that has built its business models on the back of generating alerts almost as an end in itself. But like a fire alarm that goes off every time the temperature rises, at some point the sheer volume of alerts passes the level at which they stop being useful.
FireMon’s philosophy isn’t to pass judgement on the alert-driven SIEM model, but simply to filter this vast set of data into something more manageable. It’s an important new capability for FireMon, which became part of its platform when it acquired the startup Immediate Insight in early 2015.
Alerts themselves, of course, are simply a visible part of the larger issue of growing complexity. A recent response to this is the ‘zero trust’ network, one in which no assumptions are made about devices, users, or where they are connecting from. On a zero trust network, everything is treated as a risk, which delivers greater simplicity in terms of policy design.
“With cloud, Software Defined Networking and microservices, the complexity has gone up exponentially. The ability to automate firewall rule changes is really important but there’s a big caveat which is there has been a rush to automation. That can be dangerous.”
Mirchandani’s point seems to be that zero trust requires greater automation but that can morph into another kind of risk if it simply generates new assumptions of its own.
“Some activities will be fully automated and others will always require a human interface even if it’s someone looking at the results of a simulation.
“The risk isn’t that you do it too slowly but that you make some sort of unforced error and permit access that shouldn’t be permitted. Our focus is all around simulating and modelling what those changes would have on the environment,” he says.
“You must do the simulation before you hit the commit button.”
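The pre-commit simulation Mirchandani describes, reduced to its core, means modelling the rule set as it would look after the change and checking it against the flows the policy must always deny (and must keep allowing) before anything is pushed to a device. The example below is added here and is not FireMon’s code; the three-tier network, the rules and the required flows are constructed for illustration, and it assumes first-match evaluation with an implicit default deny, as most firewalls do.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, str, int]  # (source IP, destination IP, destination port)

@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    src: str             # source CIDR
    dst: str             # destination CIDR
    port: Optional[int]  # destination port, None = any port

def evaluate(rules: List[Rule], flow: Flow) -> str:
    """First matching rule wins; no match means the implicit default deny."""
    src, dst, port = flow
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and (r.port is None or r.port == port)):
            return r.action
    return "deny"

def simulate_change(rules: List[Rule], proposed: Rule, position: int,
                    must_deny: List[Flow], must_allow: List[Flow]) -> Dict[str, List[Flow]]:
    """Model the policy with `proposed` inserted at `position` and report the
    required-deny flows it would open up and the required-allow flows it would
    break, so the change can be rejected before the commit button is pressed."""
    candidate = rules[:position] + [proposed] + rules[position:]
    return {
        "violations": [f for f in must_deny if evaluate(candidate, f) == "allow"],
        "outages": [f for f in must_allow if evaluate(candidate, f) == "deny"],
    }

# Constructed sample policy (hypothetical, not from the article): app tier 10.0.10.0/24,
# database tier 10.0.20.0/24, 203.0.113.0/24 standing in for the internet.
CURRENT_RULES = [
    Rule("allow", "10.0.10.0/24", "10.0.20.0/24", 3306),  # app tier -> database
    Rule("deny",  "0.0.0.0/0",    "10.0.20.0/24", None),  # nothing else reaches the database
    Rule("allow", "0.0.0.0/0",    "10.0.10.0/24", 443),   # public HTTPS to the app tier
]
MUST_DENY = [("203.0.113.10", "10.0.20.5", 3306)]                                    # internet -> database
MUST_ALLOW = [("10.0.10.7", "10.0.20.5", 3306), ("203.0.113.10", "10.0.10.3", 443)]  # the flows the business needs

def check(proposed: Rule, position: int) -> Dict[str, List[Flow]]:
    return simulate_change(CURRENT_RULES, proposed, position, MUST_DENY, MUST_ALLOW)

if __name__ == "__main__":
    # A "temporary" broad allow placed at the top: the unforced error the simulation should catch.
    print(check(Rule("allow", "0.0.0.0/0", "10.0.0.0/16", None), 0))
    # A narrowly scoped rule for a new reporting subnet, placed above the catch-all deny: clean.
    print(check(Rule("allow", "10.0.30.0/24", "10.0.20.0/24", 3306), 1))
```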
This is an important moment for the company. FireMon’s heritage is as a maker of tools for large organisations to manage firewall rules and policies across different brands of underlying equipment, known in the trade as ‘heterogeneous networks.’ The success of the concept was that it could overcome the risk that networks turn into silos built from different management consoles.
This is particularly important when installing a new firewall because it means re-assessing as well as migrating old policies and rules. It’s a golden chance for some fresh thinking, using a tool to help with the process.
“Our focus – what we call Intelligent Security Management – is all about simulating and modelling ahead of time what changes would wreak on the environment.”
This will represent a culture change for security teams and their precious firewalls. Long gone are the days when an admin would define a policy and simply enact it through a series of rules. Increasingly, on a zero trust model, they will need to model complex policies, automating them where that is possible. This world will require work and a loss of innocence.
“What we have discovered through working with over 1,500 customers is that there really is no easy button.”