Rethink risk and enterprise security in a digital world
Business transformation promises to deliver new business value but also introduces new security risks that demand equally new and innovative responses. Organizations on a business transformation journey must make a parallel trip, one that integrates security and risk management into DevOps and Continuous Delivery (CD) processes.
Security professionals need to be participating in DevOps/CD teams, bringing security aspects into the develop-to-deliver process and addressing built-in security capabilities and operational hooks to mitigate risk. Simultaneously, security operations teams gain access to more detailed logs, and deploy Machine Learning (ML) and Artificial Intelligence (AI) techniques to detect abnormal conditions. Overall, the newly integrated DevOps/CD/security processes, combined with new operational technologies, can make a material change in the enterprise’s risk posture. Ultimately, the business needs a single, converged view of technology risk across both operational and security domains.
Plan for business transformation and security together
As organizations continue their business transformations, the transformation of security and risk management must be an integral part of that journey. Rather than bolting on security at the end, organizations should plan for business transformation and security together, simultaneously.
In fact, the best way to defend against next-generation threats in the digital age is a structured, enterprise-wide risk management strategy with well-defined governance and policies. The ultimate goal is to have resilient systems that can not only withstand cyber attacks, but also carry out mission-critical business operations after an attack.
This is no easy task, as the risk environment is changing quickly. An effective strategy must now address:
- Identity. As the network’s physical perimeter fades, the ability to authenticate the identity of users and devices — and to determine their proper level of access to both systems and data — becomes essential. Exacerbating this challenge is the exponential growth of mobility, the internet of things (IoT), automated apps and robotic process automation (RPA), and the widening scope of information security to include operational technology (OT) systems. User analytics must now consider both human and machine-generated behavior.
- Continuous compliance. Data-protection and privacy policies such as the European Union’s General Data Protection Regulation (GDPR) are too often addressed with ad hoc solutions. A superior approach involves building a security and privacy infrastructure that will prepare your organization to meet the demands of evolving policies.
- Incident response. Enterprises are no longer judged simply by whether they get breached, but how they respond to that breach. The public and regulators recognize that risk is prevalent and breaches will happen. What the public and regulators will not accept is sub-optimum breach response. We need robust incident response capabilities that are consistently tested, ensuring that from the board to the legal department, all are prepared to execute professional incident response that minimizes damage.
- Information and asset governance. Data is increasingly mobile. Recent incidents have included not only hostile actors making internal breaches, but supposedly legitimate third parties circumventing protections to access and store bulk customer data. Enterprises need a security and privacy model that continually refreshes, moving with the data, and has appropriate self-destruct mechanisms when anomalies are detected.
- Federation. Third parties increasingly need access to corporate networks, creating a serious security challenge. How do you open your network to suppliers, partners and others while still protecting your systems and data?
People, process and technology
As organizations develop an enterprise risk management strategy along with their business transformation strategy, they can imagine the effort as a highway with three lanes: one for people, another for process, and a third for technology. (See Figure 1.)
Figure 1. Reducing risk with business transformation. Three paths — people, process and technology — are changing quickly.
People in an organization form its culture and are the first line of design and defense for security. For business transformation to succeed, many organizations will need to transform the culture around risk. Here are a few changes that most likely will be needed:
- DevOps/Continuous Delivery teams become security practitioners. In the near future, security will transition from being a niche skill practiced in near isolation, to being a core capability of developers. This will require a mind-set shift for both security professionals and developers, who have operated in silos for a generation. The first step is to integrate security expertise at the inception of development projects. This will allow skills to diffuse between the parties and will, over the next several years, enable security to be truly baked in rather than bolted on.
- New respect for customer data. Processing and holding customer data can no longer be seen as a business right, but rather as a privilege. Organizations must quickly learn to use customer data with appropriate care, protecting customer privacy and keeping personal data more secure.
- Start small, then go big. When building new systems, it’s best to conceive of them as modules, each with security designed in from day one. In the past, many organizations would instead build monolithic systems, then apply a security “wrapper” after the design or development. But in an environment with thousands of mobile and IoT devices, that’s no longer sufficient. The newer, more effective approach involves building loosely coupled components, wherever possible, on a stateless/shared-nothing architecture with a zero trust mentality between modules.
- Prepare for failure. With the further adoption of cloud computing, organizations no longer have total control over their computing or storage platforms. New risks are introduced, and some elements will fail. You can no longer try to design around these potential failures; instead, you must plan for them.
One powerful approach that requires a new cultural mind-set is known as resiliency engineering. This involves building systems so when one component goes down or is overwhelmed, its effect on the overall system is predictable.
A related approach, refined for distributed solutions by Netflix, is known as chaos engineering. Here, engineers run controlled experiments against a working system, routinely injecting unexpected conditions, such as shutting down components to test different assumptions, to confirm that operations continue. If they do not, the test group can see where the gaps are and then improve the recovery automation.
Chaos engineering generally delivers better results than traditional site-oriented business-continuity testing, which is run under pre-agreed conditions and so fails to mimic unexpected challenges.
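As an added example (not code from the DXC paper), the following shows one standard resiliency-engineering building block, a circuit breaker, and exercises it with a constructed fault injection in the spirit of the chaos engineering described above. The class names, the thresholds (three failures, 30-second cooldown) and the simulated outage are illustrative assumptions; the point is that a failing dependency produces a bounded, predictable effect on callers instead of an unbounded pile-up of timeouts.

```python
"""Added example, not code from the DXC paper: a minimal circuit breaker
exercised by a constructed fault injection. Thresholds, names and the
simulated outage are illustrative assumptions."""
import time
from typing import Callable, List, Tuple


class CircuitOpen(Exception):
    """Raised when a call is refused because the breaker is open."""


class CircuitBreaker:
    """closed: calls pass through and failures are counted.
    open: calls fail fast (the dependency is not called) until `cooldown` elapses.
    half_open: a single probe call is allowed; success closes, failure reopens."""

    def __init__(self, failure_threshold: int = 3, cooldown: float = 30.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.failure_threshold = failure_threshold
        self.cooldown = cooldown
        self.clock = clock          # injectable so the demo is deterministic
        self.state = "closed"
        self.failures = 0
        self.opened_at = 0.0

    def call(self, fn: Callable[[], object]) -> object:
        if self.state == "open":
            if self.clock() - self.opened_at < self.cooldown:
                raise CircuitOpen("dependency unavailable, failing fast")
            self.state = "half_open"    # cooldown elapsed: allow one probe
        try:
            result = fn()
        except Exception:
            self._on_failure()
            raise
        self.state = "closed"           # any success resets the breaker
        self.failures = 0
        return result

    def _on_failure(self) -> None:
        if self.state == "half_open":
            self._trip()                # probe failed: back to open
            return
        self.failures += 1
        if self.failures >= self.failure_threshold:
            self._trip()

    def _trip(self) -> None:
        self.state = "open"
        self.opened_at = self.clock()
        self.failures = 0


class FakeClock:
    """Manually advanced clock standing in for time.monotonic()."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def simulate(outage_calls: int, attempts: int = 10,
             interval: float = 10.0) -> Tuple[List[str], int]:
    """Constructed fault injection: the dependency raises on the first
    `outage_calls` requests that actually reach it, then recovers. Returns the
    outcome of each caller attempt and how many requests the dependency
    received, so the breaker's effect on the outage is visible."""
    clock = FakeClock()
    breaker = CircuitBreaker(failure_threshold=3, cooldown=30.0, clock=clock)
    received = {"n": 0}

    def dependency() -> str:
        received["n"] += 1
        if received["n"] <= outage_calls:
            raise ConnectionError("injected failure")
        return "ok"

    outcomes: List[str] = []
    for _ in range(attempts):
        try:
            outcomes.append(str(breaker.call(dependency)))
        except CircuitOpen:
            outcomes.append("fast_fail")
        except ConnectionError:
            outcomes.append("error")
        clock.advance(interval)     # assumed: one caller attempt every 10 s
    return outcomes, received["n"]


if __name__ == "__main__":
    result, hits = simulate(outage_calls=4)
    print(result, "dependency received", hits, "requests")
```

With a four-request outage the caller sees three real errors, then two fast failures while the breaker is open, one failed probe, two more fast failures and then recovery; the dependency is hit six times instead of ten. Changing the outage length or cooldown and re-running is exactly the kind of experiment a chaos-engineering exercise automates against a real system.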
Process is the second lane on the enterprise risk highway, relating to how an organization approaches its business processes. This might involve moving from ITIL to DevOps or other automation-friendly approaches. It could also mean integrating cloud providers that have security and privacy features built in.
That becomes especially important if the shift to cloud involves “serverless” computing. Moving workloads onto cloud virtual machines still leaves you responsible for the operating system, patching and configuration of those instances. With serverless, when you deploy a function or web service, the runtime and the infrastructure beneath it become the cloud provider’s responsibility, which makes choosing the right vendor more important. What stays with you under every model is your own code and its dependencies, the identities and permissions it runs with, and how your data is configured and protected.
Many cloud suppliers today offer highly resilient environments, but some risk will remain. The risk that is left after the chosen controls are in place, and that detection and prevention therefore do not eliminate, is known as “residual risk.” Organizations have a further way to hedge their residual risk: cyber insurance.
When all else fails, cyber insurance can act as an organization’s final safety net, addressing residual risk. Payments from a cyber insurance policy could go to IT for restoring systems, to finance for reimbursing affected customers and to public relations for repairing the organization’s reputation.
Still, cyber insurance should not be considered a panacea. Like most insurance policies, it is part of the overall resiliency that organizations need. Traditional insurers enjoy sophisticated and time-proven tools, including actuarial tables, to help them assign and manage risk profitably. Cyber insurers are still gathering insights, adjusting offerings and introducing more tools to best assign risk and manage it.
Also, while an organization can transfer some risk with cyber insurance, it still can’t transfer responsibility. Diligence and simulation remain vital.
Technology is the third lane on the risk highway. Emerging technologies can present new risks, but they can also help address risk. Many top technology companies, for example, are using technologies to automate processes in a way that’s secure. Their best practices will become the common practices of organizations in all industries.
Machine learning, a subset of artificial intelligence (AI), has become a viable tool for threat detection because it can detect anomalies. For example, if an executive most often logs in from her office in London, then that’s her norm. But if one night that same executive logs in from Tokyo, that’s an anomaly. It could be harmless, but what if a cyber criminal is impersonating the executive and attempting to gain access to the network? Either way, it’s something to detect, check out and, if warranted, take action against.
Machine learning is critical because it addresses scalability. If you have a handful of mobile users and internet of things (IoT) and operational technology (OT) devices to monitor, you could handle the work with current staff. But it is more likely you have thousands of mobile users — each with their own working patterns and locations (e.g., office workers, contractors, field workers, teleworkers) and each owning multiple devices — and even more IoT and OT devices.
Suddenly, the task of establishing a norm for each user and device, watching for anomalies and then deciding which ones require preventive action moves beyond human capabilities. Machine learning can automate this process and keep a much tighter watch on who — and what — is allowed onto the network.
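The London/Tokyo scenario above comes down to two checks: is this location new for this user, and could the user physically have moved there since the previous login? The following added example (not code from the DXC paper or any DXC product) implements both as a rule-based per-user baseline over constructed log lines. The log format, field names and the two-hour travel threshold are assumptions for the demo; a machine-learning system would learn the baseline and the thresholds from data rather than having them hard-coded, but the output it must produce is the same.

```python
"""Added example, not from the DXC paper: per-user login baseline and
anomaly scoring over constructed log lines. Log format, field names and
thresholds are assumptions for the demo, not any real product's output."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed history: one line per login attempt, space-separated key=value
BASELINE_LOGS = """\
2024-03-01T08:05:00Z user=ceo country=GB result=success
2024-03-01T18:40:00Z user=ceo country=GB result=success
2024-03-04T07:58:00Z user=ceo country=GB result=success
2024-03-01T09:10:00Z user=bob country=US result=success
2024-03-02T09:15:00Z user=bob country=US result=success
2024-03-03T21:00:00Z user=bob country=CA result=success
"""

# Constructed events to score: a London login followed by Tokyo 90 minutes later
NEW_LOGS = """\
2024-03-05T08:02:00Z user=ceo country=GB result=success
2024-03-05T09:32:00Z user=ceo country=JP result=success
2024-03-05T10:00:00Z user=bob country=CA result=success
2024-03-05T22:00:00Z user=bob country=US result=failure
"""

# Assumed threshold: a change of country in under two hours is treated as
# impossible travel. A real system would use distance between geolocations.
MIN_TRAVEL_GAP = timedelta(hours=2)


def parse(line: str) -> Dict[str, object]:
    """Turn one 'timestamp key=value ...' line into a dict with a datetime."""
    ts, *fields = line.split()
    event: Dict[str, object] = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def build_baseline(log_text: str) -> Dict[str, Set[str]]:
    """Countries each user has previously logged in from successfully."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        e = parse(line)
        if e["result"] == "success":
            seen[str(e["user"])].add(str(e["country"]))
    return dict(seen)


def score_logins(baseline: Dict[str, Set[str]],
                 log_text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (timestamp, user, reasons) for each event that deviates from
    the baseline. Events are processed in order so impossible-travel checks
    compare against the user's most recent successful login."""
    findings: List[Tuple[str, str, List[str]]] = []
    last_success: Dict[str, Tuple[datetime, str]] = {}
    for line in log_text.splitlines():
        e = parse(line)
        user, country, ts = str(e["user"]), str(e["country"]), e["ts"]
        assert isinstance(ts, datetime)
        reasons: List[str] = []
        if country not in baseline.get(user, set()):
            reasons.append("new_country")
        prev = last_success.get(user)
        if prev and prev[1] != country and ts - prev[0] < MIN_TRAVEL_GAP:
            reasons.append("impossible_travel")
        if e["result"] == "success":
            last_success[user] = (ts, country)
        if reasons:
            findings.append((ts.isoformat(), user, reasons))
    return findings


def demo() -> List[Tuple[str, str, List[str]]]:
    """Run the constructed events against the constructed baseline."""
    return score_logins(build_baseline(BASELINE_LOGS), NEW_LOGS)


if __name__ == "__main__":
    for when, who, why in demo():
        print(when, who, ", ".join(why))
```

Only the Tokyo login is flagged, for both reasons at once. Bob's Canada login is not flagged because Canada is already in his baseline, and his later US attempt, twelve hours after Canada, is neither new nor impossible. Failed attempts are scored but never update the baseline, so an attacker's failures cannot normalise a new location.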
Indeed, one of the most important areas to address with technology best practices is identity management. In a world of hybrid clouds, proliferating devices and highly mobile users, the network becomes a “zero trust” environment where the identity of every user and device must be verified before access is granted. That’s because countless IoT devices, RPA software, bots and other automated devices are already banging on network doors, with many more coming soon.
A new vision for managed risk
Few organizations have achieved a fully transformed environment for enterprise risk. Yet the contour of this new environment is already becoming clear.
As noted, machine learning will play a central new role. It can automate much of the pipeline from detecting a security threat to responding to it. Speed matters because early detection limits how far an attack can progress. By orchestrating the organization’s responses to new vulnerabilities with automation, systems can recover from breaches quickly.
Security threats are growing faster than organizations can hire specialists to thwart them, so organizations find themselves shorthanded when trying to manage the explosion of security incidents. The widened scope of cyber-physical risk that comes with IoT and OT systems compounds the problem, and most organizations will feel deluged by the resulting risk management workload. The solution? Leveraging technology and services, including the cloud and automation tools along with managed security services.
Ultimately, the business needs a single, converged view of technology risk across both operational and security domains. Whether an application is taken down as a result of a failed cooler in a server farm or a criminal action, the impact on the business is similar. The incident response process is almost identical until the point at which an adversary is detected. With security skills becoming part of the wider IT skillset, and the dearth of pure-play security specialists, enterprises must employ a wider array of multi-skilled people to address this challenge. It’s the only viable way forward.
As we factor in all of the principles discussed, we then have to think about how to bring together our IT operations centers and security operations centers. We will start to generate joint risk management frameworks that give the business a single assessment of risk and associated levers to pull in reducing this risk.
How to get started
Ready to start protecting your organization against the new security risks? The journey starts with four important steps:
- Create both business transformation and enterprise security roadmaps. These two journeys are separate yet parallel.
- Create a security team for business transformation. Security team members need to be a part of the business transformation process and be able to articulate the security risks this journey will likely entail. Consider working with a trusted security partner who has broader expertise and experience to understand the risks and accelerate delivery of results while adhering to the enterprise’s risk appetite.
- Reengineer processes to enforce proactive security. The combination of new privacy laws and new technologies will require most organizations to change the way they operate. Robust security will need to be proactively designed and built in from the start.
- Ensure that you have the right technologies. To achieve the desired transformation outcomes, you probably don’t have the right technology installed today. If that’s the case, your organization will need to bring in new tools designed to complement or replace existing technology.
In this way, organizations can implement a new approach to enterprise risk, one that ensures they have robust security from the very start. It’s also an approach that can protect against whatever new risks emerge — whether that’s today, tomorrow or beyond.
How DXC and its partners can help
Managing enterprise risk in a fast-changing environment isn’t easy. But you can do it with help from DXC Technology and our extensive network of industry-leading security partners, including CA Technologies, F5, Micro Focus, Microsoft, Palo Alto Networks, ServiceNow and Symantec.
DXC has deep experience with machine learning and cyber security. We offer services including analytics and artificial intelligence (AI), managed business intelligence, and internet of things (IoT) analytics. We also offer security advisory services, intelligent security operations, identity access and management, data protection, cloud security and other security products and services.
To help you manage risk, DXC has developed a unique, structured approach to cyber resilience. Called the DXC Cyber Reference Architecture (CRA), it contains nearly 350 discrete security capabilities to ensure that all operational functions are clearly defined.
DXC Cyber Reference Architecture
DXC’s Cyber Reference Architecture provides a structured way of ensuring that all areas of IT security are taken into consideration for resilience and for determining the appropriate balance between protect, detect and respond.
Based on our work with some of the world’s largest organizations, CRA describes the most effective ways to manage risk. It also describes ways your organization can detect and respond to cyber attacks — and recover your data and restore normal operations.
CRA can also help you comply with the European Union’s General Data Protection Regulation (GDPR) and other industry or country regulations. CRA does this by developing “security blueprints,” plans that accelerate the development of GDPR and compliance programs.
In addition, we offer a new approach to intelligent security orchestration, automation and response known as DXC Intelligent Security Operations (ISecOps) Solutions. ISecOps can help you modernize traditional delivery of security services. ISecOps will transform your existing offerings and provide innovative new solutions that address enterprise security risk. ISecOps together with DXC Bionix — our digital-generation services delivery model — combine security-incident response, threat intelligence, analytics, lean development and automation. Underpinned by our new digital generation platform for delivering and managing services, Platform DXC, ISecOps and Bionix are game-changing solutions to help organizations transform at scale.
Now is the time to act. Don’t be disrupted — be the disruptor. Let us help you innovate and transform to differentiate with speed and quality.
Learn more at dxc.technology/security
About the author
TM Ching is chief technology officer for Security at DXC Technology. TM is responsible for security strategy, focusing on the development of innovative capabilities to address the evolving threat landscape. He works closely with customers and internal teams to identify future technological evolutions and disruptions, and develop strategy roadmaps that help both customers and DXC achieve service-readiness to meet the technological changes of today and tomorrow.