Rapid Change is the New Normal

Change is the New Normal, and it is Coming at a Speed That Few Have Been Ready For

Over the past several weeks, threat researchers have been documenting a dramatic shift in the behavior of cybercriminals. March, for example, saw a 131% increase in viruses over the previous year, many of them attributed to the rise in phishing attacks – an average of about 600 new attacks per day – targeting remote workers. At the same time, traditional attacks have fallen off, with indicators like IPS triggers and botnets dropping by over 30%.

Of course, this shift mirrors the dramatic change in how organizations do business. With millions of companies and workers suddenly transitioning to a remote worker model, cybercriminals are eager to scan this new attack surface, looking for weaknesses and security gaps to exploit. And given the rapid pace at which these changes took place, their chances of success are very high.

Lessons Learned

As a result, there are a couple of takeaways that every organization should consider, starting with making sure that a comprehensive BCDR (business continuity/disaster recovery) plan is in place. Even organizations that had plans may have been caught off-guard because they never imagined having to move their entire workforce to teleworker status so rapidly.

Nearly every organization already had some percentage of its workforce – mostly road warriors – working remotely, so the next biggest issue has been scalability. VPN aggregation tools at the network perimeter were swamped. And helpdesks were unprepared for the volume of calls coming in from workers trying to use their personal laptops, desktops, and tablets to connect to the network. Novice remote workers not only needed additional hand-holding from IT; they have also been hotly targeted by cybercriminals looking for a weak link back into the network.

Even so, the most challenging connectivity issues pale in comparison to the security issues that have arisen. Security is traditionally the function most resistant to change. All of this new remote traffic needs to be encrypted, so every device needs a VPN client installed. But that's the easy part. That encrypted traffic also needs to be inspected, and most commercial firewalls are not up to the task. Inspecting encrypted traffic is the Achilles' heel of most firewalls, which means perimeter security has become a severe bottleneck for users needing access to critical resources stored on-premises.

Likewise, log files from all of these new remote connections need to be monitored and reviewed – and that process is overwhelming IT team members already overloaded with ensuring essential business continuity. And this doesn't even cover the issues associated with securing all of the personal endpoint devices joining the network, or the unsecured home networks they are connecting from.

The Need for Security-Driven Networking

This dramatic shift, both in this new network model and the latest attack strategies and tactics being used by the cybercriminal community, is a clear sign that organizations need to seriously rethink and reengineer their security model. The most significant change is to stop thinking about security as a framework that operates outside the network. The changes organizations are facing right now are only the tip of the iceberg in terms of network disruption. Edge computing, rich media streaming, and the launch of 5G will further compound the security challenges organizations are currently facing.

Instead, security needs to be reimagined not as sitting on top of the network, but as being fully integrated into it, and in many places, such as SD-WAN, security and networking need to actually be the same thing. This security-driven networking strategy is essential if an organization wants a scalable, flexible, and secure network that can adapt and scale to network and connectivity changes in real time – without sacrificing either performance or protection.

Three Critical Elements

This all starts with three critical elements: integrated platforms, automation, and management. 

An Integrated Security Platform

Having a “security platform” in place may have been a strategic security decision several years ago, but yesterday’s standard platform doesn't meet the challenges of today's networks. To be useful, a platform needs to be more than just a collection of security devices running inside a single solution.

• All of the elements of a security platform must be fully integrated into a cohesive security solution, ideally running on a single operating system. 

• The platform needs to be built on open standards and APIs so that it can be integrated with third-party security solutions. 

• Those open standards also need to enable the platform to work seamlessly with networking devices. 

• The platform also needs to be available in a variety of form factors, work natively in virtually any cloud provider environment, and provide consistent functionality and policy enforcement across and between every environment in which it is deployed.

• In many cases, security and networking functionality need to actually be the exact same solution, especially in highly dynamic environments such as Secure SD-WAN and SD-Branch deployments and in Remote Worker environments for secure connectivity across multiple network environments.

AI and Automation

Platforms built on the principles of a security-driven network also need to include AI and automation to ensure that security can keep up with dynamic changes in the cybersecurity community. An AI system can do more than replace the mundane tasks of IT workers. It can collect and analyze massive amounts of threat intelligence, correlate the contents, identify threats, and then automatically respond without human intervention. And it can get better and better at this task over time, significantly reducing the overhead associated with securing highly dynamic network environments.

Centralized Visibility and Control

The final critical component is single-pane-of-glass management and orchestration to ensure a unified point of control for the entire integrated security platform fabric. Remote access, access points (both wired and wireless), network connectivity and traffic management, application recognition, and a full range of advanced security tools all need to be configurable, updatable, and orchestrated through a single device.

When a connection changes to maintain application reliability, the SD-WAN security functions built into the unified platform should already be included in that change. Likewise, when a remote user connects to the network, the endpoint agent should validate the security of the remote device. Access should be dynamically authorized. Connections should be assigned to the appropriate network segment, so access is restricted to only those assets necessary for the end-user or device to do their job. And the connection should be continuously monitored so anomalous behavior can be detected and countermeasures implemented.
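The flow in the paragraph above (the endpoint agent validates device posture, access is authorized dynamically, the connection is placed in a segment that exposes only what the user needs, and the session is watched for anomalies) is easier to reason about as policy logic. The following is an added example written for this page, not code from the article or from any vendor product; the posture attributes, segment names, resource lists and the egress threshold are all constructed for the illustration. It also covers the log-review point made earlier, in a minimal form: a list of constructed session events is checked for out-of-segment reaches and upload spikes.

```python
"""Posture-based dynamic segment assignment and session monitoring (illustrative).

Constructed example: the baseline, segments and thresholds below are assumptions
for the demonstration, not any product's schema.
"""
from dataclasses import dataclass

# Minimum posture a device must report before it may join a trusted segment
# (assumed baseline for the example).
POSTURE_BASELINE = {
    "disk_encrypted": True,
    "edr_running": True,
    "os_patch_age_days_max": 30,
}

# Segment -> resources reachable from it (constructed for the example).
SEGMENT_RESOURCES = {
    "quarantine": {"remediation-portal"},
    "contractor": {"ticketing"},
    "finance": {"ticketing", "erp", "payroll"},
    "engineering": {"ticketing", "git", "ci"},
}


@dataclass
class Posture:
    device_id: str
    disk_encrypted: bool
    edr_running: bool
    os_patch_age_days: int
    managed: bool  # enrolled corporate device vs. personal laptop


def posture_failures(p: Posture) -> list:
    """Return the baseline checks the device fails (empty list = compliant)."""
    failures = []
    if p.disk_encrypted != POSTURE_BASELINE["disk_encrypted"]:
        failures.append("disk_not_encrypted")
    if p.edr_running != POSTURE_BASELINE["edr_running"]:
        failures.append("edr_not_running")
    if p.os_patch_age_days > POSTURE_BASELINE["os_patch_age_days_max"]:
        failures.append("os_patches_stale")
    return failures


def assign_segment(role: str, p: Posture) -> str:
    """Dynamic authorization: the segment depends on who and what is connecting.

    Any posture failure, or an unmanaged device, lands in quarantine where only
    the remediation portal is reachable; otherwise the role's segment is used,
    with the least-privileged 'contractor' segment as the fallback.
    """
    if posture_failures(p) or not p.managed:
        return "quarantine"
    return role if role in SEGMENT_RESOURCES else "contractor"


def is_allowed(segment: str, resource: str) -> bool:
    """Least-privilege check: a resource is reachable only if its segment exposes it."""
    return resource in SEGMENT_RESOURCES.get(segment, set())


@dataclass
class SessionEvent:
    minute: int
    resource: str
    bytes_out: int


def session_anomalies(segment: str, events: list, baseline_bytes: int = 5_000_000) -> list:
    """Continuous monitoring over one session: flag denied reaches and egress spikes.

    A denied reach means the client tried a resource outside its segment; an
    egress spike is a single-minute upload above the (constructed) baseline.
    """
    alerts = []
    for e in events:
        if not is_allowed(segment, e.resource):
            alerts.append((e.minute, "denied_resource", e.resource))
        if e.bytes_out > baseline_bytes:
            alerts.append((e.minute, "egress_spike", e.bytes_out))
    return alerts


if __name__ == "__main__":
    # Constructed sample: a patched, managed finance laptop ...
    ok = Posture("lt-0042", True, True, 12, True)
    seg = assign_segment("finance", ok)
    print(seg, is_allowed(seg, "payroll"), is_allowed(seg, "git"))
    # ... and a personal device with stale patches and no disk encryption.
    byod = Posture("personal-1", False, True, 90, False)
    print(assign_segment("finance", byod), posture_failures(byod))
    # Constructed session events for the finance session above.
    events = [SessionEvent(1, "erp", 120_000), SessionEvent(2, "git", 3_000),
              SessionEvent(3, "payroll", 48_000_000)]
    for alert in session_anomalies(seg, events):
        print(alert)
```

The point of keeping posture, segment assignment and monitoring as separate functions is that each can be driven from the same central policy: the posture baseline and the segment map are the single source of truth the orchestration layer pushes out, and the monitor reads the same map to decide what counts as an out-of-segment reach.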

Recent Changes are Not an Anomaly – They are the New Normal

The rate at which recent networking changes have had to occur, and the speed at which cybercriminals have been able to respond, teach us clearly what is needed going forward to ensure ongoing proactive cyber protection. While we may all hope to never face a similar crisis in the future, the reality is that these changes are simply a precursor to what is around the corner. Change is the new normal, and it is coming at a speed that few of us have been ready for. But if we learn our lessons well from the current crisis, we may be able to harness that change and turn it into success.

John Maddison is EVP of Products and CMO at Fortinet. He has more than 20 years of experience in the telecommunications, IT Infrastructure, and security industries. Previously he held positions as general manager data center division and senior vice president core technology at Trend Micro. Before that John was senior director of product management at Lucent Technologies. He has lived and worked in Europe, Asia, and the United States. John graduated with a bachelor of telecommunications engineering degree from Plymouth University, United Kingdom.