One of the perennial problems faced by IT managers across all sectors is that of security. From the days of the lone wolf hacker to today’s organized crime and even state-sponsored groups, security has become an arms race that most people don’t realize they are losing badly. Network operators, however, are now mobilizing new tools to help the cause. With us today to discuss the subject and Level 3 Communications’ newest security offering is Chris Richter, SVP Global Security Services.
TR: Today Level 3 is launching a new security product, can you tell us a bit about it and where it fits into your plans?
CR: We are announcing a major new product in our security services suite, Enterprise Security Gateway (ESG). It’s a network of next-generation firewalls we developed in virtual form on our backbone that are distributed around the globe. ESG allows organizations of any type to connect to these gateways to get to the internet. They are designed to replace physical next-generation firewall appliances at the customer premises.
TR: What problem are you trying to solve?
CR: Our customers have complained to us about the rising costs of defending against escalating threats from hackers and sophisticated forms of malware. The equipment, maintenance and staffing necessary to deploy equipment capable of handling these sorts of attacks at every single location is driving up IT budgets. Security is now on average 20% of an IT budget and in some cases it's above 50%. That's not sustainable. Given the size of our network and our global reach, we saw an opportunity to help solve the problem by deploying next-generation (NG) firewalls in virtualized fashion at points around the globe on our network.
TR: Is this a full-blown NFV implementation?
CR: We don't consider it NFV yet, but NFV is on our roadmap. The gateways will be deployed on physical hardware, but the firewalls and other features within the hardware are virtualized on our network. Our definition of NFV is to truly virtualize the entire environment and introduce service chaining capabilities, which we will roll out in later phases of our service. That will give customers who subscribe to the gateway service the ability to add other types of virtualized security controls.
TR: Does it introduce any new features beyond what a firewall on the customer premises offers?
CR: In the first iteration, it will be a parity match for the features you get from a next-generation firewall plus access to a variety of access options. One of the key features is that these gateways can be connected to from any network, you don't have to use Level 3 internet or private networking -- you can bring your own flavor of network connectivity. But because all the gateways are connected on our private MPLS backbone, our customers will be able to create V-LANS between the gateways that are closest to their locations. They can, in essence, take advantage of our high-speed private network between gateway locations to get traffic moving internally between office and branch locations, for example, and move the local area network up to our gateway infrastructure. It changes the definition of the perimeter and the LAN.
TR: Why are security costs going up so rapidly for IT departments?
CR: There is a myriad of reasons. To list a few, the attack surface is getting bigger because of IoT, more exposure of interconnected environments. SaaS applications are driving end users to go out to the internet rather than via local servers. Then, there's also a growing number of bad actors in the world. High-speed connectivity is reaching more and more parts of the world that had been blocked out before. There are smart people everywhere, and it's easier and easier to get into hacking for profit and to pull in very talented people into organized crime and nation-state hacking organizations. A lot of hackers are looking to exploit zero day vulnerabilities, and there are tons of new ones being rolled out every day. Finally, application development for legitimate purposes is happening at a rapid pace. When this happens, security is often an afterthought to revenue generation and feature improvement, leaving a number of products vulnerable. All of these factors are increasing the risk for organizations.
TR: How does all that show up in the IT budget?
CR: Cyber security as an industry has a negative unemployment rate. You just can't find people to do the work, and even when you do they are getting increasingly expensive. The equipment that you need is also getting very expensive, and maintenance is also going up as a percentage of the purchase price. We're seeing in some cases maintenance costs on an NG firewall as high as 70% of the purchase price per year. That's almost like buying the equipment all over again, and you still have to train and staff people to monitor and configure it. One of the bigger problems then is information overload. There's so much information generated by this equipment. The equipment may be doing the job finding evidence of malware, but alerts may fall on deaf or overloaded ears and get missed. We knew there had to be a better way.
TR: How does switching to virtualized infrastructure like your ESG reduce costs?
CR: There is no hardware, no capital outlay on the part of the end-user, because Level 3 has absorbed the hardware costs. There are cost savings in that the customer does not have to staff as many security operations center professionals to monitor alerts coming from the platform. We have five SOCs around the globe that are monitoring alerts on their behalf, notifying them based on pre-established, customizable thresholds. There's no annual maintenance fee, and there's no capital refresh either, it's all built into the monthly service cost. If they were to buy an NG firewall today, it's likely in 3-5 years, they're going to have to do a forklift upgrade because it's out of date. Customers are still on the hook for developing and maintaining a security posture, policy, and governing framework on their own, but Level 3 can help them navigate the process.
TR: It sounds as if reducing complexity is just as important as reducing the cost footprint?
CR: There's nothing that makes an organization more vulnerable than complexity. Complexity is a hacker's friend. We must strive for simplicity. The more a company spends on security technology, the more they have to hire, the more background noise there is, the more panes of glass there are; it can get very complicated. For example, a major bank in the US with a half million dollar cyber-security budget missed some alerts detected by security hardware infrastructure because it was drowned out by so many other alerts coming from elsewhere. Even though they were detected, they weren't elevated to the point of indicating a real threat, and it resulted in a significant breach.
Complexity also comes into play with companies doing mergers and acquisitions who have to integrate disparate firewall architectures and security profiles. In the process of doing that complex work, gaps are created that hackers can exploit. Hackers actually look for M&A activity that could indicate a company is taking its eye off of the ball.
Another common technique is to launch a DDoS attack at an organization because it knows that a company will throw its limited security resources at protecting its network infrastructure from volumetric attacks. While they are distracted, the attacker is on the side installing malware on vulnerable systems and beginning to move throughout the organization. Hackers thrive on chaos, which can be easily evoked in complex environments.
TR: How important is the human factor in keeping data secure?
CR: A successful security control is a combination of people, processes, and technology. One of the biggest problems companies face is that they rely too much on technology; they see it as a silver bullet and miss things. Humans have to stay involved with fighting attacks because humans are on the other end of the attacks. We see this with DDoS attacks we defend, and we see if the attacker is changing his/her technique, coming from different nations, geographies or networks, we see if they are using layer 7 attacks blended with layer 3/4 attacks, the list goes on. They are humans making decisions on the fly to find out what will be successful. It's very difficult for technology on its own to keep up with that kind of maneuvering.
This is where governance comes into play. The weakest link in any security infrastructure is a human. But properly trained employees can be a huge asset in identifying phishing or social engineering attacks. Humans have to be trained as part of an overall governance program.
TR: So, are we winning?
CR: No, as a society, absolutely not. We are outgunned simply because bad actors only have to be right one time, and we have to be right 24/7.
TR: Then how do we at least not lose?
CR: It needs to start at the top and be taken seriously. There are a lot of organizations out there that don't think they will ever be attacked or that their data is at risk. And those are the organizations that have probably already been breached and lost data. It amazes me every time I encounter a company with no governance framework whatsoever. There are many frameworks to choose from; you have to start somewhere. For example, small businesses often think they are too small to be of interest to a bad guy. However, the dentist with 200 clients has a database full of rich healthcare data. Everybody is a target.
TR: Thank you for talking with Telecom Ramblings!