AT&T CYBERSECURITY INSIGHTS VOL 7

Cybersecurity for today's digital world

Executive summary

Digital transformation is happening rapidly in every industry. As companies move toward software-defined infrastructures (SDI) connected to powerful cloud ecosystems, they can tap into the near-real-time intelligence from the data gathered from every edge of their business, helping to drive faster business decisions and changing the way they serve their customers.

Rapid transformation, however, without a solid plan, can produce cybersecurity vulnerabilities. As infrastructures go virtual, security models need to shift. To avoid serious risks and security management issues, companies need to identify challenges, strategize, collaborate, pilot, test, and evangelize.

In this report, we’ve outlined an approach for edge-to-edge security for companies to consider as they build their digital transformation roadmaps. Strengthening a company’s security posture in a world of SDI requires rethinking both the human and the infrastructure elements, leaving behind the idea of network-centric security and moving toward data-centric security.

Digitization brings new risk: It’s time to prepare

Our last report, Mind the Gap: Cybersecurity's Big Disconnect, highlighted gaps in companies' cybersecurity strategies that could be raising—rather than lowering—cyber risk. In fact, more than a quarter (28%) of organizations see cyber insurance as a substitute for cyberdefense investment, rather than as one component of a multi-layered cybersecurity strategy.[1]


[Figure: Do companies have an over-reliance on insurance? Cybersecurity budgets compared with cybersecurity insurance.]

Organizations are not as worried about security vulnerabilities as they should be: 65% of companies believe they have appropriate in-house security measures in place, yet 80% had been victims of a successful cyberattack or breach in the previous year. These and other findings showed that companies need help determining how to migrate toward new technologies while protecting their legacy and future assets.

Where is the cognitive dissonance coming from?

Two-thirds of organizations say their in-house cybersecurity capabilities are adequate to protect against cyberthreats, yet 80% say they have been breached within the past year.

In early 2018, we interviewed more than a dozen experts to ask how companies can avoid costly mistakes and hidden vulnerabilities. This report offers practical advice on how to build an effective cybersecurity strategy covering key elements of digital transformation—from risk assessment and governance to rollout and maturity programs.

"The C-suite still has a significant lack of understanding of cybersecurity basics—the hygiene and the threats, the bad actors. And it's after the fact, after they've been breached, that the board actually does something about it—and that's true in even some of the largest companies."

Chuck Brooks, Adjunct Faculty, Georgetown University,
Graduate Applied Intelligence Program (Risk Management)

Create a strategy that's fit for purpose

Before shifting toward a software-defined infrastructure, it's important to understand its strengths and what it means for enterprise-wide security. Only then can businesses take control of their cybersecurity to try to get ahead of evolving risks.

“Companies must not blindly move to SDI," says Tom Aufiero, AT&T AVP, Security and Intelligent Edge Solutions. "Instead, in parallel, they should be evaluating a multi-layered security approach, including a holistic security framework that enables the correlation of threat intelligence across their legacy environments, the corresponding hybrid networks, and the next-generation SDI environment.”

Sophisticated systems need sophisticated protection

International Data Corporation (IDC) predicts that by 2020, 60% of all enterprises will have an organization-wide digital transformation strategy in place.[2] Cloud IT infrastructure revenue, meanwhile, has almost tripled in the past four years.[3]

Many businesses are also adopting software-defined networks, which means they are leaping ahead in network visibility, scalability, and automation. Software-defined networks offer significant benefits for cybersecurity.

"If you can virtualize your security functions from the simple functions, such as firewalls, to more advanced functions, like web filtering and data loss prevention, it becomes a lot easier to deploy security capabilities, because you're not tied to a set of appliances," explains Josh Goodell, AT&T VP of Edge Solutions. "And instead of dealing with an infected appliance, you can quarantine a virtual network function and quickly isolate and remediate the problem.”

Sophisticated cyberattacks demand a sophisticated defense system that can evolve. Using software-defined networks, businesses can update their security programs within an SDI with the push of a button.

"SDN can create true service chain integration: IT functions are moved to a virtual software framework with underlying automation and best-of-breed network functions that enable next-generation applications. Our strategy is about providing our clients with a global IT platform that will enable market differentiation."

Tom Aufiero, AT&T AVP, Security and Intelligent Edge Solutions

Digitization is good, until security goes bad

Advances paint a positive picture for SDI-powered companies. But beneath the surface, businesses are struggling with unoptimized networks and ineffective migration strategies. This can lead to serious gaps in cyberdefense postures.

Most concerning, businesses are not putting risk assessment and risk management first. A recent survey by Accenture found that there has been a 27.4% increase in annual data breaches,[4] despite businesses having more access than ever to cutting-edge methods of protecting networks and data. So what's causing these security failures?

Mixed mindsets

It's not uncommon for companies to rush to virtualize their architectures, only to feel out of control once their data centers and processes have moved. As Senthil Ramakrishnan, Lead Member of the Technical Staff for AT&T IoT explains, "Many companies have a very traditional IT background. Their cybersecurity solutions, policies, and controls are tailored very specifically to on-prem. The old model breaks once they start deploying IoT devices on networks outside of their four walls and applications on cloud infrastructure."

Disjointed deployment

The move to the cloud can be chaotic. There's often little or no consideration given to how legacy applications will be managed. Or there's little or no coordination between the C-suite and IT. Or, critically, there's no maturity program in place to keep the cybersecurity strategy optimized.

Short-term thinking

Too many enterprises are leaning on their cyber insurance policies to deal with the immediate financial fallout of a breach while ignoring long-term reputational damage. Their emphasis on the short term could do more damage to the business than loss of critical data.

Third-party providers promise too much

Even large corporations usually need to use specialist providers for their moves to the cloud. These providers often promote and provide 'one-stop-shop' services that include cybersecurity, but security specialists say this is unrealistic.

"There's not going to be any cloud provider that has an environment that's completely compatible with every cybersecurity risk profile," explains Todd Waskelis, AT&T AVP of Cybersecurity Solutions. "And there's not one that completely adheres to every standard or every control area that the enterprise requires or wants. It is up to the organization to determine what is required, and then perform validation of the controls to address any gaps."

Companies don’t do their due diligence

However, Kevin L. Jackson, founder of GovCloud Network, says the provider isn't the real problem; the real problem is the business itself. "Companies don't do proper due diligence with the service providers," he explains. "They haven't had the appropriate discussions about the shared security model. So when businesses start rolling into these infrastructures, problems occur almost immediately."

"A lot of the mistakes being made are based on the assumption that cybersecurity is just the role of the IT department, when increasingly it's a digital risk matter. Business leaders need to understand they play a very important role in mitigating digital risk and improving cybersecurity."

Bob Gourley, founder and CTO of Crucial Point LLC and author of the book, The Cyber Threat, 2014, 2017

The AT&T guide to edge-to-edge cybersecurity

It is common to run into cybersecurity roadblocks when deploying SDI or rolling out a hybrid cloud model. To transition without increasing exposure to cybersecurity risk, a business will need an edge-to-edge risk management strategy. A solid strategy will work to reduce risk across the company's endpoints, networks, and cloud services.

The most effective method for transition success is to split the process into two clearly defined parts. The first is the human element covering chain of command issues and responsibilities for effective risk management. The second is the planning and launch of the new infrastructure. Not having an edge-to-edge strategy in place can leave a business open to vulnerabilities.

Responsibility for risk starts at the top and involves everyone

The first stage of the risk management process is to make sure everyone in the organization is involved and knows what their roles are. Lack of engagement causes disaffection, and gaps in responsibility can cause security risks.

Make the case

Migration is a transformative process, which means it needs the full backing of the C-suite. Kayne McGladrey, Director of Information Security Services for Integral Partners LLC, says it is vital to offer "an effective presentation to the board about the benefits and challenges associated with the migration, and it has to have a narrative. You have to find stories of success and failure inside of your industry in order to present the full picture to the board.”

There must also be a focus on how the technology could optimize business capabilities through automation while helping to reduce costs and improve security. "With an SDI infrastructure especially, there is an opportunity to drive business innovation and dynamically control security capabilities," says Brian Rexroad, AT&T VP of Security Platforms. "It offers the ability to adapt to new business needs more quickly, while reducing attack surface and even blocking threats more quickly."

Create the team and allocate responsibilities

Traditionally, cybersecurity has been viewed as an IT issue. But in a digitized world, that attitude is dangerously outdated. Businesses need to instead tear down silos and prioritize collaboration, so that business operations are transformed and cybersecurity is placed front and center.

Today, it is increasingly the CFO that drives transition. This might seem counterintuitive for a technical project, but the CFO's compliance and risk management responsibilities and their budget-allocation powers make them an obvious leader. The CFO's traditional lack of technical expertise will be a weakness, however, so the knowledge gap will need to be plugged somehow.

To address the gap, bring together the CFO and a key tech figure such as the CTO, CIO or CISO. The former will learn valuable technical expertise, and the latter will receive training on business operations. But focusing on these two key players does not produce a connected business. Instead, the entire C-suite needs to work collaboratively. After all, every aspect of a digitized business has cyber threats that need to be managed.

Take the whole organization with you

Successful implementation needs every employee to feel invested in the transition to an SDI. This means establishing a training program and workshops that explain how the new infrastructure will affect day-to-day workflows and processes. Programs should be complemented by ongoing cybersecurity awareness training to drive home the importance of data protection.

"Also, introduce continuous measurement processes after any security awareness training," says Greg Hill, AT&T AVP of Emerging Security Solutions. "You have to be able to measure how well your employees grasp and retain the new security concepts, which is why we're adding scoring based on access level and role criticality to our security awareness product. It means we can score at the employee level based on our proprietary algorithm and aggregate to enterprise level to assign a security awareness score to the entire company."

Prepare, pilot, persevere: Creating your cybersecurity strategy

With responsibilities allocated and the change management program agreed upon, attention shifts to creating and rolling out the cybersecurity strategy itself.

Prepare for the transition

Risk assessment is crucial to effective security-focused preparation, which will range from asset management and application portfolio analysis to data discovery.

First, businesses must drop what Kevin L. Jackson, founder of GovCloud Network, calls the traditional 'wall and moat' mentality that allows only 'good people' into the company's network. In a digitized business where employees, third parties, and suppliers need near-real-time access to company data, and where social media, mobile workforces, and the Internet of Things (IoT) are prevalent, this approach is archaic and limiting.

Instead, the focus must shift from a solely infrastructure-centric mindset to a data-centric one.

What does this mean for data?

Previously, all data was structured and contained within relational databases built to mimic business processes. The new system sees old processes transformed, as businesses strive to become more agile and use disparate datasets such as social media and IoT to create business opportunities.

Data must be classified to determine the value of the data—and, based on that value, which security controls are necessary. This process is vital; in an era where volumes are increasing dramatically, companies can no longer use the same level of protection for all data.

Classification of data from a regulatory point of view is also critical. For example, healthcare records and financial transactions will have to be classified based on their importance to regulation in those sectors. Collecting data on how things are behaving can provide added confidence that the security controls are in place. Automated testing and audit can also help verify that security controls are working.

It is important that the collected data and audit results be reported in a manner that can be interpreted by the various stakeholders (e.g., application owners, infrastructure operators, auditors, and executive management). This is an automation opportunity in the security orchestration function.

What does this mean for asset management?

The process of moving from physical to virtual assets can leave a company feeling out of control, as employees are no longer able to physically touch the tools that drive the business. Virtual assets should be tagged in the same way as physical assets.

Says Kevin L. Jackson, founder of GovCloud Network, "When you create a virtual machine, you need to tag that virtual machine with the business unit, the application it's related to, the cloud service provider it's running under, and the person who's responsible for it. These tags become your asset management baseline across your business environment.”

Without an effective asset management program, there will be virtual machine sprawl as non-standard implementations of virtual machines proliferate, which will damage the cybersecurity strategy. The business can't conduct testing consistently, which could eventually lead to enforcement standards failing.
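A minimal tag audit along these lines, as an added example that is not part of the AT&T report or any contributor's tooling: it checks a VM inventory for the four tags Jackson names and flags missing, empty, or non-standard values that signal sprawl. The tag key names, the approved-provider list, and the inventory records are assumptions constructed for illustration.

```python
"""Audit a virtual-machine inventory against a required-tag baseline."""
from collections import Counter

# Assumed key names for the four attributes named in the text:
# business unit, application, cloud service provider, responsible person.
REQUIRED_TAGS = ("business_unit", "application", "cloud_provider", "owner")

# Assumed allow-list; a real one would come from the organization's own standards.
APPROVED_PROVIDERS = {"aws", "azure", "gcp", "on-prem"}

# Constructed sample inventory (not real data).
SAMPLE_INVENTORY = [
    {"id": "vm-001", "tags": {"business_unit": "finance", "application": "ledger",
                              "cloud_provider": "aws", "owner": "a.lee@example.com"}},
    {"id": "vm-002", "tags": {"business_unit": "Finance ", "application": "ledger",
                              "cloud_provider": "AWS", "owner": "a.lee@example.com"}},
    {"id": "vm-003", "tags": {"application": "test-box",
                              "cloud_provider": "digitalocean"}},
    {"id": "vm-004", "tags": {"business_unit": "hr", "application": "payroll",
                              "cloud_provider": "azure", "owner": ""}},
    {"id": "vm-005", "tags": {}},
]


def normalize(value):
    """Canonical form of a tag value: trimmed, lower-case; non-strings become ''."""
    return value.strip().lower() if isinstance(value, str) else ""


def audit_vm(vm):
    """Return the list of findings for one VM record; empty means compliant."""
    findings = []
    tags = vm.get("tags", {})
    for key in REQUIRED_TAGS:
        raw = tags.get(key)
        if raw is None:
            findings.append(f"missing:{key}")
        elif not normalize(raw):
            findings.append(f"empty:{key}")
        elif raw != normalize(raw):
            # Same meaning, different spelling: breaks grouping and reporting.
            findings.append(f"nonstandard:{key}")
    provider = normalize(tags.get("cloud_provider"))
    if provider and provider not in APPROVED_PROVIDERS:
        findings.append("unapproved_provider")
    return findings


def audit_inventory(inventory):
    """Map VM id -> findings, listing only VMs that fail the baseline."""
    report = {}
    for vm in inventory:
        findings = audit_vm(vm)
        if findings:
            report[vm["id"]] = findings
    return report


def unowned(inventory):
    """VM ids with no accountable person: the first place to look for sprawl."""
    return [vm["id"] for vm in inventory
            if not normalize(vm.get("tags", {}).get("owner"))]


def compliance_rate(inventory):
    """Fraction of VMs that meet the full tag baseline."""
    if not inventory:
        return 1.0
    failing = len(audit_inventory(inventory))
    return (len(inventory) - failing) / len(inventory)


def findings_summary(inventory):
    """Count each finding type across the inventory for stakeholder reporting."""
    counts = Counter()
    for findings in audit_inventory(inventory).values():
        counts.update(findings)
    return dict(counts)


if __name__ == "__main__":
    for vm_id, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{vm_id}: {', '.join(findings)}")
    print("unowned:", unowned(SAMPLE_INVENTORY))
    print(f"compliant: {compliance_rate(SAMPLE_INVENTORY):.0%}")
```
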

"One of the things that I see often going wrong is when people take their traditional thinking and just port it into the cloud," says Pluralsight author and Microsoft Regional Director and MVP - Developer Security, Troy Hunt. "This is not the old days of saying we need to move everything and put it all together in one place. We can distribute in a much more componentized fashion."

What does this mean for application portfolio analysis?

To help protect a business throughout the SDI transition, departments should shift their applications into the new infrastructure one by one. Before transitioning, a business should analyze its entire application portfolio to find out which dependencies, relationships, and linkages are critical to the transition. This will help the business decide which applications should be migrated to the cloud first.

What does this mean for third parties?

Businesses must consider how third-party access will be managed within the new infrastructure:

Vendors

A company's evolution from physical to digital also applies to its vendors, which are likely to have different tools, technologies, and operating systems. This can cause conflicts where the company network intersects with a vendor's network within the new infrastructure. This can lead to an increase in data breaches. It's therefore essential that the company works closely with its vendors to explore how to resolve such conflicts quickly and successfully.

"What you're starting to see is business units, in addition to the CIO organization, influencing the technology investments and network topology for next generation digital transformation, not because they want to get into the business of managing networks, but because they have business outcomes to drive. Digital transformation dramatically expands the attack surface and puts businesses, people, and data at greater risk. You have to figure out how everyone comes together to achieve the business outcomes."

Danessa Lambdin, AT&T VP of Cybersecurity Solutions

The supply chain

Businesses will have to establish which suppliers can access particular datasets, at what level, and whether the suppliers have suitable security processes in place. They will need a contracted list of security expectations from the supplier and an initial and ongoing review of the protections that the supplier already has in place.

"Define what your third-party management program looks like," says Todd Waskelis, AT&T AVP of Cybersecurity Solutions. "Organizations should look at what data they're sharing with third parties and the risk associated with that data. Then they can establish and enforce what type of controls need to be in place to protect the data.”

The types of data and with whom it is shared can vary greatly. In some cases, an organization may develop a tiered program where the inspection or validation of the controls is commensurate with the risk. For example, a third party conducting a marketing mailing would have a much lower risk than a third party handling medical billing. A business may send the marketing firm a questionnaire, while sending a security team onsite to the medical billing firm. Approaches should vary by risk.

Ready to roll out

With planning complete, a business can move on to the rollout phase, knowing that it has strong foundations in place.

Pilot first

It will be tempting to implement the entire transitional plan immediately, but this can lead to unforeseen technical problems that affect business continuity, customer relations, and employee buy-in. Instead, conduct a pilot within one non-customer-facing department.

"For example, if you want to move to the cloud and you're a CIO and CISO, move yourself first," says Theresa Payton, President and CEO of Fortalice Solutions. "Then, pick the next executive sponsor that you know is excited about the transition.”

After each pilot, conduct polling to find out what's working and what isn't. That data should go to a steering group of key sponsors at the board level. This approach will create momentum and advocacy within the organization. If the pilot departments show that the new system is effective, enthusiasm will spread by word of mouth.

"There are many lessons that the enterprise will learn through piloting—whether it's identified security risks, user communication risks, or education risks—all of which provide future guidance," says Kayne McGladrey, Director of Information Security Services for Integral Partners LLC. "By the time you get to the harder transition elements, including full infrastructure rollout, you've already sorted through the main issues, thanks to your pilot-based learning journey."

Test the limits

Due diligence demands that businesses carry out a full risk assessment of the new infrastructure, including technical testing, configuration reviews, standards assessments, and people and process reviews.

Perimeter checks should be conducted edge to edge across everything connected to the network. Subsequently, if the SDI's cyber posture is deemed to be low, inside perimeter scans can be carried out using vulnerability and penetration tests.

"You need to set your cyber baseline," explains Greg Hill, AT&T AVP Emerging Security Solutions. "You should understand your current cybersecurity posture before you begin to address any issues with it," he says.

The findings should be pulled together into a technical report highlighting vulnerabilities, assigned risk ratings, and recommended fixes. To help solidify support of the C-suite, the report's executive summary should translate the results of all the testing activities into business goals.

To build on the initial vulnerability testing, businesses should use ongoing testing to identify which hygiene and scanning paths should be created at both the application and network levels. This would include, for example, scanning on a rolling basis, quarterly checkpoints for monitoring cleanliness, and annual penetration tests.

Persevere with a multi-year maturity program

As a company continues to shift operations and applications into the new infrastructure, it will need a multi-year maturity program that looks at how the network and cybersecurity strategy will keep up. According to Fortalice's Theresa Payton, the company should hold risk mitigation meetings at least once a quarter to present the board with 'the good, the bad, and the ugly’:

The good
Security issues that were successfully dealt with during the previous quarter.

The bad
Any ongoing issues that have arisen and are being resolved.

The ugly
What has happened to others in the industry whose security strategies have been compromised, and what can be learned from their failures.

This approach will highlight how the board's ongoing investment is helping to safeguard the company's operations. It will go a long way to positioning the risk management effort positively in future budgeting conversations.

"There is a sense of urgency when transforming legacy technology systems and processes," says Danessa Lambdin, AT&T VP of Cybersecurity Solutions. "The underlying IT Services strategy and framework needs to evolve as you chart your course towards next generation transformation whether it be virtualization, cloud, or SDN. One of the big challenges we always see is a business attempts to do some planning up front, but their technology planning framework gets old and stale. They start out with a plan, but they don't keep it alive and evolving with the organization, so it quickly becomes stale. That framework must be part of the tapestry and evolve with the organization as the network topology changes to stay aligned with the goals of the company."

Collaborate with security providers for a strategy that lasts

There are substantial challenges associated with going virtual, so companies of all sizes should consider aligning themselves with a dedicated security provider or security consultant. They can offer guidance on, for example, establishing a baseline focused exclusively on a company's industry, analyzing a cloud provider's security offering, and seeing to it that effective governance programs are established and adhered to.

"We would recommend bringing in an external security consultancy team that can discuss the right strategic fit for the company's unique environment—and what security measures are being promised by the cloud provider," says Stephen Roderick, AT&T Director of Technology Security, Technology and Operations. "The key is collaboration. It may require a couple of meetings every week between the consultant's security team and the cloud provider's security team.”

Roderick recommends that businesses continue collaborating once the service is up and running. It will need constant tuning and upgrades, so communication between the two parties on a continual basis will help keep the platform optimized and protected from evolving threats.

"Not to take advantage of a provider or consultant from the very start is almost negligence," says Chuck Brooks, Adjunct Faculty, Georgetown University, Graduate Applied Intelligence Program (Risk Management). "You'll come across issues that will be after the fact—and you'll be doing reputation repair instead of focusing on cybersecurity."

U.S. companies must face up to in-house knowledge gaps

Companies in the United States are the least confident with in-house security, yet they are the most likely to keep managing security in house.

From SMB to blue chip: How security providers help

No matter the size of an organization, security providers and consultants play key roles in security management:

Small businesses
Small businesses don't usually have access to the resources they need to create and maintain a cohesive cybersecurity strategy. Instead, they should rely on a provider that can plan and roll out the strategy affordably and efficiently.

Medium-sized businesses
Often boasting an in-house security team, these businesses don't expect to manage all their security processes, and they often offload their response capabilities and monitoring management to a security provider. Through this hybrid model, the company and the provider can work together to formulate a response when a breach occurs and can find ways to stop it from happening again.

Large businesses
While large enterprises typically have the funding and resources to implement a full cybersecurity program, a security provider can offer access to data and information that are outside their networks. Another benefit is the provider's ability to offer a baseline against other industry players, so that the business can see where it stands in relation to its peers.

"Because of the talent shortages in the cybersecurity field, not every company will find a strong set of security personnel (in house) to help build strong controls and policies. These companies should rely on a provider that has a greater breadth of knowledge that they can apply to the enterprise's overall security."

Exa Whiteman, AT&T AVP Global Security Services

Are you ready for the software-defined world?

Every organization, no matter its size or scale, is undergoing a transformation. While cybersecurity has traditionally been regarded as an expensive but necessary evil, it can no longer be seen as a cost center that eats into time, budgets, and resources. Instead, effective cybersecurity is a win for the enterprise, and a loss both for bad actors and for security-naive competitors that are held back by archaic infrastructures and outdated mindsets.

In summary, this report demonstrates that with the right roadmap in place, an edge-to-edge cybersecurity strategy is within reach of all businesses through six defined steps:

  1. Get the C-suite on your side, focus on collaboration, assign risk management responsibilities, and see to it that your company and its stakeholders—including third parties—buy in and adhere to the strategy.
  2. Carry out a full data discovery and prioritization program to identify your most important assets, and put procedures in place to protect them.
  3. Tag all of your company's assets—physical and virtual—to avoid cognitive dissonance, and analyze your application portfolio so you can manage data relationships effectively throughout the transition.
  4. Test the transition within a single non-customer-facing department to identify blind spots. Test your infrastructure in the short term before putting in place a long-term testing strategy.
  5. Realize that the SDI journey is ongoing, and that the continued support of the C-suite and other stakeholders is essential for the infrastructure to evolve with the company.
  6. Recognize that security providers and consultants are invaluable as the threat landscape and bad actors evolve.

Methodology

As companies undergo digital transformation, security is becoming a shared responsibility between the CFO, CIO, and CISO organizations. This change in the status quo requires individuals on these teams to better understand how cybersecurity works in a software-defined world.

This report is based on interviews with 15 cybersecurity experts, both from within AT&T as well as external thought leaders. The recommendations in this report are a roadmap for collaborating on and achieving shared cybersecurity goals.

Theresa Payton
President and CEO of Fortalice Solutions
@TrackerPayton

Bob Gourley
Founder and CTO of Crucial Point LLC and author of The Cyber Threat
@bobgourley

Chuck Brooks
Adjunct Faculty, Georgetown University, Graduate Applied Intelligence Program (Risk Management)
@ChuckDBrooks

Kevin L. Jackson
Founder of GovCloud Network
@Kevin_Jackson

Troy Hunt
Pluralsight Author and Microsoft Regional Director and MVP - Developer Security
@troyhunt

Kayne McGladrey
Director of Information Security Services, Integral Partners LLC
@kaynemcgladrey

Todd Waskelis
AVP, AT&T Cybersecurity Solutions

Brian Rexroad
VP, AT&T Security Platforms
@BrianRexroad

Greg Hill
AVP, AT&T Emerging Security Solutions

Senthil Ramakrishnan
Lead Member of Technical Staff, AT&T IoT Solutions
@senthil_rn

Stephen Roderick
Director of Technology Security, AT&T Technology and Operations

Tom Aufiero
AVP, AT&T Security and Intelligent Edge Solutions

Exa Whiteman
AVP, AT&T Global Security Services
@ewhite11

Josh Goodell
VP, AT&T Edge Solutions

Danessa Lambdin
VP, AT&T Cybersecurity Solutions
@DanessaLambdin


[1] AT&T 2017 Global State of Cybersecurity, Mind the Gap: Cybersecurity's Big Disconnect.

[2] IDC FutureScape: Worldwide Digital Transformation 2018 Predictions (Doc #US43154617), October 2017.

[3] Worldwide Cloud IT Infrastructure Revenues Grow 25.8% in the Second Quarter of 2017.

[4] 2017 Cost of Cybercrime Study, Accenture.
