It used to be that dairy farmers relied on whatever was growing in the area to feed their cattle. They filled the trough with vegetation grown right on the farm. They probably relied heavily on whatever grasses grew naturally and perhaps added some high-value grains like barley and corn. Today, with better technology and knowledge, dairy farmers work with nutritionists to develop a personalized concentrate of carbohydrates, proteins, fats, minerals, and vitamins that gets added to the natural feed. The result is much healthier cattle and more predictable growth.
We’re going through a similar enlightenment in the security space. To get the best results, we need to fill the trough that our Machine Learning will eat from with high-value data feeds from our existing security products (whatever happens to be growing in the area) but also (and more precisely for this discussion) from beyond what we typically consider security products to be.
In the post, I make the case that "we shouldn’t limit our security data to what has traditionally been in-scope for security discussions" and how understanding Application Topology (and feeding that knowledge into the security trough) can help reduce risk and improve security.
Here's an excerpt:
We’re all guilty of thinking myopically at times. It’s easy to get caught up thinking about the objects in our foreground and to lose our sense of depth. We forget about the environment and the context and we focus too narrowly on some singular subject. It’s not always a bad thing. Often, we need to focus very specifically to take on challenges that would otherwise be too big to address. For example, security professionals spend a lot of time thinking about specific attack vectors (or security product categories). And each one perhaps necessarily requires a deep level of focus and expertise. I’m not arguing against that. But I’d like to suggest that someone on the team should expand their focus to think about the broader environment in which cyberattacks and security breaches take place. When you do, I suspect that you’ll find that there are data points from outside of the typical security realm that, if leveraged correctly, will dramatically improve your ability to respond to threats within that realm.
I posted recently about the importance of convergence (of security functionality). I noted that “Security solutions are evolving toward cloud, toward built-in intelligence via Machine Learning, and toward unified, integrated-by-design platforms.” I went on to suggest that forward-looking security platforms are autonomous and operate with minimal human intervention. I believe that’s where we’re heading. But to better enable machine learning and autonomous security, we need to feed as much relevant data as possible into the system. We need to feed the machine from an expanding trough of data. And with Internet scale as an enabler, we shouldn’t limit our security data to what has traditionally been in-scope for security discussions.
As an example, I’m going to talk about how understanding Application Topology (and feeding that knowledge into the security trough) can help reduce risk and improve your security posture.
What is Application Topology?
As you likely know, modern applications are typically architected into logical layers or tiers. With web and mobile applications, we’ve traditionally seen a presentation layer, an application or middleware tier, and a backend data tier. With serverless compute and cloud microservice architectures, an application’s workload may be even more widely distributed. It’s even common to see core application functions being outsourced to third parties via the use of APIs and open standards. Application Topology understands all the various parts of an application and how they’re interrelated. Understanding the App Topology means that you can track and correlate activity across components that may reside in several different clouds.
How does Application Topology impact security?
Consider an application that serves a package delivery service. It has web, mobile, and API interfaces that serve business line owners, delivery drivers, corporate accounts, and consumer customers. It’s core application logic runs on one popular cloud platform while the data storage backend runs on another. The application leverages an identity cloud service using several authentication techniques for the several audiences. It calls out to a third-party service that feeds traffic & weather information and interacts with other internal applications and databases that provide data points such as current pricing based on regional gas prices, capacity planning, and more. Think about what it means to secure an application like this.
Many popular security tools focus only on one layer or one component. A tool may scan the web application or the mobile app but probably not both. An app like this might have a few different security products that focus on securing APIs and a few others that focus on securing databases. Even if all components feed their security events into a common stream, there’s not likely a unified view of the risk posture for the application as a whole. None of the security tools are likely to understand the full application topology. If the app owner asked for a security report for the entire application, would you be able to provide it? How many different security products would you need to leverage? Would you be able to quantify the impact of a single security configuration issue on the application as a whole?
If a security solution fully understands the application topology and incorporates that knowledge, here are a few of the benefits: You can generate a holistic report on the application to the app owner that covers all components whether on-premises, in the cloud, or via third-parties. You can monitor user activity at one tier and understand how that impacts your risk posture across other tiers. You can monitor for security configuration changes at all components via a unified service and automatically adjust risk scores accordingly. In other words, a deep understanding of the IT infrastructure underneath the application yields a more robust understanding of security issues and an increased ability to respond quickly and automatically.
Challenge yourself to expand the scope of which data points might be useful for improving security. Are security appliance event logs and threat feeds enough? As we enter an era dominated by AI and Machine Learning, we need to add as much high-value data as possible into the security trough. ML performs better as it incorporates more information. And as Larry Ellison famously said, the threats are becoming increasingly more sophisticated. “It can't be our people versus their computers. We're going to lose that war. It's got to be our computers versus their computers.” We must rely on Machine Learning and we have to feed it with as much intelligence from as many sources as possible.