SECURITY FOR DIGITAL TRANSFORMATION Insights for every evolving organization
2
EBOOK | SECURITY FOR DIGITAL TRANSFORMATION
Understand the Risks of Your Organization’s Digital Transformation For businesses, digital transformation represents both an opportunity and a threat.
The opportunity: Unlimited potential to optimize, connect, and innovate.
The threat: Every connection is a risk. Every platform, a new point of entry, with sensitive information flowing everywhere.
Stored customer data, analytics initiatives, connected operations, cloud computing— they all create security challenges. And as innovators explore new digital business models and technologies, attack methods also evolve.
<
PREVIOUS
NEXT
>
3
EBOOK | SECURITY FOR DIGITAL TRANSFORMATION
You Don’t Have to Secure Your Digital Transformation Alone This primer explores the security challenges of your organization’s digital transformation. FireEye strives to protect organizations and arm them with the insights they need to stay secure, even in uncharted territory.
This ebook helps answer the question:
“How do you securely achieve digital transformation goals in a connected world?” <
PREVIOUS
NEXT NEXT
>
4
EBOOK | SECURITY FOR DIGITAL TRANSFORMATION
Security Essentials of Digital Transformation To enable a more detailed security conversation, we’ve sorted digital transformation activities into four core segments. These segments don’t represent a progression. Instead, think of them as guides to frame our expert insights.
Customer Experience Improvement
Page 6
Connected Operations
Page 8
How to securely use digital technology to improve the customer experience
How to mitigate risks as you streamline processes and connect devices
• In-store/online integration • Customer loyalty programs
• Internet of Things
• Real-time insight
• Experience personalization • Connection with third-party platforms
Growth, Acceleration and Agility
Page 10
Innovation and Disruption
Page 12
How to move quickly and grow rapidly—without compromising security
How digital transformation leaders can protect their position
• Analytics
• Protection principles for radical innovation
• DevOps
• Security as a differentiator
• Safer disruption
<
PREVIOUS
NEXT
>
5
EBOOK | SECURITY FOR DIGITAL TRANSFORMATION
Cloud Security: Five Best Practices Executive Perspective Public, private, and hybrid clouds are essential elements to organizations’ digital transformation efforts. These solutions enable simpler and more efficient IT workflows.
But while the cloud simplifies some areas, it complicates others. Your attack surface expands dramatically, increasing the chance of a misconfiguration that compromises security.
Templates and automated processes streamline and enhance many operations—including security.
As you navigate your digital evolution, cloud computing will be a constant concern. Here are five things your organization can do to reduce risk.
1
2
3
4
5
Collaborate with providers
Implement strong authentication and access practices
Employ automation and orchestration to accelerate security
Understand where you’re forfeiting control
Ensure your team understands the business intent
Effective identity and access management is a necessity in any cloud model. Account compromise via weak protection is the root cause of many cloud security breaches.
Cloud computing enables users to rapidly provision and de-provision systems, services, and workloads. To keep up with the continually changing network, your security strategy needs to leverage automation and orchestration.
The loss of some access or capabilities is inevitable when working with cloud partners. Security teams need to be realistic about how this loss of control impacts their ability to protect assets and respond to security incidents.
With an increased amount of API interactions and other connections, your team needs to be able to clearly identify anomalies and suspicious behavior. They can only identify unusual activity if they have a clear understanding of the relevant business processes and user activities.
Protecting the cloud is a shared responsibility. To avoid gaps, you need to clearly delineate roles and duties between the two teams.
<
PREVIOUS
NEXT
>
6
EBOOK | SECURITY FOR DIGITAL TRANSFORMATION
Customer Experience Improvement Core Activities
The Risks
• Storage and analysis of customer data for loyalty programs, personalized offers, and more
• Loss or theft of the information that customers trust you with
•
Connection of databases to third-party platforms to expand capabilities— omnichannel tools, open banking, supply chain, etc.
• Creation of potential entry points to your network (and business) with every third party platform added • Limited control and visibility of data on external infrastructure
EXECUTIVE GUIDANCE: ENSURE VISIBILITY ACROSS INTEGRATIONS Integration is critical to digital transformation. It’s required to build a modern customer experience, from cloud storage to omnichannel tools and CRM platforms to supply chain partners and analytics engines.
With every integration you add, your attack surface grows. Each third-party platform or solution you interface with can be targeted by attacks—and those same attackers can eventually find their way to you.
Digital services offered conveniently through open APIs help organizations increase competitive advantage and customer loyalty. However, making data more available and accessible also increases risk.
You need to have visibility into your extended platforms and partner systems. What you can’t see, you can’t protect. Work closely with cloud providers to implement the right security tools and extend your organization’s reach.
<
PREVIOUS
NEXT
>
7
EBOOK | SECURITY FOR DIGITAL TRANSFORMATION
Customer Experience Improvement: Best Practices Assess and monitor your supply chain and supply chain partners
Embrace a zero-trust approach and extend visibility
Think of every step in your digital ecosystem as part of a supply chain—both those hosted on internal and third-party infrastructure. Each point along the path is another server, another data center, and another staff that is suddenly responsible for your sensitive data.
Historically, security professionals protect the perimeter and not necessarily the endpoint or application itself. The integration required to support a digital customer experience essentially does away with your perimeter. The endpoint or application level is where the battle is fought.
As organizations improve their posture and perimeter defenses, attackers focus on third-party vendors, customers, and partners to gain network access. To protect against this, due diligence is required: • Make security a center point of your discussions as you choose partners • Conduct thorough research into any previous breaches at potential and current partners • Maintain a detailed inventory of your entire supply chain: vendors, products, software libraries, and third-party access privileges • Ensure your suppliers are obligated to inform you if their network is compromised • Impose tight controls over third-party access to your network and data • Validate supplier controls through audits, joint teams, and internal testing • Leverage third-party tools to assess the risk of each partner and chart changes over time
Your posture can no longer be “anything within the network can be trusted.” There are too many entry points and too many ways to sneak past defenses. Everything must be verified. Trust nothing. Then confirm identities with multi-factor authentication.
Don’t lose sight of security in the connection complexity Most organizations opt for a hybrid cloud approach to store and manage customer data. Many see the move to cloud as a simplification. But while automation and templated deployments help increase consistency, the overall monitoring workload still increases.
7
The number of significant software supply chain attacks that were made public in 2018. ATTACKER TACTICS:
Embedded backdoors in legitimate software
Stolen certificates to bypass detection or subvert update processes
Authentication, authorization, and communication combined with comprehensive logging and monitoring are crucial to protecting customer data exposed through API. Keep an eye on complexity as your digital transformation develops. It’s possible to accidentally leave openings for attack. A strong understanding of the threat models that apply to your evolving attack surface is critical.
<
PREVIOUS
NEXT NEXT
>
8
EBOOK | SECURITY FOR DIGITAL TRANSFORMATION
Connected Operations Core Activities
The Risks
• Extension of connectivity to geographically distributed physical devices to capture real-time information for your business
• Unclear security processes for intra-departmental projects • Every network-connected device is another entryway for attackers
EXECUTIVE GUIDANCE: CLEARLY DEFINE OWNERSHIP As you add more and more devices to the network— particularly ones that are geographically distributed—it’s important to identify who is ultimately responsible for securing them and responding to incidents. These devices are accessible to attackers through any number of means, including simply walking up to them and inserting a USB thumb drive. When a security issue occurs, you need a swift and accurate response. Problems arise because securing connected operations involves stakeholders from many disciplines: facilities, physical security, cyber security, compliance, and legal. Swift reactions can be prevented by the sheer number of people in the room.
Everyone needs to understand what they’re responsible for, and how the connected operations impact the business. What’s essential to operations and what’s not? Which assets necessitate what kind of responses? If a sensor that’s 100 miles away from the nearest IT staff member—or from anyone at all—gets attacked, what’s the procedure to address it? As you build your strategy for connected operations, remember to clearly define roles and processes. Identify who will lead the way and who will address what parts of the issue. Only by positioning the diverse stakeholders appropriately can you respond effectively.
<
PREVIOUS
NEXT
>
9
EBOOK | SECURITY FOR DIGITAL TRANSFORMATION
Connected Operations: Best Practices Use the traditional IT security tools that are still relevant
Maintain an inventory of all IoT devices
Many IoT devices lack the compute resources to run traditional security tools. Controls such as endpoint detection and response, logging, and monitoring are not viable.
Keep an inventory of all connected endpoints by requiring all users to register their devices before connection.
Your team will need to assess and apply the traditional cyber security tactics that are still relevant—such as patching and update management, network segmentation, and access management.
Examine your vendor’s security sophistication Many IoT devices are made by new companies that may lack the security practices of legacy providers. Products are being released without comprehensive knowledge of the security threats that impact them, and with a lack of adequate built-in safety protocols to defend against those threats. In many cases, the manufacturers of these components prioritize being first to market over security.
Likewise, leverage an asset management solution that allows for remote access to all IoT devices, including asset discovery, tracking, patching, and incident response.
REAL-WORLD EXAMPLE
In 2016, the Mirai botnet infected more than
600,000
IoT devices
across 164 countries and took down major websites. HOW? Many of the impacted devices were operating with easily bypassed default settings.
Utilize a defense-in-depth approach Because IoT vulnerabilities can be exploited before the vendor even releases a patch, a defense-in-depth approach is needed when architecting IoT strategies. Appropriate network segmentation and identity, password, and certificate management solutions, and effective logging and monitoring help minimize risk.
Vulnerabilities can go overlooked—and these vendors could lack the processes to identify them later. Be sure to assess your vendor’s security weak points before you add devices to your network. Critical security vulnerability patching on these systems should be implemented automatically and as soon as the update is available.
<
PREVIOUS
NEXT NEXT
>
10
EBOOK | SECURITY FOR DIGITAL TRANSFORMATION
Growth, Acceleration and Agility Core Activities
The Risks
• Use of analytics to uncover hidden opportunities in your data
• The aggregation of data required for analytics initiatives creates complicated access questions
• Application of DevOps approach to deliver solutions to market faster and more efficiently
• DevOps requires security to move faster to keep up with the accelerated pace
EXECUTIVE GUIDANCE: SECURITY CAN NO LONGER BE A GATE As organizations adopt and expand DevOps practices, finding the right balance of security and speed is an important concern. DevOps practices allow for significantly shortened development cycles. But the application of traditional security practices to DevOps can slow down workflows. Similarly, identify and access management practices often cannot be implemented without hindering a big data effort. But unfettered access puts sensitive and valuable data at risk. Over-privileged accounts increase risk, too. Meanwhile, malicious attacks at the application layer are increasing. Data breaches due to misconfigurations during deployment or because of application vulnerabilities have become common. Enterprises realize that while DevOps tools and processes help them stay innovative within tight release timelines, there are significant security concerns to address.
Enterprises realize that while DevOps tools and processes help them stay innovative within tight release timelines, there are significant security concerns to address.
To reduce risk and provide protection without slowing progress, security needs to be embedded into DevOps processes. It can no longer bring operations to a standstill. Big data requires careful policy and access governance to ensure that only those who require access are granted it. Tightly controlling user privileges and understanding user activity can help you build a strong security posture without impeding analytics initiatives. Of course, protection remains critical. But for both DevOps and analytics, it can’t slow down those who need to press forward.
<
PREVIOUS
NEXT
>
11
EBOOK | SECURITY FOR DIGITAL TRANSFORMATION
Growth, Acceleration and Agility: Best Practices Be mindful of data lake access
Security automation is critical to DevOps
The creation of a data lake for analytics initiatives requires a strategic approach that carefully assigns access to internal and external resources.
DevOps requires security to become closer than ever to the development process. Collaboration between security and DevOps teams enables effective security integration across the entire development lifecycle. Security staff need to be embedded in operations as consultants and sometimes even as coders.
Security teams need to understand the goals and workflows of data scientists and find ways to protect them without interfering. Cloud integration to support the sheer mass and volume of an analytics initiative only complicates questions of access and control. Only users with a clear business need should have powerful access. Least-privilege access should be standard. Since access requirements may not be known at first, iterative review and recertification processes are effective ways to tighten control over time. Privileged access to the data lake needs to be hardened via multi-factor authentication. Administrator access should be limited to the specific actions and commands needed. Extensive auditing and monitoring practices are critical to protecting big data platforms. They enable the security team to discover abnormal access activities—such as large data exports—before the data leaves the network. Lastly, compensatory data leak protection controls, such as limited access from hardened devices with disabled USB ports, restricted network connectivity and increased auditing can help minimize the risk of data leakage.
In DevOps, restrictions and roadblocks are counterproductive because the goal is rapid innovation. Automated deployment of security solutions and policies is critical to support continuous integration and the day-to-day pipeline. The integration of security tools into the development environment can identify risky code and help developers learn best practices for software security on the job—without slowing down the process. Continuous vulnerability assessments and penetration testing should be done throughout the development lifecycle so that issues are identified and addressed as early as possible. The DevOps security approach called DevSecOps emphasizes hardened container configurations and visibility into containers as critical needs. Continuous automatic scans to identify and remediate misconfigurations, unprotected secrets, insufficient access controls, and potential errors is another essential DevSecOps element.
<
PREVIOUS
NEXT
>
12
EBOOK | SECURITY FOR DIGITAL TRANSFORMATION
Innovation and Disruption Core Activities
The Risks
• Radically changing traditional marketplaces with new technology- based solutions
• With new territory comes new, unknown risks
• Developing forward-thinking products that break previous paradigms
• Security becomes a differentiator— without a cutting-edge strategy, your organization can be displaced
• Exploring new business possibilities or inventing new customer experiences
Innovation and Disruption: Best Practices REMEMBER THE FUNDAMENTALS Organizations on the cusp of digital transformation will face new challenges and unanswered questions. In these scenarios, it’s best to rely on the security fundamentals. Access. Visibility. Segmentation.
EXECUTIVE GUIDANCE: SECURITY IS A VALUE PROPOSITION Modern consumers want to know their data is safe. They’re concerned about privacy and identity theft. For radical innovative and disruptive organizations, a strong security foundation can help set your organization apart from competitors and give your customers confidence. As you enable new possibilities for your customers, they need assurance that the new innovations are a sound, secure investment—and that their sensitive data will be protected.
The core building blocks of security can help you identify and assess risks, and build thoughtful plans to address them, even in untested areas.
For organizations that have radically transformed the way they do business, or dramatically disrupted traditional markets, security is important to long-term success and adoption.
<
PREVIOUS
NEXT
>
Securing Digital Transformation is Complex, but Not Impossible What protects organizations throughout digital transformation? Approach. Technology. Diligence. And partnering with the right security vendor. You need a partner who can help you see the entire picture, all the way down to the make-or-break details.
Let’s talk soon about your digital transformation At FireEye, we help organizations across all industries stay protected as they explore new possibilities.
To learn more about FireEye, visit: www.FireEye.com FireEye, Inc.
About FireEye, Inc.
601 McCarthy Blvd. Milpitas, CA 95035 408.321.6300/877.FIREEYE (347.3393)
[email protected]
FireEye is the intelligence-led security company. Working as a seamless, scalable extension of customer security operations, FireEye offers a single platform that blends innovative security technologies, nation-state grade threat intelligence and world-renowned Mandiant® consulting. With this approach, FireEye eliminates the complexity and burden of cyber security for organizations struggling to prepare for, prevent and respond to cyber attacks.
© 2019 FireEye, Inc. All rights reserved. FireEye is a registered trademark of FireEye, Inc. All other brands, products, or service names are or may be trademarks or service marks of their respective owners. F-EXT-EB-US-EN-000213-01