Days of piecemeal security are over: Mark Anderson

The traditional strategy of defense in depth security is a fallacy, says Mark Anderson, President, Palo Alto Networks.

Security is a big nightmare for organizations globally. Palo Alto Networks is quite upbeat on its next generation security platform to keep the enterprises safe and sound. CSO India spoke to Mark Anderson, President, Palo Alto Networks on CISO concerns, company’s vision and the next big thing in security. The CISOs’ magical checklist of having more security boxes is out and dusted, and the security play has shifted to adoption of integrated platforms, said Anderson.

Edited Excerpts.

How murky will the security landscape turn in 2017 and what will continue to keep CISOs awake at night?  

Firstly, plenty of targeted and very scary rogue malware are out there. The bigger issue is the sheer volume of threats, and the relative ease with which the least funded adversary can attack and be successful. This is primarily because of lack of preparedness in several organizations across the globe when it comes to preventative infra.

We have to introspect on the sheer volume of vulnerabilities that can be exploited if a company’s infra is open to credential thefts. Attackers can lock your files and charge a ransom, or even steal something from your data to cover the tracks. At times, a business or government entity with the least defense becomes vulnerable to the simplest of malware attacks.

Does this imply that security companies are something wrong or have the hackers become smarter?

It’s both. I would not comment the hackers with a pat on the back. Not all of them are smart. Many are simply lazy as they try reused malware and they get lucky. The preparedness of the company’s security posture and possible hack varies by geographical location and industry vertical in across the globe.

Security pros are as good as the training they have been given and the infra they have been allowed to procure. The cyber criminals do a very good job as a community - if you will - on sharing attack strategies. The biggest problem is when a company gets lured into a false sense of security by purchasing everything. They are often advised by consultants or security vendors that they need to have solutions around firewall, IPS, APT, CASBY and the latest technology of the day. But, they are often not mindful on how difficult it is to manage and operate these elements together.

That’s why Palo Alto Networks has been successful as we built the platform from grounds up that allows customers to leverage much more. When you consolidate the multiple elements with automation, the security envelope improves.

Readily available internet and low cost of computing means anyone can launch an attack. If customers are not protected and they have not reduced the attack surface, hackers will be successful and they will attack those organizations repeatedly.

Has purchasing IT security moved from ‘a la carte’ of point products to a one-time buffet of best technologies packed into a single platform?

That’s a good analogy. Five years ago, there was this magical checklist to buy security solutions and products to be compliant. The industry associated the best practice of compliance (as the early driver) with having more boxes. About four to five years ago, the companies were mandated in the US to disclose public breaches. The 24-hour news culture reported the breaches so often that it resulted in embarrassment for the board.

It was then, the industry realized that disconnected legacy products were ineffective against modern attacks. Frankly, it led to funding and proliferation of companies like Palo Alto Networks and our emergence as a major provider of security infra. Our truly integrated platform with orchestration tools of datacenter vendors and now with public cloud and SaaS vendors provides consistent security. This protects data on premise branch office, SaaS or public cloud environment according to customers’ needs.

Several security vendors pitch prevention, detection or a mix of both. Can you demystify this approach and what does Palo Alto Networks believe in?

There are very few security vendors that talk about, and importantly, are able to prove their efficacy as a platform. That’s one thing we pride on with CISO, CIOs and CTOs of customers. Our ability to consolidate separate point products and show them how they work with our kit when connected to their infra is an eye opener. The management tools, dashboards and reports that we generate gives visibility, which enterprise and government organizations did not have access to. We show up, demonstrate, earn the customer trust, grow the relationship and expand that business.

Philosophically, we feel nobody can prevent everything including us. But a coordinated platform consolidating all areas of customers’ data, apps and infra can cover as much of an attack surface as possible. Other variables that impact security include well-trained operators. We suggest the customers should take 20 hours of minimal training a year to fully leverage our platform. CISOs should train each and every employee who has access to the system. The security culture needs to be baked into a company’s DNA. And those companies need to ensure their DNA incorporates the need for an ‘end-to-end’ security posture.

What does the board’s expectations from CISOs? What’s your bucket list for modern CISOs to evade hackers and damage to reputation?

The CISO role has become one of most important jobs for many companies. CISO has to certify and report back to the board that they have mitigated risks to the enterprise.

There are three ways of doing this. Firstly, have a best in class platform that consolidates as much as possible so that you can deliver automation. Every business doesn’t have knowledge workers who can manually chase down every alert. Automation helps to deal with the nastiest of problems. Secondly, educate your operators to manage the platform. And lastly, educate the entire extended company workforce that has access to the systems. At Palo Alto networks, we believe our customers and prospective customers need to be more knowledgeable as they will most likely understand our vision and become our partners.

Also, make sure that you properly vet the partners you engage with. Ideally, the security vendor should have an extensive set of platforms to connect to other pieces of puzzle like servers, switchers, routers load balancers, or other security elements. So that the vendor does not have the system working as one. The concept of layered security or defense in depth is a fallacy.

If you were to gaze into a crystal ball for top three security trends in 2017, what would they be and why?

There is a very real migration to public cloud as new and traditional companies and government departments move workloads. We have a strong story with a consistent policy, whether turning new App in SaaS like Office 365, or App in AWS or Azure with the same controls as on premise. For Palo Alto Networks, the public cloud is a very big tail wind.

Continued mobilization of the workforce is another big trend as the real estate becomes increasingly expensive. Companies are moving to the global resources to offer remote customer support. With more mission critical technology in hands of partners or remote employees, there is a need for consistent security coverage.

As we’ve learnt the hard way, IoT is turning out to be the internet of threats. In last year alone, there were two attacks including the biggest volumetric DDoS attack of thousands of internet connected cameras. Hence, a full blown architecture or platform of security will be the way forward for modern companies in a connected, digital era.