If there were two important takeaways from this year’s Qualys Security Conference, they would be that today’s complex hybrid environments demand that security teams find ways to increase visibility into the state of their security posture, and that those teams be able to quickly mitigate new risks as they arise.
With their respective keynotes, both Qualys CEO Philippe Courtot and Qualys chief product officer Sumedh Thakar showed just how sophisticated today’s environments have become. Today, all but the most straightforward environments consist of multiple cloud services, virtualized workloads, and traditional on-premises systems, along with hundreds of application containers, microservices, and serverless functions.
All of this means the risks and vulnerabilities in business-technology systems change by the day, if not the hour. That is why nearly every QSC18 presentation focused on increasing security visibility into business-technology systems. For instance, Peeyush Patel, VP of information security at Experian, explained how, following that organization’s data breach, the security team realized it needed a “complete paradigm shift” in how it approached cybersecurity.
Patel explained during his talk, Using Real-Time Visibility to Unify Security Event Response, that one of the most important lessons the organization learned was that it would have to dramatically change how it measured and defined cybersecurity visibility. “That, to me, was the biggest one,” said Patel. “Our security team’s goal was to make sure that we enabled the technology teams, and our CTOs, to be able to [more readily] address risk,” he said.
What does increased visibility mean? Patel described how their previous approach, providing updates on risk every thirty or seven days, was not adequate. “They need real-time visibility,” he said. Patel explained that teams need near real-time views into their systems and risks: they need to know that systems have been patched and that the patch was successful, and they need to know when their software libraries have changed or when other aspects of their systems are updated. “You can no longer sit back and let things happen. You have to stay ahead of the curve,” he said.
Patel also shared how their application teams have increasingly integrated themselves into the technology teams. “I think the fact that a lot of my team has application security backgrounds has been a big benefit to us,” he said.
API security was another significant issue this year, especially when it came to visibility into API-related risks. In his presentation, Gartner analyst Mark O’Neill explained that organizations need continuous visibility into the state of their APIs, starting with discovering which APIs are in use in their environment (a big challenge in itself). Once the APIs in use are understood, enterprises should monitor them to learn how they are being used and then develop the appropriate security policy.
Each organization has to look at API security in the context of its own APIs and its own structure. “Everyone is different,” O’Neill said. The critical thing to understand is that APIs are a serious risk vector, and they need to be monitored and secured with adequate security policies and technologies.
Charles Henderson, global head of IBM X-Force Red, provided solid advice for any security team that finds itself in an organization lacking a sense of urgency about getting the right visibility and management processes in place to handle risk more effectively. As Henderson made clear in his keynote, real-time visibility by itself isn’t enough; there has to be a commitment to change. “It’s important to understand that finding a vulnerability doesn’t make it any better. Fixing makes it better. Understanding the root cause and understanding how you can make your organization better: That is the point of all offensive security,” he said.