Security Automation Critical to the Digital Journey
Last updated on: December 1, 2021
QSC Day 1 Recap
After a stressful two years of disruption and an uptick in damaging cyberattacks, security teams are overwhelmed and understaffed. As QSC 2021 kicks off in Las Vegas, Qualys President and CEO Sumedh Thakar explains how automation can relieve the burden and bolster companies’ defenses against attack.
Former CISA Director Chris Krebs spoke earlier about the challenges of security in an ever-connected world, one that is only going to get more complex and challenging. How can security teams catch up—or better yet get ahead of threats in this increasingly digital world?
Overall cybersecurity attacks are increasing in multiple ways. And the only way you can really address this situation is through technology and automation. Security has always been challenging, but add to that the fact that we have a serious shortage overall in the market of qualified people. And infrastructure continues to evolve rapidly. What used to be a server farm that you could visually see two years ago is now a multi-cloud environment with people working remotely. And, you don’t know what they’re doing. The only way we’re going to get the bad guys is by leveraging technology, leveraging automation.
You’ve said security needs to move faster, why is that?
What is the difference between an attacker and a cybersecurity team in a company? The only difference is who gets started first. And bad actors are moving faster. We can’t wait for traditional patching strategies to fix vulnerabilities. Typically, vulnerable devices are reported to one team that then sends it to another team and tickets are created. We lose days in that process, days that give bad actors plenty of time to exploit them. If you saw the Microsoft Exchange vulnerabilities that came out earlier this year, Chinese attackers compromised hundreds of thousands of Exchange servers in just two days. To combat that, our assets must be automatically patched.
The benefits of security automation seem obvious, so why is it met with such resistance?
It’s the fear of breaking something. If you suggest introducing automation, people often freak out about what if something breaks.
On the IT side of the house, automation is in full swing. How did they jump those same hurdles that security faces?
People moving to the cloud have embraced automation. And they have seen clear results—for instance, they’re able to use their resources more efficiently and save money. If a load goes up, the number of machines will increase automatically. When the load goes down, a bunch of machines are automatically killed. So, their costs are reduced. But remember, we always had an IT function where the operations people were deploying all this stuff. Developers wrote code and IT did the deployment. Then in development, things started going way faster than deployment. At some point, they decided to deal with it, understanding that business needed to move fast. So developers started writing automation into their code. And that revolution came about and so we have developers who basically write how things should work in production. That’s how DevOps came about.
What does it take to move security in the same direction…quickly?
Things break, but we learn from that along the way and how to mitigate the risk. We need to have that mental shift of more companies and more people saying, “just fix this thing.” It takes a few companies that are looking at their security problems and saying they want to leverage automation. And I’m willing to risk something breaking. Like one of our customers, a very small company, whose owner has a very simple goal—running a medical company. He has the expertise in-house needed to run the business, but his objective is not to build an empire of security people. He just wants to sell more medical products and services. So, he turned to Qualys to sort out what threats/activity are ransomware-related and automate that process.
The same impetus for automation can be seen at a large retail company that has gas stations and convenience stores all over the country. The CIO told me the company was sending out trucks to its many remote stores to deliver USB drives that the store plugs in and downloads patches. He wanted to figure out how he could leverage automation so that a patch is deployed and tested. So, now, a test system is automatically observed for an hour or two after a patch is made to ensure critical systems are not impacted. If there’s no impact, then the patch is rolled out across all stores. More organizations need to get to that point where they’re reducing the risk of breakage.
You said companies that have moved to the cloud are showing a greater willingness to automate anything. Has the accelerated migration to cloud brought by the pandemic helped make the case for security automation as well?
We’ve seen that. In fact, one of our largest customers has 245,000 employees globally. It’s an IT services company and suddenly all its employees went remote. And this is a company based out of India; they have employees in India and Romania, working from their apartments and using home internet connections. As an IT services company, they have a requirement from their customers that they will maintain all their devices at a certain patch level. It was impossible for them to patch endpoints at home, and their arguments against automation just went out of that door in a second when they moved to the cloud. At that point, they didn’t have any other choice but to basically say they needed a brand-new approach from scratch. It so happened that they had already deployed Qualys agents or vulnerability assessment on all their 245,000 devices. So, within two days, they check the box and all their machines are patching directly from the cloud, which is fantastic because they are able to leverage automation. That’s where we are pushing the boundaries.
Does automation, then, help put security in a more proactive stance rather than the reactive posture it’s known for?
Yes. If you’re patching things as soon as a patch comes out automatically, like you’re not being reactive to a vulnerability that was discovered.
What can help organizations have confidence that automation will fix more problems than it will cause—and that it will catch security threats?
You need a platform that is bringing all these data points together so that you know those can be analyzed. The question here is how do we trust the automation to make decisions based on many different factors. If you are making a decision based on one factor, confidence is low. But if the platform looks at several factors and sees, say, five signals together, that offers high confidence that an event or activity is malicious and action must be taken.
Security automation is a broad landscape with many issues to solve. Where does it make sense to start automating?
I think leveraging DevOps when a new infrastructure is being built is a great place to start. And automation can support zero trust initiatives. With automation, I’m automatically going to block access to a device based on some factor. If you want to move into the zero-trust environment, you need ways to leverage automation to have a continuous assessment of what is on the system. Automation of data collection and analysis is also a good place to start—figuring out what role a machine plays and then applying security policy. As we move into the cloud and containers, organizations have an opportunity to start building systems and data collection and analysis combined with the appropriate responses.
If you missed the keynotes and want to know more about security automation, the threats organizations face and how to combat them, you can view them on-demand on the Qualys site beginning next week. https://www.qualys.com/qsc/2021/las-vegas/