Our seasoned analysts couple their industry-leading B2B research with in-depth buyer intent data for unparalleled insights about critical technology markets.
Clients trust us across their GTMs—from strategy and product development to competitive insights and content creation—because we deliver high-quality, actionable support.
Browse our extensive library of research reports, research-based content, and blogs for actionable data and expert analysis of the latest B2B technology trends, market dynamics, and business opportunities.
Given the events of COVID-19 and the need to support remote work, I had the chance to catch up with Andrew Miller, CEO at Cameyo, about VPN alternatives. I remember deploying VPN 20+ years ago and while the technology was the right fit at the time, I question whether it is the ideal solution for remote work today. Listen to what Andrew and I have to say about VPN solutions and alternative means to help make remote work work.
About a month ago, I wrote a blog about how COVID-19 was driving rapid and dynamic changes for CISOs. I followed this up with a second blog, detailing a number of subsequent cybersecurity phases CISOs are now pursuing to assess and mitigate COVID-19-based cyber risks.
Both blogs describe some fundamental problems. Corporate cybersecurity now extends to home networks filled with insecure IP devices with little or no security protection whatsoever. Meanwhile, hackers are exploiting societal malaise with online scams, rogue websites, and phishing campaigns preying upon COVID-19 paranoia. A recent article in the Washington Post described research from Palo Alto Networks identifying more than 2,000 malicious COVID-19 web domains and another 40,000 it classifies as “high risk.”
So, work from home (WFH) initiatives have greatly expanded the attack surface AND pivoted traffic away from corporate networks instrumented with tried-and-true security controls. CISOs are struggling to figure out what’s out there and whether they are vulnerable to a growing barrage of COVID-19 cyber-attacks.
What can be done? Just like COVID-19 itself, one way to address this situation is through testing, testing, testing. Rather than novel coronaviruses and antibodies, however, WFH security vulnerabilities can be assessed through new types of continuous automated penetration and attack testing (CAPAT) tools.
These tools are provided as a SaaS offering so there’s no onsite hardware/software to install and operate. While CAPAT tools weren’t designed for WFH explicitly, I believe that CISOs may find them to be helpful for addressing current COVID-19 challenges by:
Mapping the attack surface. Cybersecurity teams aren’t sure exactly what’s on the extended network right now. Old insecure PCs? Chatty gaming systems? Mirai botnet infected video cameras? Discovering what’s out there is an important step as experienced red teamers often find lots of assets that cybersecurity teams don’t know about but are still responsible for. Some CAPAT tools address this visibility gap by discovering and mapping the attack surface – a good starting point for risk assessment and mitigation.
Testing security controls. Organizations spend millions of dollars on endpoint security software, firewalls, and a potpourri of security controls sitting between the two. Do these things work? This basic question is worth pursuing – according to research from ESG and the Information Systems Security Association (ISSA), 38% of cybersecurity pros say that one of the main implications of the global cybersecurity skills shortage is that their organization cannot fully learn or utilize their security technologies to their full potential. Thus, an overworked cybersecurity staff can lead to human error and misconfigured security controls languishing on the network. CAPAT tools can help CISOs assess whether their defenses work and whether they would know about it if they failed.
Pinpointing cyber risks. Armed with an attack surface map and CAPAT reports, CISOs can identify and address specific weaknesses with the right training, processes, and countermeasures. Yes, they do this already with penetration testing and red teaming exercises, but these tend to be expensive third-party services conducted once or twice per year. CAPAT tools replace costly service engagement with automation, providing a continual closed-loop cycle for risk assessment and mitigation.
Supplementing existing security programs and technologies. CAPAT tools tend to emulate cyber-adversaries by breaking attacks into kill chains over time. Each of the CAPAT tools’ automated tactics, techniques, and procedures (TTPs) can then be mapped into the MITRE ATT&CK framework – a popular taxonomy that aligns security programs and tools to an ‘outside-in’ hacker perspective and timeline. I’ve also witnessed CAPAT tools used in conjunction with security information and event management (SIEM) and security orchestration automation and response (SOAR) tools to fine-tune correlation rules and incident response runbooks. Finally, as CAPAT tools expose system configuration issues, these vulnerabilities can be programmed into deception technologies used to fool enemies and capture valuable threat intelligence.
To be clear, CAPAT tools aren’t a panacea but they can help expose WFH blind spots by increasing attack surface visibility – as the old management principle states, “you can’t manage (or in this case, secure) what you can’t measure.” Additionally, CAPAT tools can help security professionals “think like the enemy,” another fundamental tenet of cybersecurity. Finally, CAPAT tools have the potential to democratize penetration testing and red teaming. While most organizations can’t hire and retain experienced FTEs in these areas, CISOs should be able to find affordable SaaS options.
There are a host of innovative CAPAT vendors out there including AttackIQ, CyCognito, Cymulate, Randori, SafeBreach, Verodin (FireEye), and XM Cyber, amongst others. Some focus on attack surface discovery, some test controls, and some automate red teaming. I believe CAPAT tools will ultimately become a key technology in the SOC arsenal.
In a time where nearly every business is searching for some good news, IBM’s storage systems business impresses with strong growth. In IBM’s recent earnings announcement this week, the company reports that its enterprise storage systems revenue grew by 18%, for the second consecutive quarter of growth for IBM Storage.
This high growth rate is on par with some of IBM’s other high growth businesses such as its cloud business, up 19%, and Red Hat, which also grew 18%.
I recently had the chance to speak with James Stickland, CEO at Veridium, to hear firsthand how our Enterprise Strategy Group research regarding usernames and passwords from the Digital Work Survey maps to what James is seeing with businesses today.
In the video, I share research regarding an end-user perspective on:
What technology challenge has the biggest negative impact on productivity at work?
What improvements would you like to see in terms of the technology experience IT provides?
Watch the video to see more and learn how passwordless helps WFH work.
Digital transformation initiatives have been well documented over the last few years and result in significant changes to an organization’s people (skills), process, and technology. The top goals of these initiatives, as reported in ESG’s 2020 Technology Spending Intentions survey, are to drive greater operational efficiencies and deliver differentiated customer experiences. To accomplish these goals, organizations are actively modernizing their application environments.
Last week, I wrote a blog describing 3 ways that COVID-19 is changing CISO priorities for 2020. COVID-19 drove large-scale work from home (WFH) initiatives where the priority was getting users up and running as quickly as possible. Security leaders were then forced into an unanticipated follow-on sprint to deliver elementary security safeguards for remote employees (i.e., VPNs, endpoint security controls, network security controls, etc.).
This is the new reality and it’s an ongoing scramble, but what comes next?
Let’s call the current situation phase 1, which is about employee access, network communications confidentiality/integrity, and basic endpoint security.
Since posting my last blog, I’ve heard of additional IT efforts to address network performance and user productivity (phase 1A). Some organizations are implementing split tunneling so key employees can access VPNs and the internet simultaneously. Some are paying to upgrade employee bandwidth, especially for executives spending their days on Zoom/WebEx meetings while their children use the same networks for home schooling. My colleague Bob Laliberte also tells me about companies instrumenting key employee systems with WAN optimization software. Back at corporate, there’s also lots of load balancing and SD-WAN activity.
From a security perspective, forward-thinking CISOs are now on to phase 2 focused on situational awareness and risk assessment. This is directly related to the fact that a lot of LAN traffic has been rerouted to WANs and internet connections. The goal? Scope out the new realities of usage patterns and the attack surface.
To gain this level of visibility, organizations are deploying endpoint security agents to assess device posture and system level activities. Think Tanium agents and EDR software from vendors like Carbon Black, CrowdStrike, and Cybereason. Security pros also recognize that employee home networks may be populated with insecure IoT devices, out-of-date family PCs, etc., so I’ve heard of instances where security teams are doing home network scans here as well. Finally, there is an increased focus on monitoring network traffic travelling back and forth on VPNs or directly out to SaaS providers and the public cloud.
Leading organizations are also ramping up monitoring of cyber-adversaries and threat intelligence, looking for targeted attacks, COVID-19 tactics, techniques, and procedures (TTPs), IoCs, etc. I’ve also heard that threat analysts are more actively sharing intelligence and participating in ISACs. In other words, I’m seeing an increase in collaboration within the cybersecurity community.
In about 4 weeks, organizations will have visibility and enough historical data to proceed to phase 3, a full risk assessment and a board-level report. These reports will examine the WFH infrastructure, new traffic patterns, perceived vulnerabilities, rising threats, etc. They will also dig into a more thorough look at emerging WFH issues like insider threats, expansive privileges, data security exposures, insecure cloud application configurations, and others. The goal? Quantify risk and then work with executives to prioritize actions.
This leads to phase 4, which is all about risk mitigation. Based upon my conversations, the goal is to address this by mid-May at the latest. During the risk mitigation phase, organizations will likely employ controls for data privacy/security, assign least privilege to networks and applications, and segment home network traffic to protect WFH assets from gaming systems, smart refrigerators, security cameras, and the like. We’ll see more deployment of technologies like multi-factor authentication (MFA), zero trust networking tools, privileged account management, and DLP/eRM at that point. Process automation will also be added during this period.
At the end of phase 4, WFH should be set up for threat prevention, detection, and response at scale.
A few final things I’ve heard:
While the four phases are a general project plan, CISOs are also busy patching tactical holes like blocking Zoom bombing by using meeting IDs and issuing passwords. Issues like this come up daily.
Another issue I’m hearing about is securing “shotgun” applications, developed and deployed quickly to support remote workers, business partners, and customers.
Security will continue to play catch-up, with IT leading on network performance and service availability. User support and productivity is paramount while security remains behind the scenes.
The need for speed is causing CISOs to have a “SaaS first” mentality.
CISOs are taking a long-term approach since no one can tell how long the lockdown will last. Many also feel like this is a game changer for the future of IT and security.
I’ll continue to report on what’s happening in the CISO trenches as desperate times call for desperate measures. Your feedback, inputs, and suggestions are most welcome.
In Nassim Taleb’s book, The Black Swan, he focuses on the extreme impact of rare outlier events. I highly recommend adding it to your quarantine reading list. The key takeaway is that you can’t predict these events, so don’t try. Instead, prioritize creating robustness, whether in your life or in your business, so that you are prepared. It is not an if; it’s a when.
So, how robust do you feel?
For the past few years, when I spoke about digital transformation, I typically highlighted the opportunity that leveraging data effectively could create for businesses. If I thought about digital transformation as a risk mitigation strategy, it was only as competitive necessity. In other words, if you don’t reap these benefits, your competition will. What I forgot, however, was Taleb’s Black Swan theory.
The business world looks quite different now than it did a month or so ago. There is a much higher risk and cost associated with direct face-to-face communication and manual activities. In a matter of days to weeks, businesses have had to become completely reliant upon digital, remote work and increase their usage of cloud services. Everything that can be digital, needs to be digital.
Need remote, automated IT? Welcome to the cloud.
The show must go on. Business must continue. And when it comes to standing up and supporting new digital services, manual, on-location, traditional processes are no longer just costly, they are not an option right now. And when it comes to delivering digital services without manual, onsite interaction and activity, public cloud services typically have the advantage.
Hybrid cloud may be the current de facto standard of IT, but both sides of the hybrid equation are not equal when it comes to automation. In a 2019 study of storage administrators using both on- and off-premises storage infrastructure, admins were 2.5 times more likely to perceive cloud services as superior at enabling IT automation.
It’s not surprising then that cloud adoption is taking off even more than it was before. So much so that in a recent Wall Street Journal article titled, “One Business Winner Amid Coronavirus Lockdowns: the Cloud,” it was reported that Microsoft Azure was running into its limits in some locations.
Where is my automated data center?
While there are tools and technologies that deliver similar levels of remote control and automation to the data center, the usage of these tools is not where it needs to be. This is likely due to a combination of underinvestment by IT organizations along with the challenges of automating a diverse set of heterogeneous vendors and technologies.
For example, in a recent ESG study, IT orchestration and automation was identified by more than one-third of IT organizations as a problematic skill shortage. Think about that for a second. Automation is meant to reduce the number of personnel you need. When you are saying you can’t hire enough people to manage your automation, maybe the automation technology is too complex to be of any real use.
Innovation and investment continue in the area of IT automation, orchestration, and remote management, but is it moving fast enough? The answer at the beginning of the year might have been yes. The answer now is probably different. Given the realities of Covid-19, this could become a real concern for on-premises IT vendors.
Two Paths, One Destination
What does Covid-19 mean for the data center and for business and for IT moving forward? Is this a momentary anomaly or the start of the long-term shift? Let’s think about the options using a “choose your own adventure” style.
Path A: You were successful weathering the storm. You and your business were able to continue operations and find some success during this difficult time. Moving forward, you will likely recognize that this was due to your investment and experience with digital productivity tools and cloud services, encouraging more investment in the future. You might even recognize that if operations were able to continue without those big expensive office buildings, maybe you don’t need those anymore and you accelerate remote, digital work programs.
Path B: Your business took a significant hit during the pandemic. In this scenario, day-to-day operations took a huge hit. Either your organization is too reliant on physical employees being at a specific location or you underinvested in remote digital services and automation. When the crisis hit, maybe there was a significant investment, but the rollout and learning curve took too long, and the damage was done in terms of lost revenue and lost market share. Moving forward, assuming the business is still intact, your executive team will want to be better prepared. As a result, you increase investment in digital collaboration tools and public cloud services.
Ultimately, both paths end up at the same location, with businesses prioritizing investment in digital transformation activities and investing in cloud services. In other words, investing in ways to make sure the business can operate with people doing as few physical, manual tasks as possible.
Traditionally, I would expect these types of investment to span both on- and off-premises resources. Unless on premises technology can improve its automation and remote management capabilities quickly, cloud services will likely capture the lion’s share of this investment moving forward.
Covid-19 is a wake-up call to all businesses on the necessity of digital transformation. But it should also be a wake-up call to data center technology providers. IT needs the ability to deploy, provision, and manage new services automatically and remotely, with little to no manual interaction. IT needs the automated data center. Better yet, IT needs the automated hybrid cloud, and it needs it now.
Veeam’s maniacal focus on channel has paid off handsomely through the years. What is even more remarkable is how much has changed in what used to be a very traditional 2-tier distribution channel with VARs and integrators in the same 10-year timeframe. The ability of Veeam to help partners evolve to successfully adopt and make money with cloud technologies while avoiding disintermediation has been key in my opinion.
The notion of a matrix of “anyness” describes how the combination of knowledge worker mobility and the broad use of cloud services has significantly impacted the cybersecurity remit. The recent surge in remote workers has brought this concept to the fore and shown how conducting business on any device from any location at any time accessing any app and any data is the norm. This reality certainly challenges the castle and moat security model, highlighting the need to evolve how we think about the perimeter, to one that contemplates the many aspects of identity.
Anyone tracking virtual desktop infrastructure (VDI) has seen numerous claims over the past 5+ years that “this is the year of VDI.” The technology has been compelling but limited in deployment for corner cases and specific employee profiles. It’s never bounced past these use cases. Until now.
COVID-19 has found companies left unprepared for this unplanned event and without a solid business continuity plan in place for WFH (work from home) employees. Prior to COVID-19, business executives were reluctant to support WFH and feared the impact to employee productivity. The technology to deliver a secure workspace for an employee is rarely the issue but was often used as an excuse to restrict WFH policies. A small percentage of companies had a local business continuity plan in place for local natural disasters, but few had plans in place to address the scale of WFH we are seeing today.
Since companies were unprepared, they naturally rushed solutions for WFH employees knowing that there were security risks, questionable impact to productivity, and unknown network issues. As companies work through addressing any shortcomings, now is an ideal time to consider VDI and other digital workspace technologies that can deliver a secure and productive experience for WFH employees. ESG research validates that the top benefits of VDI are improved security, reduced operational expense, and improved employee productivity gains. This is exactly what businesses need right now.
ESG research continues to monitor how VDI is empowering WFH employees and more importantly, the role VDI and digital workspaces will have post-COVID-19 and how business can prepare as we welcome back some normalcy to our lives.
There hasn’t been a conversation in the past 3 weeks in which a particular non-cyber (for once) virus hasn’t been discussed. Many of our clients are asking us what we believe will change from a product/service/solution strategy in the space of backup and recovery. I don’t have a crystal ball but based on recent research, and as the year progresses, I expect that we will be able to better understand what might be significant changes in how organizations approach IT and the topic of backup and recovery, including disaster recovery.
In the meantime, I would like to share what I expect will happen based on past trends, pre-Covid-19, and my broad perspective on the market. I will not name specific vendors–this is not about who’s better than the other at this or that… Look at this as a high-level, revisited checklist of what to look for in a solution.
Before we start: I believe a lot of the changes that we will see were already in motion; what we will likely see is an acceleration of underlying trends or needs.
What will not change
Good data stewardship is not going away – probably ever – and this means that all the best practices for defining service levels (RPO/RTO) still apply. How you get there is likely to change, but business and IT fundamentals in this case remain the same. Data is an asset that must be protected, business must continue in the face of planned and unplanned interruptions, and compliance requirements must be met. Data growth is not slowing down, meaning that organizations will need to keep planning accordingly, and archive a growing volume of data.
This means that organizations will still need to look for solutions that meet all their SLA requirements and can accompany their data growth, or perform at scale, or fit in the environment with the proper set of integrations (hardware and hypervisor integration, for example).
What will change – or is changing already – Part 1 of many…
Management capabilities: It’s the pretty obvious one with staff now working remotely from home or having limited options to be in an office or data center. The winners of this phase will be solutions (whether on-prem, hybrid, or in the cloud) that reliably deliver advanced remote and secure management and deployment capabilities. For example, adding endpoint backup and recovery, or protecting new VMs created for the specific circumstances brought about by this crisis. Usability will be key against a backdrop of skills shortages (which began long before Covid-19) in data protection and adjacent IT areas (including cybersecurity). Further abilities are listed below. In addition, organizations that have coherent, broad, and deep reporting and alerting capabilities will be in great shape. However, I suspect this is a hurdle in many organizations.
DR Testing, and testing in general: It’s a best practice everyone should be an expert at, and most solutions today offer many possibilities to conduct non-disruptive (to production) testing, often supplemented by AI/ML and automation in general. Our research shows that the more people practice recovery the more satisfied they are with their solution. Great news for vendors who have put forward testing education programs. Based on our experience and validation of many solutions in the market, I would say there is no question that great solutions exist and can be leveraged. Not every solution is born equal, but overall they’re pretty good. So if the technology is available and in place, the real question revolves around practice and skill sets. It’s a combination of process and people. In a pandemic you may not have the experts available to do it. It is therefore key that more IT generalists be trained (which ties back to the usability requirement mentioned above). This positions certain cloud-based solutions/services in a pretty good spot.
I will stop for now, but stay tuned as I continue in my next blog….