Consumerization of network security, pt. 1
Last month at the CableLabs Summer Conference, I had the opportunity to present with CableLabs Distinguished Technologist Steve Goeringer on the security considerations faced by network operators in today's connected world. While we covered numerous topics, I want to continue where our discussion left off on the consumerization of network security.
Steve and I on stage at #CLSC19
Enterprises are taking network security seriously
Cybersecurity is an arcane science. Books and movies depict good and bad hackers sitting in a basement at their text-filled screens. But in real life, enterprises are increasingly taking cybersecurity seriously, hiring said talent and building security operations centers with clear risk management practices.
Organizations are beginning to view the network as inherently insecure by default, and rightfully so. Our data is more online, digitized, and centrally retrievable than ever. Security breaches are becoming commonplace and resulting in more damaging, hazardous outcomes. Therefore, organizations are beginning to embrace the notion of mitigation, data governance, and incident response as a core competency.
The first attack on the internet was written by Bob Thomas, who wrote a small program called CREEPER to alter text in printouts to include the phrase, "I'M THE CREEPER : CATCH ME IF YOU CAN." In what was the first arms race of command and control, Ray Tomlinson in 1970 wrote a remediation system that would look for and replace CREEPER with REAPER. Bob and Ray were two academics who were playing a mostly harmless prank on the highly controlled early internet.
Almost twenty years later in 1988, Robert Morris wrote a self-replicating worm to gauge the size of the internet. But, something went wrong, and the Morris Worm, as it was called, spread and shut down systems, leading to outages and network cleanups that measured in days. This confusion and lack of incident communication is what eventually led to the creation of US-CERT, the U.S. Computer Emergency Readiness Team.
The consumerization of network security and the ISP's central role
Now in 2019, there are a few billion internet users made up of not only well connected corporate networks, but also high speed, gigabit connected homes. As broadband consumers now have an average of 10 devices with over 80% of traffic traveling over WiFi, the home network represents the battlefront of today's cybersecurity fight. It's where the growth of the internet is— and where bad actors are turning their attention.
This dynamic is placing the network operator at the center of many debates regarding user autonomy and prescriptive network management policy. Operators are having to decide what security behaviors they want to ensure that customers can still do what they want while the network is protected for the benefit of the whole. This debate has played out with illegal file sharing services and network prioritization, and mirrors the discussions around net neutrality.
While operators have mostly had the luxury of "clean pipes" and "see no evil, hear no evil," they are being called upon to ensure a certain quality of service for everyone. Their networks are increasingly becoming critical infrastructure as they carry a variety of network traffic, but the security approaches lack a way to become common business practices.
Looking at IT services, which were once largely performed in-house, we see that the likes of Amazon and Microsoft have migrated these services to the consumerization of enterprise IT services. Now, anyone can access file sharing, computer resources, and collaboration services. I hope for the connected world's sake that network security services also become more accessible and consumerized.
Network operators must take a new approach to secure customers
Security practices need to involve the entire organization to have better visibility about the tradeoffs involved in making business decisions. There are numerous technical and security-centric issues that are relevant to teams beyond just IT. Essentially, everyone should have a seat at the table when it comes to security.
At Dyn, we had to deal with WikiLeaks and the infamous 2016 Dyn cyberattack, aka the Mirai botnet. It was not surprising that while the technical aspects of the security incidents arose, such as regarding how our security and operations teams reacted, there was more emphasis placed on the non-technical aspects:
- How was management involved?
- What customer communications were sent out and why?
- What was the training beforehand and what was learned from that attack?
- How was our response in line with ethical and legal practices?
With this scenario as the backdrop, Minim proposes a new dynamic for how network operators should approach and think of security. Stay tuned as we share more in the coming blogs.