Episode 3: Andrew Hay of OpenDNS

THE SECURITY INFLUENCER’S CHANNEL HOSTED BY JEFF WILLIAMS, CHIEF TECHNOLOGY OFFICER, CONTRAST SECURITY Episode Three: Andrew Hay, Open DNS

Upload: contrast-security

Post on 05-Jul-2015

DESCRIPTION

Welcome to The Security Influencer's Channel. In this episode, Jeff Williams interviews Andrew Hay of Open DNS. They discuss bad credential management and the recent eBay breach, thinking with the mind of an attacker, firewalls, security in the cloud, and fast-moving agile and DevOps life cycles in the software development life cycle (SDLC).

TRANSCRIPT

JEFF WILLIAMS

“Tell me: What’s going on? What are the top DNS-based attacks that are going on these days?”

ANDREW HAY

“Not DNS-specific, but malware bots, spammers are continuing to utilize domain generation algorithms or DGAs to stand up tens, hundreds, or even thousands of randomly-generated domains at a time.”

ANDREW HAY

“Beyond DNS attacks, one of the big concerns I have is data and information leakage on the whole. That’s definitely one thing I’m seeing a lot of these days.”

JEFF

“From an application security point of view we hear about domain spoofing. What can companies do to protect their apps against that kind of problem?”

ANDREW

“Well, I think the main thing that they have to be very clearly aware of is what their assets are doing and are capable of doing when connected to the internet.”

ANDREW

“You need to know how you can interact with that and how attackers might interact with that system.”

ANDREW

“We want to make sure that everything is going to be operational and working 24/7 and available to customers in a secure and safe way. But the attacker? They just want to get in through x, y, or z mechanism to get at what they want to get at.”

JEFF

“So how do firewalls play into all this? Do they play a role in defending the new, modern enterprise?”

ANDREW

“I doubt.”

ANDREW

“I think there’s always going to be a place for the firewall at the network edge. That being said, the network edge is no longer the choke point for all of the organization’s Internet traffic. In fact, the network perimeter is eroding.”

ANDREW

“They just want to be able to connect safely and securely wherever they are and on whatever platform they’re using. Whether it’s their flashy new Android tablet, or a clunky old laptop that work gave them.”

JEFF

“It seems like you could get pretty quickly to an organization that really doesn’t have internal IT. They’ve got mobile applications pushed out via app stores accessing their applications running in a cloud-based environment.”

JEFF

“Do those organizations lose a critical amount of control over their IT? How can organizations deal with that?”

ANDREW

“I think there was a time with every new iteration of technology where security comes late in the game. Hosted server. Virtualization. The Cloud.”

ANDREW

“We are dazzled by the price and cost…and then it’s the kind of thing like, well, ‘We’ll just figure out security later.’”

ANDREW

“‘Okay, well, my Cloud provider; they’ll protect me.’ But Cloud providers aren’t really in that business.”

JEFF

“So are we just doomed?”

JEFF

“Are we always doomed to play catch-up? Is that just the way security has to be?”

ANDREW

“I think there’s always going to be a place for security…the knowledge of the technology gets broader, the attack surface area grows, etc. So we generally have to play catch-up.”

ANDREW

“…people aren’t doing this proactive method mainly because they don’t know the threats; they may not have budgeted for the security side of things.”

ANDREW

“It’s really just user education. Like, ‘This is why we need to be proactive…we need predictive securities so that we can block these things before they impact you.’ It’s more of a frame of mind.”

JEFF

“With new development life cycles like Agile and DevOps, they’re doing things that we really didn’t imagine back in the 80’s. Continuous integration, continuous deployment. It’s moving really quickly.”

JEFF

“There’s a lot of folks out there that say, ‘You’ve got to do security during the SDLC!’ But what they really mean is: ‘Take these old, monolithic security activities…and shove them into a fast-moving DevOps life cycle.’ It’s really incompatible.”

JEFF

“How can we get security to be itself more agile and more dynamic?”

ANDREW

“I think that security needs to be a key component of not only development, but the operationalization of code and applications and hardware. It can’t be an afterthought because that’s when we get caught on our heels.”

JEFF

“I think that’s right. We’ve got to get out of this reactive mode and really become part of the engineering process.”

JEFF

“What happens with monitoring? Organizations get better sensors, gather lots and lots of data, start gathering application layer data: How do enterprises deal with that?”

ANDREW

“A lot of organizations are hiring or planning to hire data scientists. And these folks understand machine learning, big data analytics, mathematical algorithms.”

ANDREW

“The hope is that the organization can build their own data repository without having to shell out hundreds of thousands of dollars for SIEM or log management products and associated consulting fees to tune the system to their environment.”

JEFF

“So is that the way we get out of this reactive security approach? We start playing Moneyball and base everything on real-time monitors and responding to everything really quickly?”

ANDREW

“I think that’s probably one aspect of it. We also need to shift to more of a risk-management style of handling mitigations and technical controls.”

ANDREW

“We can’t just buy the flashy new box because the vendor tells us that it’s going to solve world hunger and cure everything that ails us.”

ANDREW

“I think people need to be put more into this process. We need to put more security in the development side and the IT operations side of things…[and that in turn] moves us more towards the proactive side of that.”

JEFF WILLIAMS WITH ANDREW HAY