CISO Q&A: Convergence, Consolidation, and FortiOS

Whether it’s a new project, procedure, or branch location, business changes depend on a fast, secure network. And supporting major digital initiatives such as work-from-anywhere (WFA) or converging IT and OT networks requires organizations to look closely at both the operational and security implications. As organizations move forward with projects that affect the network, they need to ensure their security can keep up with today’s complex and fast-evolving threats.
Fortinet Field CISOs Joe Robertson, Ricardo Ferreira, and Alain Sanchez share their perspectives on how organizations can stay ahead of challenges such as new, automated attacks, the expanding attack surface, and networking and security silos.
Why is the convergence of networking and security so important today?
Joe: For most organizations, networks and security were separate for a long time. But that was an artifact of technology history, not because they were fundamentally different environments. When you think about it, every threat traverses a network somewhere, so the network is the logical place to catch, block, and quarantine threats and malware.
The convergence of security and networking is extremely logical and has been coming for a long time now. In fact, when Fortinet started over 20 years ago, this convergence of the network and security was part of Ken Xie’s vision when he founded the company.
Ricardo: I agree. If you look at cybersecurity trends, you realize that there’s an increased need to protect data, people, and devices everywhere. When computers were linked to just a set of Ethernet cables and a server somewhere, there was relatively minimal danger of attack. But now, every human being has two or three devices, and they can connect to almost anywhere in the world and be connected from almost anywhere. Networks are a victim of their success. The growth and distributed nature of networks now mean more people and devices are exposed to more threats from bad actors. The explosion of network edges, new environments, new types of clouds, and endpoints means we can’t have the same security mindset we had a few years ago. Now we need to have real-time security to be proactive in our defense.
Alain: Every convergence carries change. Remember the big wave created by voice and data convergence? Not only does it affect the infrastructure and the management platform, but also the organization, the team, the budget, and the policy. In the case of networking and security, we’re even reaching the next level of change. Such an ability to literally embed security in the network unleashes creativity. CISOs can become the “inspirers” in an organization. Like a race car with excellent brakes, the converged security and network discipline can turn the corner of innovation faster.
The terms consolidation and convergence are often used interchangeably. Can you explain the difference?
Joe: Convergence is about different interacting technologies that are no longer separated. I mentioned the convergence of networking and security, but you also see convergence in networks that connect with each other, such as the convergence of operational technology with traditional IT networks.
Consolidation is something totally different. It is talking about product consolidation. For example, your organization might have a lot of products from different vendors in the network environment. Each of those products behaves differently and has different interfaces, management consoles, and configuration methods. Having so many products makes it difficult for the technical team to manage everything. So consolidation is about reducing the number of vendors, so there are fewer consoles and interfaces to deal with. Of course, the assumption is that a given vendor uses a single interface for multiple types of security or network devices.
Ricardo: Risk management can be an important aspect of consolidation. Risk management is a top priority for CISOs; as such it’s important to have a consolidated single source of truth that shows the risk profile, so data-driven security decisions are appropriate to the organization’s risk appetite. Consolidating products also consolidates security data sources across your environment, to be viewed through a single dashboard.
Joe: Also, in a highly regulated environment, such as banking, having documentation of your status and proof that you are following the regulations is essential. Providing proof of compliance is easier to do in a consolidated environment than if you’ve got dozens of different devices. And because environments are so dynamic, having real-time visibility into your risk and compliance posture is critical.
Alain: Consolidation addresses a particular pain point of the IT and security community: too many point solutions, too many platforms, too many correlations to make between heterogeneous platforms. The typical number of different network and security vendors averages 60. Convergence calls for a multi-domain convergence that, as said earlier, embraces technology, protocols, but also operations and budget planning.
How can you detect unknown threats before they infiltrate the network?
Alain: Artificial intelligence, and more specifically machine learning, plays a significant role as a proactive detection defense line. The main idea is to create a map of what baseline traffic looks like. It’s like recognizing the way you drive: typical revs when changing gear, itinerary, parking habits. So when the network is stressed in a different way, the gap between baseline traffic and actual traffic is detected. Someone might have stolen your car keys (access credentials in the IT world) and consequently gotten access to your car, but from the way the vehicle is driven, it is clear it is not you.
Ricardo: As threats evolve, it’s essential to have a platform powered by artificial intelligence that consumes security-enriched data such as threat intelligence. In FortiOS 7.2, platform features like in-line sandboxing, inline CASB, advanced protection for OT and IoT, and many others consume threat intelligence data from FortiGuard Labs. FortiGuard Labs analyzes more than 100 billion security events per day, which are translated into security-enriched data to detect unknown threats, contributing to an organization’s resilience.
The other benefit is that automation with AI improves scalability. If you are relying only on people to review logs or risk profiles, it doesn’t scale. But automating with AI using the threat intelligence from FortiGuard Labs helps ensure that the platform can react proactively to those threats and block them effectively.
How are threats evolving?
Joe: Something you need to keep in mind is the dwell time of an attacker. That’s the amount of time an attacker has access to the network and is rooting around in it. The problem is that in the past, dwell time was measured in months. Reducing that time period to days, hours, or minutes is one of the significant advances of FortiOS 7.2.
Because the rate of exploitation is increasing and attacks are happening more quickly, there’s simply too much data for people to go through in a security operations center. That’s why using AI and ML to stop unknown threats is so important.
Ricardo: Building on what Joe said, according to the Global Cybersecurity Outlook 2022 from the World Economic Forum, the average time it takes an organization to detect a threat is more than 280 days. Think about the damage an attacker can do with access to systems in all that time. That statistic highlights the need for automation with AI and ML to detect novel threats but also to counteract existing threats. People tend to forget about the old threats, but if you look at statistics from FortiGuard Labs, new threats are present, but outdated threats are still making the rounds as well. They don’t just go away. Attackers continue to use old methods because those old methods still work when people don’t patch or update their systems.
Joe: Another reason for the AI advancements in FortiOS 7.2 is that the bad guys are using AI too. They are using it to create new malware variants. They’re creating not just hundreds but thousands and tens of thousands of versions of the same malware that are just different enough that signature-based tools don’t detect them. That’s why we need to use AI to catch the malware that’s being generated by AI.
Alain: A next generation of threats is emerging that takes advantage of the very innovation that propels digital acceleration. From this perspective, Log4j is quite representative of this new generation of threat. For starters, being able to reproduce in a remote server all the conditions of a crash is extremely useful. Just as the forensic police would take notes, pictures, and samples of a crime scene to make sense of it all in a remote lab, the Log4j attack weaponizes this very process. Today, we are witnessing a whole family of attacks that turn innovation into weapons. Hence the importance of a holistic cybersecurity platform that addresses the various steps involved in the attack scenarios.