Tzury Bar Yochay is the CTO and co-founder of Reblaze. Having served in technical leadership in several software companies, Tzury founded Reblaze to pioneer an innovative new approach to cyber security.
Tzury has more than 20 years of experience in the software industry, holding R&D and senior technical roles in various companies.
Prior to founding Reblaze, he also founded Regulus Labs, a network software company.
As a thought leader in security technologies, Tzury is frequently invited to present at industry conferences around the globe.
Threats are everywhere and always changing. How can we address this difficult reality?
It’s important to acknowledge that this is indeed reality—that there will always be new threats, and we’ll always need to stay vigilant against them.
Unfortunately, there are still many executives for whom security is an afterthought—who think they can just delegate security to IT, and then not pay attention to it anymore. That’s a good way to become the latest high-profile data breach.
The good news is that even in an evolving threat environment, effective security can still be maintained. But executives need to give it the attention it deserves. It won’t happen on its own.
How can executives balance security and innovation? When the business is steaming along and wants to introduce new products or services, how do you make sure that security is plugged in?
The first step is to frame the issue correctly. It’s best not to think of security as something that gets “plugged in,” because that implies it’s a separate item that gets added later.
A better approach is to think of security as something that gets “baked in” to your sites, web applications, and so on, from the very beginning. Methodologies like DevSecOps allow you to build security into your products, services, and environments.
The old approach to security was to create and deliver something, put up a guardrail around it, and then hope it doesn’t get breached. The new approach is to bake security into all processes from the very beginning—from development through to testing, delivery, and production. This makes it much more difficult to produce a web application that has vulnerabilities. Plus, production environments are set up to constantly reset themselves to a baseline configuration.
In other words, a system’s default state is to be secure and compliant, and any drift away from that state gets reverted. So, it becomes extremely unlikely for an attacker to succeed, and whatever damage he could do is limited anyway. There are many advantages to DevSecOps.
However, there’s a major obstacle to implementing all of this. Traditional security products like on-premise WAFs are not designed to support these practices, and so these products will hinder an organization in adopting them. On the other hand, many cloud security solutions support environments built around agile methodologies and DevSecOps.
So, executives who want to balance security and innovation need to assess their current security measures. Traditional security products force a choice between effective security and constant innovation. Newer solutions allow both.
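The "default state is secure, and any drift gets reverted" idea from the answer above, shown as a small desired-state check. This is an added illustration, not Reblaze's or the interviewee's code: the setting names, the baseline values and the drifted host configuration are all constructed for the example, and the `detect_drift`, `remediation_plan` and `apply_plan` functions are hypothetical helpers rather than any product's API.

```python
"""Desired-state drift check: compare a host's running configuration with a security
baseline, report every deviation, and derive the actions that revert the host.
Added example; baseline and observed values are constructed, not taken from any system."""
import copy
import statistics  # unused placeholder removed below; kept out of the logic


# Constructed baseline: the secure, compliant state every host should converge to.
BASELINE = {
    "tls": {"min_version": "1.2",
            "ciphers": ["TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256"]},
    "admin": {"listen": "127.0.0.1", "port": 8443, "auth_required": True},
    "cors": {"allowed_origins": ["https://app.example.com"]},
    "logging": {"level": "info", "forward_to_siem": True},
}

# Constructed snapshot of a host that has drifted (weaker TLS, admin exposed,
# auth flag deleted, wildcard CORS origin, and a debug section nobody approved).
OBSERVED = {
    "tls": {"min_version": "1.0",
            "ciphers": ["TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"]},
    "admin": {"listen": "0.0.0.0", "port": 8443},
    "cors": {"allowed_origins": ["https://app.example.com", "*"]},
    "logging": {"level": "info", "forward_to_siem": True},
    "debug": {"enabled": True},
}


def _flatten(cfg, prefix=""):
    """Yield (dotted.path, leaf_value) pairs for a nested configuration dict."""
    for key, value in cfg.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            yield from _flatten(value, path + ".")
        else:
            yield path, value


def _norm(value):
    """Lists are compared as sets of members, so reordering alone is not drift."""
    return sorted(value) if isinstance(value, list) else value


def detect_drift(baseline, observed):
    """Return drift records (path, kind, expected, actual); empty means compliant."""
    base = dict(_flatten(baseline))
    seen = dict(_flatten(observed))
    drift = []
    for path, expected in base.items():
        if path not in seen:
            drift.append({"path": path, "kind": "missing", "expected": expected, "actual": None})
        elif _norm(seen[path]) != _norm(expected):
            drift.append({"path": path, "kind": "changed", "expected": expected,
                          "actual": seen[path]})
    for path, actual in seen.items():
        if path not in base:
            drift.append({"path": path, "kind": "unexpected", "expected": None,
                          "actual": actual})
    return drift


def remediation_plan(drift):
    """Translate drift records into set/unset actions that revert the host to baseline."""
    plan = []
    for d in drift:
        if d["kind"] == "unexpected":
            plan.append(("unset", d["path"], None))
        else:
            plan.append(("set", d["path"], d["expected"]))
    return plan


def apply_plan(observed, plan):
    """Apply the plan to a copy of the observed config and return the reverted config."""
    cfg = copy.deepcopy(observed)
    for action, path, value in plan:
        parts = path.split(".")
        node = cfg
        for part in parts[:-1]:
            node = node.setdefault(part, {})
        if action == "set":
            node[parts[-1]] = value
        else:
            node.pop(parts[-1], None)
    return cfg


if __name__ == "__main__":
    found = detect_drift(BASELINE, OBSERVED)
    for d in found:
        print(f"{d['kind']:10} {d['path']}: expected={d['expected']!r} actual={d['actual']!r}")
    reverted = apply_plan(OBSERVED, remediation_plan(found))
    print("drift after revert:", detect_drift(BASELINE, reverted))
```

Run once, the report lists five deviations (the reordered cipher list is correctly not one of them) and the reverted configuration shows no drift; in a real pipeline the plan would be fed to whatever provisioning tool owns the host, and the check itself would run on a schedule so that drift is short-lived rather than discovered during an incident.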
Security and IT professionals are bombarded with news about cybersecurity issues. How can they filter out the noise and determine what issues really matter to them?
Often, big stories about security contain a lot of noise. You can usually figure out fairly quickly if there’s anything you can learn from it, or an action step you should take. If not, then you can ignore it.
For example, in 2017 the Equifax breach occurred because the company ignored a known vulnerability in Apache Struts, and left it unpatched for months. So the only lesson here is, “Being outrageously negligent will cause major problems,” which shouldn’t be a new idea to anyone anyway. Another example is the 2018 Memcached exploit, which allowed for record-breaking DDoS assaults. But multiple solutions got published for the problem immediately, and once you had implemented the appropriate solution, you were done. So there was nothing more to be learned from it, regardless of how long the fuss lasted in the media.
Sometimes there are news stories that do require close attention. These are usually longer-term issues—things that aren’t necessarily important immediately, but will be very important later. For example, the GDPR was proposed in 2012, was discussed for four years and finally became law in 2016, and then wasn’t enforced until 2018. Yet judging by the panic that occurred then, many executives apparently had ignored it until the enforcement deadline was almost up on them.
Other issues get little coverage as “news,” but are still very important—for example, the arrival of the cloud as a key component of modern cybersecurity.
Traditional security technologies like on-premise WAFs have too many disadvantages in today’s environment: they don’t scale, they hinder DevOps and DevSecOps, they’re difficult to maintain, and there are other problems too.
The cloud solves all of these, while adding a lot of additional benefits. For web security, the cloud is the future.
For an issue like this, staying informed requires a little effort. A reasonable approach would be to regularly browse the reports from industry analysts, and attend a conference or two each year.
Financial institutions face strict expectations from regulators and consumers alike. This sets financial institutions up for serious reputational consequences if they let consumers down by suffering a data breach or by failing to innovate service offerings. How can we address this reality?
These expectations are a good thing, and we should embrace them. Customers trust institutions with their data. Institutions should earn that trust, and do their best to safeguard their customers’ privacy and data security. As for regulators, they are merely trying to enforce practices that the industry should already be doing anyway.
It’s important to remember that data breaches are not inevitable. Most breaches occur because the victims allowed them to happen—for example, by misconfiguring their servers, or by failing to install patches promptly.
Good IT policies within an organization will prevent these incidents from occurring.
Other events should be mitigated by the security solution. I say “should” because few solutions do this well; most security solutions today still rely heavily on signature detection. This doesn’t work for zero-day exploits, or in situations where an attack isn’t completely new but the solution provider hasn’t yet updated their signatures.
A modern security solution avoids these problems. Our Reblaze platform uses a multivariate approach to threat detection, including not only signature detection, but also fine-grained ACLs (Access Control Lists), a full positive security model, behavioral analysis, and more.
Each of these provides benefits beyond the traditional approach. For example, Reblaze uses Machine Learning to build behavioral profiles for each web application and API that it protects.
Reblaze learns to recognize legitimate users, based on how they behave and how they interact with the protected application. It analyzes their (anonymized) data such as mouse movements, clicks, taps, zooms, typical device statistics, and more.
Therefore, even if attackers cannot be recognized by their signatures, this is irrelevant. By definition, all attackers must deviate from legitimate user behavior at some point. As soon as they do, Reblaze blocks them immediately.
So, with legacy security solutions, there can be gaps, and therefore possible concerns about meeting expectations from regulators and customers. But a modern solution solves these problems.
What advice do you have for security leaders?
Modern threats require modern defenses. Traditional approaches to security—such as installing a few appliances in front of your data center, and hoping for the best—aren’t enough anymore.
There are very talented people using new technologies to create more effective threats. For example, Machine Learning is starting to be used for all sorts of purposes: for instance, to create bots which are extremely good at mimicking humans, and thus are very hard to detect and block. Or, to automate vulnerability discovery on potential targets, more thoroughly and more subtly than was possible before, and at scale. The list goes on.
Defeating these threats requires an even higher level of sophistication. An effective security solution today includes a variety of technologies, including the cloud, Big Data, Machine Learning, and more. At the same time, it automates everything and provides it in a platform that’s straightforward and easy to use, while still being effective.
So, my advice to security leaders is to avoid being complacent. Keeping current on what’s happening and what’s available will require some effort—but it’s necessary, and it’s worth it.