Journey to the centre of IT - What Jules Verne can teach security teams today
Getting a central view of everything you have, even when it is distributed, will help navigate threats and risks
Journey to the Centre of the Earth is a science fiction story by Jules Verne, first published in 1864. The book describes how a team discovers that the centre of the world is home to dinosaurs and prehistoric humans. After a terrifying journey, the team emerges on a volcanic island in Italy.
So what does this have to do with IT security? Well, the dinosaurs are obviously threats and risks, but the bigger lesson is to do with proper preparation for the journey, making sure all the critical data required is at hand.
Problem 1 - Translating documents can lead to new opportunities
Journey to the Centre of the Earth starts with the discovery of a coded note which, when solved, provides a clue to a secret route into the core of the planet. The main character Professor Lidenbrock immediately journeys there and the adventure ensues.
For security teams today, understanding the business and other IT teams is necessary to be successful. However, the growth of new approaches like DevOps and the use of new application delivery approaches like containers has upended some of security's existing best practices. Effectively, security teams now have to decode how DevOps teams work, how they think about security, and how to build security into that process from the start.
It's important to think this through as it embeds security into the whole process from initial code development through to testing, QA and on into production. While the term DevSecOps has become popular, it encourages people to think of security as a stage to go through rather than part of the overall approach to software. This assumption can be difficult to overcome, particularly if the teams involved are not used to collaborating with each other.
For security, focusing on providing the right information about security and vulnerabilities back to developers in the tools they use - and in the language that they can understand easily - is therefore well worth the effort.
Problem 2 - Knowing where you are going
Professor Lidenbrock doesn't know what is in store for him or his team. With little information to go on and not enough preparation, they go on a trip into the unknown and almost die due to a lack of water.
For security teams, an accurate overview of IT provides a map for any security planning. More importantly, it can flag any changes that have taken place and any unauthorised assets that have joined the network that should be investigated. This can be simple things like Internet-connected devices being linked up to the network by users who aren't aware of the potential issues, through to devices being installed with a disregard for security rules. Either way, detecting these devices as they join the network is essential.
Alongside this ability to get information on what is on the network, security teams have to prioritise these issues based on how severe they are. There is no one-size-fits-all model that can be applied here - every company has to understand their own specific conditions, the levels of risk they are willing to accept, and the biggest issues that might affect them.
For example, a bank or financial services company will have very different ideas of what constitutes a risk and how quickly it should be fixed compared to a small business or an e-commerce company. Each security team will therefore have to map out its own journey into the unknown, based on getting accurate data on IT assets and potential vulnerabilities.
Problem 3 - The journey can take you to places you don't expect and that are far away
In the story, the team start in Iceland and end up in Italy. They travel across subterranean seas and along underground rivers which eventually lead them to Stromboli, another volcano. The distance travelled is around 5,200 kilometres.
As well as not knowing what will be involved in the journey, security teams today face the prospect of managing geographically distributed IT assets alongside those on their internal networks. DevOps teams are normally keen to use cloud services and containers to run their applications as they can deploy faster, while implementations on cloud can be missing security processes like authentication or encryption by default. Parallel to this, all these services can have very different security models to understand and enforce.
For cloud implementations, getting an accurate overview of all machine images and applications should be just as important as any internal IT asset list. For new applications based on containers, this can be particularly tricky, as container images can be created and destroyed automatically in response to application demand levels. Container orchestration tools like Kubernetes mean that these changes can be automated, but security teams have to plug into this as well.
If you have a traditional vulnerability scanning approach in place that is based on taking snapshots of what is deployed, you could miss out on huge changes taking place in your infrastructure over time. Instead, getting real time alerts on any issues within containers or cloud deployments should ensure that you can keep control over what is deployed, regardless of where it happens to be.
Jules Verne's novel has been in print for more than 150 years, and inspired countless other stories of daring adventure into mysterious worlds. It also has lessons to teach us about how to prepare, how to understand each other, and how to look beyond simple internal boundaries. For security teams who have new challenges every day, the story of Professor Lindenbrock and Axel can still inspire new ways of thinking. Taking the journey to the heart of IT requires understanding what is taking place around us, getting accurate data on IT assets and preparing more effectively for whatever life has to throw at us. An up to date IT asset inventory will always be an enduring and essential element for security.
Marco Rottigni is chief technical security officer EMEA at Qualys