Followed closely by bacon—always an IT hot topic.
Security was front and centre as the main topic when more than 500 members of Manitoba’s information and communication technologies community converged on the Victoria Inn Convention Centre in Winnipeg on April 12, 2016 for Epic Technology Day. The event was hosted by Winnipeg’s Epic Information Solutions, an MTS Company.
Both keynote speakers — Epic’s Senior Technical Architect, Mike Chudy, along with Cisco Canada’s Consulting Architect, Ronnie Scott — focused on security architecture. This is an especially timely topic in light of data breaches such as the Panama Papers and the booming threat of ‘ransomware’ like CryptoLocker hitting high-profile targets such as Canadian and American hospitals in recent months.
Why Security Is Getting Major Attention
“The big events we’ve seen in the news are the hospital in Hollywood and in Ottawa,” said Epic’s Director of Technology, Doug Scott.
“In Ottawa, they had good prevention, but the key is they had good response. They knew if they ever had a security incident how they would respond. You can’t just protect with a perimeter firewall anymore—you need to have layers of defence and know that something eventually is going to get through. And then how are you going to react to it? That’s why one of the things we preach is, don’t just back up your data, but test your restores.”
In addition to keynote speakers, attendees had the opportunity to take in dozens of breakout sessions and the Solutions Showcase, featuring 35 vendor exhibitors at the 25th edition of the semi-annual tech event.
Tech Day again featured “tracks” tailored to attendees’ interests, allowing them to organize their day of breakout sessions, about 25 per cent of which were security-based. The tracks focused on collaboration, converged infrastructure, Microsoft, network, security and storage.
“Almost two full tracks were security-based and we got a really strong turnout,” Epic’s Scott said. “Typically, the October turnout is higher than the spring turnout, so I think we were above average for spring and I think that attests to the fact security is the timely issue right now.”
Scott says Tech Day also expanded on the demonstrations that premiered last fall.
“We’ve grown our demo from last year to include six others that cover almost every aspect of IT management, including security (malware and mobile threats), backup and replication, wireless, storage, collaboration and cloud management,” he said.
“I’ve had a lot of good feedback about the demo zone.”
When it came to security, Chudy and Cisco’s Scott spoke not only of the technical components needed to shore up organizational information security, but also the design and user-based procedures that are necessary.
Chudy walked the Tech Day crowd through the history of cyber-attacks, from the early days of relatively benign ‘phreaking’ and website defacement, to today’s reality of ‘Locky’ and forking over ransom to buy back sensitive data.
“In the past the motivation for (hackers) was typically to be annoying or damaging or to get some credibility among their peers. The scope was limited.”
Goals have definitely changed.
“Now we’re looking at financial motivation, as most commonly seen are phishing attacks attempting wire fraud,” Chudy said.
“The scope, of course, has changed because of the explosion of the Internet. The impact can be worldwide and with the Internet of Things, that’s going to be the next explosion.”
Epic’s Senior Technical Architect, Mike Chudy, speaks to the crowd during his breakfast keynote address.
Predicting The Future State of Technology
“By 2020, it’s predicted there will be over 50 billion devices with IP stacks on them,” Chudy said.
“How is that going to change information security? Only time will tell,” he said. “Things are much, much easier now. You can purchase sophisticated, zero-day enabled malware from the darknet and you don’t have to know what’s going on in the underlying system.”
Chudy also notes that phishing attacks have become much more personally tailored to the point they’re known as ‘spear-phishing.’
“Attacks for wire fraud now are very well researched and sophisticated. They’re dropping the right names, the spelling is perfect, the address is formatted correctly, the logos are there. They’re getting very challenging.”
Cyber-attackers have also gained patience.
“They might gain access to your systems and not leverage that access for some time,” Chudy said. “In the past, attackers wanted to create a disturbance and be a nuisance. Now they want to gain control of your system without you knowing and then launch their attacks when they’re ready.”
So how do businesses and organizations combat increasingly sophisticated attackers?
Combatting Extremely Savvy Hackers
“It’s about people, policy and processes,” Chudy says.
It’s definitely not about setting up a massive firewall and forgetting about it, and security is no longer solely an IT concern. Cisco’s Scott says it’s time organizations build cyber-security into their psyches from top to bottom, and he argues that design is key.
“Design can have just as much impact on our security as a product,” he said. “Firewalls and intrusion-prevention devices, and any number of security appliances will increase your security posture. But without design, I would suggest they will fall short.”
According to Cisco’s Scott, design lets an organization leverage these tools so that its overall security is greater than the sum of the parts. Education also plays a big role and should be an ongoing process.
“Not just for our users’ protection of our infrastructure, but for our users’ protection of themselves,” he said. “People still don’t understand the threats they walk into and what the risks are. It’s our job to protect our data, but it’s also our job to educate.”
Ronnie Scott, Consulting Architect with Cisco Canada, speaks to the crowd during his lunch keynote address.
IT departments can look to older times for ideas when it comes to security.
“Architecture and design for security is not a new thing,” said Cisco’s Scott, citing millennia of fortress and castle design with structures built for visibility, resilience, ability to repel attack and many tiers of defence all protecting an inner sanctum or vault.
“Micro-segmentation is a big word in security circles now,” said Cisco’s Scott.
“The idea is we’re going to carve our network into multiple different subsets of infrastructure and we’re going to isolate them from one another,” he said. “This is a design capability. This isn’t a tool, it isn’t a box or appliance that you buy—this is thinking about how to put things together.”
Security is about control points now, rather than an all-surrounding firewall that can contain millions of lines of configuration.
“If we can put in simple control points every step across the network, we are able to avoid these massively overcomplicated entities and create small, controllable elements we can then enforce our policy and contract through,” said Cisco’s Scott. “This has become the heart and soul of our new design. It’s defence in depth.”
The Solutions Showcase, featuring 35 vendor exhibitors.
The Realization: Security Threats Will Always Be There
Regardless of security measures, it’s important to realize you’re not impervious to attack.
“We know the attackers are out there,” said Cisco’s Scott. “Whether you’re a target or not, you’re likely to be impacted at some point. You need to ensure you have a design and response—and not just having a firewall and saying ‘My job is done.’ A design your organization buys into and agrees on and works together to fulfill. That design can go into significant detail across the entire infrastructure.”
It’s vital to think about what to do during and after attacks, not just about what is put in place before.
“We’re very good at protecting ourselves from someone coming in the front door,” said Cisco’s Scott. “What we haven’t necessarily been as good at is looking at what happens during an attack. How do we find it, isolate it and protect users as it’s unfolding? Assuming the attack was at all successful, we often don’t think about how we’re going to clean up afterward.”
“You want to feed the lessons learned back into your program to increase your capability of handling incidents in the future—faster and better,” Chudy said.
It’s important to reach out to others to build security capability, no matter how competent you are.
“The attackers are increasingly competent too,” said Cisco’s Scott. “Don’t be afraid to ask for ideas or help. That goes across the whole organization. It doesn’t just fall to the IT department.”
Chudy says too many businesses and organizations still look at security solely as an IT issue or simply as a negative cost.
“They’re waiting and hoping and praying that something doesn’t happen,” Chudy said. “It’s not a matter of if, but when. Often, organizations don’t even have the capability of identifying that something has happened. Sometimes it’s not until an organization is audited (for information security) that they discover they’ve been infected.”
Cisco’s Scott says it’s time that some get their heads out of the sand and deal with the security issues involving the cloud.
“You don’t run your business without email and you don’t run email without security,” he said. “This is how you communicate and operate. As you move to cloud, it’s the same thing. You’re not going to do business without it and you definitely shouldn’t do cloud without security. Be involved in the cloud discussion—don’t be afraid of it.”
Cisco was platinum sponsor of Tech Day, while gold sponsors included Microsoft and NetApp. Silver sponsors included Hitachi Data Systems, IBM, Kaspersky Lab (who also sponsored the return of the breakfast buffet’s bacon, a crowd favourite), Simplivity, Trend Micro and VMware. The event’s bronze-level sponsors were Polycom and ZEROSPAM. Additional sponsors of the event were AAA Security, Avnet, Citrix, Deloitte, EMC, Emerson, HPI, KEMP Technologies, Logitech, Manitoba Hydro Telecom, NetScout, Nimble, Noramco, Tegile and Veeam.
The next Epic Tech Day will be held in Fall 2016.