BY Capgemini
This page was produced by FT2, the advertising department of the Financial Times. The news and editorial staff of the Financial Times had no role in its preparation.


IT trends spotted and checked by experts


Can Security-as-a-Service Fight Constantly Evolving Threats?

26 Jul, 2016 05:16 pm

As we stand in 2016, information technology security is still a problem. It's a big problem in fact. Could an emerging 'as-a-service' based approach to security be part of the solution?

For all the antivirus protection we have developed over the last several decades, the operational business issues and technical challenges thrown up by a constantly evolving landscape of malware, Trojans, phishing, social engineering, ransomware and more all present a problem for businesses in all verticals. Part of the root of this 'problem' stems from the ability malicious hackers have to create variants of their harmful code.

A comparatively 'simple' tweak in a piece of malicious software code can spawn a new piece of malware that detection engines have to treat as a completely new problem. These chunks of code are then exchanged across the interconnected back passageways of the so-called 'dark web' (that part of the Internet that is hidden from most search engines and users). At this point, the problem we face escalates even further.


What is truly problematic (frightening, might be a more appropriate term) is that black hat malicious hackers now offer their destructive code in a service-based delivery format. Anyone who wants to engineer an attack or mount an Advanced Persistent Threat (APT) can do so, if they have the money to pay for it. We are quite literally in an era of Cybercrime-as-a-Service (CaaS) where hackers even offer technical support to those who wish to mount an attack of one form or another. 

As we stand today, the challenge for our world economy is that we typically only really see security taken seriously by organisations in finance, gambling, medical, aviation and other 'mission critical' operations. In reality, all firms should consider themselves to be mission critical and take the same locked down approach. 
There's a logical equation building here i.e. we see Cybercrime-as-a-Service (CaaS) on the rise and we see that firms fail to protect themselves properly and very often don't detect breaches when they do occur -- looking outwards to a managed outsourcing specialist to provide Security-as-a-Service (SaaS) may be a rational route out of this predicament. 

Key features within SaaS platforms will include robust anti-virus protection, identity and access management controls, application testing intelligence and (at a more holistic level) the ability to execute operational diagnostics through a managed Security Operating Centre (SOC)-as-a-Service function.

The real difference in security today

With these SaaS-based tools, firms can put the tools in place to form a robust enough layer of protection for a generation (if not generations, plural) to come. Cybercrime is evolving every day and the existence of Bitcoin means that a frightening new wave of monetised ransomware is fast developing. Fighting malicious hackers with a proactive posture to protect from first principles is essential.

VIDEO: Enterprise level ransomware is on the rise
In a world where Bitcoin has become the currency of electronic cybercrime, how should firms regard the new threat landscape and what major trends are driving the behavioural model of the cybercriminals themselves?
Simon Edwards, cybersecurity architect at Trend Micro explains how enterprise level ransomware has evolved in the modern business landscape.

INTERVIEW: Andy Powell, VP for cyber security, Capgemini UK
In an ever shifting IT threat landscape, how can firms fight the rising tide of malicious intent that looms over their day-to-day operations?
Andy Powell, VP for cyber security at Capgemini UK, explains how the Security-as-a-Service model can apply to enterprise.

What is your first and most fundamental piece of advice to firms on primary security issues?

My first piece of advice to any firm is to adopt a proactive security posture. We find ourselves in a 'defensive spiral' as we try to fend off the threat of cyber attacks every day, so a proactive posture is essential if the business is going to move forward. What I mean by this is that the key to any successful business is being able to shape operations into the way a firm itself wants to operate -- as opposed to the way hackers would like to view the business.

Clearly, the process of digital transformation is one of the key drivers here for many organisations. We know that our clients want to operate in a digitally transformed environment, so we need to examine exactly how we can build in the right degree of robustness and resilience that will stop the bad guys exploiting an individual firm's architecture.

Perhaps firms should think of their headquarters as a stronghold of some sort that they need to fortify against cyber invaders?

Indeed. I'm a big fan of medieval history and I like to draw parallels with the way we used to build castles as our protective shells. Castles actually did rely simply on their tall outer walls, they were built with 'keeps' for a reason i.e. this was where we kept our most precious valuables. Castles were also built with small narrow staircases and rooms so that we could restrict and deal with any invaders.

Good architectural design is absolutely a precursor to creating any cyber safe operation. Medieval castle builders were way ahead of their time. Our networks are far too open today by comparison.

One of the reasons we are still encountering the bad guys inside our networks is that our networks were never built for robustness with enough strength to repel external threats. Furthermore, we have not focused enough on building structures to watch inside and outside our networks. The insider threat is pervasive and whether by blackmail, bribery or just poor practice, a majority of breaches are caused by the door being opened from the inside. Training and monitoring our people is critical.

How do you justify the Security-as-a-Service model that Capgemini provides?

When it comes to SaaS, there is one school of thought to say that nobody knows how to look after a firm's assets better than the owners themselves. There's another school of thought saying that no single firm can ever know enough about the threat landscape to look after itself competently. 

I am in fact an advocate of a hybrid approach in this case. Firms should own a degree of their own operational risk but also look to an external organisation to provide constantly updated threat intelligence. Assuming that the client itself is not a cybersecurity specialist in their own right, they can never have the core competency needed to provide fully robust protection. 

Capgemini has built its SaaS offering around three core functions: Identity and Access Management, Software Testing and Security Operating Centre (SOC)-as-a-Service. We are now bringing elements of these three capabilities to firms alongside a security-first approach to engineering.

How much of a risk is the Internet of Things (IoT) and do we need to reverse engineer security into existing devices?

We do indeed need to spend more time considering the impact that the Internet of Things (IoT) will have on security issues. All connected devices will have to have an IP address and from this they are then broadcasting their status across the web. What we need to ensure now is that we are not building legacy problems without security provisioning into our networks.

If every device has an IP node to allow it to communicate externally, then we need to accommodate for this into our security architecture planning. This will apply both in our factories with industrial sensors and inside our homes with connected televisions and so on.

Firms will need to focus on which devices are connected onto their operational and corporate networks and once we have that knowledge then we can focus the right protection in the right place. This may often require a bit of reverse engineering to find out which things are connected where so that we can apply the requisite levels of protection as the Internet of Things builds. We must think about segmenting our complex interconnected world into manageable and secure areas. We must also advocate and properly apply standards in the rapidly evolving IoT world.

So how do we get to the future?

The path towards a safer future and security-aware business operations is a tough one, but we can get there with the right level of strategic planning. Capgemini business modelers work to analyse a firm's existing operation and look for unstructured data and areas of weakness where security vulnerabilities exist.

As the business modelers work towards digital transformation goals with firms, they ensure that security is baked in from the start. The worry is that digital transformation processes might start out without security provisioning in place at ground zero. Even if this does occur, a rapid analysis of what is critical and where it is best secured can help.

This comes back again to Capgemini insisting upon a proactive stance towards the threats that exist in the fully security-aware digitally transformed business today. This is the way forward; this is the way to a safer cyber-secure future.

AT A GLANCE: Capgemini's cybersecurity protection

Capgemini's approach to cybersecurity sees the firm strategically position three key elements in a new programme initiated to encourage firms to 'control and secure' their own assets.

From asset management to testing to security centre diagnostics, the firm's solution showcase is demarcated and defined as follows:

Identity and Access Management -- Having a strong identity regime inside your network is key if you are going to successfully take a proactive approach to cybersecurity. This means putting the controls in place to ensure that information and other assets are only accessible to the staff members that need them. Management controls also need to be put in place to allow these identity controls to be changed when needed in a dynamic business environment.

Capgemini is forming new partnerships in this space to perform what it calls 'fast track' identity and access management services to bring these capabilities online rapidly. Capgemini uses templates that have been built and refined through working with thousands of clients globally. In this way, best practice can be applied quickly.

Software Testing -- The need to build software application level security testing at the initial architectural 'build' phase is of critical importance. Being able to constantly check for weaknesses in an application on an ongoing basis is crucial. Capgemini is working to build this type of capability into its standard approach to DevOps. 

Being able to evaluate weaknesses in source code on an ongoing basis is critical because no application stands still i.e. updates, patches, augmentations and enhancements are applied to heavily used software applications all the time. 

Being able to provide this type of source code analysis and testing on an ongoing basis is critical and being able to provide it as-a-Service means that threat analysis is constantly updated. This testing is focused initially on security testing, but the sister discipline of functionality testing is part of the total DevOps process which this service helps to facilitate.

Security Operating Centre (SOC)-as-a-Service -- Capgemini offers a SOC diagnostic capability that initially analyses what is best for the client so that initial planning can be executed. This helps to evaluate which elements of the total Security Operating Centre responsibility should be owned by the client itself and which elements Capgemini should offer. This allows Capgemini to effectively offer a SOC hybrid model. 

INFOGRAPHIC: Cyber-security costs, risks and means of protection
The notion of managed Software-as-a-Service (SaaS) gives firms the opportunity to concentrate on extending their core competencies while also operating their primary trading interests on the back of a more robust and resilient infrastructure. What are the costs and risks of cyber-security, and the market for SaaS protection?
