What’s preventing you from modernizing your organization?
We are in an aggressive lifecycle upgrade for sure. We're on 365 now and we've been in the middle of migrating the old, traditional storage locations, but similar to every company, you're straddling a hybrid environment. It's not necessarily just upgrading the systems. We have to start adopting really good architecture. The real issue is that we don't take architecture seriously. If we did, the way that threat actors are able to penetrate our environments wouldn't be an issue because we would really understand the architecture.
Roughly what percentage of attack attempts are on-prem vs in the cloud? And when you say architecture, is that on-prem architecture?
The majority percentage of attack attempts are on-prem. And in terms of architecture, it's both. We're talking about the threat environment holistically across multiple industries and for companies that are straddling both on-prem and cloud, you have to have an understanding of that architecture design for your traditional environments, the environment that you're going to, and then the environment in which you're straddling. Part of the issues that we've seen in most breaches over the past two to three months—especially around API connections—was because the architecture between those systems wasn't configured and tested to be as resilient as it could have been. We have to start thinking more dynamically about those.
The top 10 threats of Q2 ’21 have evolved, and as security professionals, we're trying to be progressive. We're trying to put processes and tools in place to address these threats as well as bring our people up to a skill level where they can move to cloud and pivot quickly to the new tools. But auditors are stuck in a rut checking for old-fashioned AV, etc. We have to teach them how the automation for periodic checks is supposed to work, for example, and that it doesn't mean we have to fill out a check sheet every week.
Recently we were dealing with a third-party pen tester who was pen testing our AWS sites. We run CloudFront in front of the AWS sites and we were trying to explain that what they were calling a vulnerability is the way CloudFront actually works. We had to actually get the third-party pen tester on the phone with AWS for them to believe it.
On another occasion I happened to witness two auditors argue over traditional AV and new forms of AV like CrowdStrike. They were going to give someone a finding for running a progressive tool.