25 Oct 5G: fight fire with facts
Rik Ferguson, Vice President Security Intelligence, Forescout, looks at the impact the emerging 5G technology will have on the future of threats, and at how to plan security for tomorrow
The professional life of a security practitioner is a fast-paced one. It means constantly responding to the shifting tactics of the adversary, understanding and securing new infrastructure implementations and delivery platforms, and both facilitating and, yes, mitigating changes in user behaviour over time. All too often the enterprise still thinks of the security function as a bolt-on. The business is structured, the architecture implemented, and the employees are hired. The fires are started and then someone calls the security team: “Secure this.”
‘Firefighting’ has for many years been the default operational mode of an information security department. We are running to stand still. Securing infrastructure as it is implemented, responding to breaches after they happen, patching vulnerabilities once the exploit is already in the wild, auditing inventory already in use: this is barely workable now, so what of the enterprise of the future?
The single biggest infrastructure change of the next five to ten years is one that is still in the early stages of adoption right now: 5G. 5G is a new global communications standard designed to bring together everyone and everything, including people, machines, objects, and services. 5G promises a wealth of benefits: much greater bandwidth, and faster connectivity with lower latency over a wider geographic area to many more devices.
What 5G offers is a scaled-up infrastructure that will drive change in many areas. 3G drove the advance of the smartphone, and 4G the streaming services that are steadily replacing conventional media. This time, 5G, with its low latency, high reliability, high mobility, high throughput and very high device density, has caught the attention of more ‘traditional’ industries. These features enable asset tracking, connection of hard-to-reach equipment, operational intelligence (through real-time asset condition and maintenance tracking), truly representative digital twin infrastructure, autonomous mobile robots (AMR), cobots, and Augmented Reality (AR) enablement. Enterprises will not be faced with a simple choice of lease or build for private 5G; just as with cloud, hybrid models will be widely adopted. We will be connecting not only the traditional fixed internet and today’s mobile internet, but also every sensor and actuator, every vehicle, traffic management system, smart city, smart home and factory on the planet. 5G will be the foundation of a truly immersive interconnected experience.
Of course, one inevitable outcome of this is continued exponential growth in data generation. Consider that 2.5 million terabytes of data were generated every day in 2021 and extrapolate from there. From a security perspective, therein lies the real challenge.
Our future business will rely on the scale and speed of Artificial Intelligence (AI) and Machine Learning (ML) to cope with these mountains of data, and the Security Operations Centre (SOC) will be no exception. Integration of ML into the SOC of the future is critical for several reasons, related not only to the volumes of data but also to the cyber skills gap. We need to leverage the power of ML to collect and correlate data from across the enterprise, carry out triage of generated events, forensic investigation and evidence capture, and, yes, even mitigation, surfacing only those urgent or high-priority events to decision makers.
A greater volume of traffic, a greater number of endpoints (many with no user interface at all) and an ongoing explosion of data means that not only do we have more to secure, but more to secure it from. This is already driving a huge shift in the way we do business, accelerating the adoption of IPv6 (to accommodate all these new devices), Software Defined Networks, big data and cloud services to store and process the volume of data. Additionally, AI and Network Function Virtualisation will provide scale and speed of response with an ability to integrate security functions at carrier level, rather than relying solely on an ability to enforce at every endpoint in this new interconnected world.
The risks of 5G
This rapid diasporization of the enterprise infrastructure leaves practitioners with a significant number of areas for which security must be reconsidered. These include the adoption of volatile and software-defined architectures; new subscriber and authentication types for Identity and Access Management (IAM) in Machine to Machine (M2M) and Massive Internet of Things (MIoT) environments; and increasingly non-data-centre-centric usage patterns. They also include an exponentially greater attack surface (more data, more services, more devices), migration of intelligence to the network edge, and challenges in the security of the 5G core network such as encryption, device update management, continuous device integrity monitoring, in-network attacks, low visibility and limited mitigations.
The software-driven models of 5G mean higher exposure to risks in the underlying software stack (protocols, operating systems, hypervisors, apps, containers, APIs, VNFs, shared software libraries), and new opportunities for lateral movement and exploitation (from a VNF to an app, for example). Adoption of a new protocol stack in 5G built on more familiar software architectures than previously (EAP, IPSec, TLS, OAuth and more) will shorten the vulnerability-to-exploit window, and the integration of cloud services further broadens the attack surface.
Firefighting as a means of maintaining a secure enterprise is not a workable model for the future, or even the present. No one can deny that even if your firefighting is of the highest calibre, you will systematically end up with fewer trees to burn in the long run.
Security planning for the future
There are five critical areas of focus for security planning when facing up to the rapidly approaching tomorrow:
- You cannot secure what you cannot see. Visibility is fundamental to effective security. What is connecting to your network, wherever that network is: enterprise, remote, cloud or mobile? Audit assets, access, and privileges on a continuous basis.
- Risk should also be continuously assessed; effective security cannot rely on periodic snapshots of compliance.
- Timely and accurate security decisions rely on rich context. An event considered in isolation might appear entirely benign but can take on an entirely different cast when considered in the context of all other available related data.
- A security policy without an enforcement capability is no more than a wish list, but enforcement of policies, mitigations and responses must be policy-based, dynamic, real-time and continuous. As soon as the risk level of an asset falls outside of an acceptable range, responses and mitigations should be automated and orchestrated.
- Eliminate trust entirely from security decision-making.
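Taken together, the five points above describe one loop: inventory every asset, score its risk continuously using context rather than isolated events, decide by policy, enforce automatically when the score leaves the acceptable range, and exempt nothing from evaluation. The following is an added illustration of that loop in Python; it is not code from the article or from Forescout. The asset attributes, event types, weights and thresholds are hypothetical policy choices, and the sample assets and events are constructed for the example.

```python
"""Added example: a minimal continuous risk-assessment and policy-enforcement loop.

Not from the original article. Asset attributes, event kinds, weights and
thresholds are hypothetical; the sample fleet and events are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Asset:
    asset_id: str
    kind: str                  # "sensor", "plc", "laptop", ... (inventory)
    has_ui: bool               # headless devices never log in interactively
    integrity_attested: bool   # device integrity check passed this cycle
    firmware_current: bool     # update management status
    privileges: str            # "read", "operate" or "admin"


@dataclass(frozen=True)
class Event:
    asset_id: str
    kind: str                  # "interactive_login", "new_outbound_peer", "config_change"


# Illustrative policy thresholds (hypothetical): scores above ACCEPTABLE_MAX
# leave the acceptable range and trigger an automated response.
ACCEPTABLE_MAX = 39
RESTRICT_MAX = 69


def risk_score(asset: Asset, events: List[Event]) -> int:
    """Score one asset from its own state plus the events related to it.

    The same event can be benign or alarming depending on context: an
    interactive login on a laptop is normal, on a headless sensor it is not.
    """
    score = 0
    # Asset state (continuous audit of integrity, patch level and privilege).
    if not asset.integrity_attested:
        score += 30
    if not asset.firmware_current:
        score += 20
    if asset.privileges == "admin":
        score += 10
    # Related events, weighted by the asset's context.
    for ev in events:
        if ev.asset_id != asset.asset_id:
            continue
        if ev.kind == "interactive_login":
            score += 0 if asset.has_ui else 40
        elif ev.kind == "new_outbound_peer":
            score += 15
        elif ev.kind == "config_change":
            # A config change by a non-admin asset is more suspicious.
            score += 10 if asset.privileges == "admin" else 25
    return score


def decide(score: int) -> str:
    """Map a risk score to a policy action."""
    if score <= ACCEPTABLE_MAX:
        return "allow"
    if score <= RESTRICT_MAX:
        return "restrict"
    return "quarantine"


def evaluate(assets: List[Asset], events: List[Event]) -> Dict[str, str]:
    """One evaluation cycle: every asset is re-scored, none is trusted by default.

    Returns the action to orchestrate per asset; an enforcement layer would
    consume this (segment change, credential revocation, ticket) each cycle.
    """
    return {a.asset_id: decide(risk_score(a, events)) for a in assets}


# Constructed sample fleet and events (hypothetical identifiers).
ASSETS = [
    Asset("sensor-17", "sensor", has_ui=False, integrity_attested=True,
          firmware_current=False, privileges="read"),
    Asset("laptop-42", "laptop", has_ui=True, integrity_attested=True,
          firmware_current=True, privileges="admin"),
    Asset("plc-03", "plc", has_ui=False, integrity_attested=False,
          firmware_current=True, privileges="operate"),
]
EVENTS = [
    Event("sensor-17", "interactive_login"),   # anomalous: headless device
    Event("laptop-42", "interactive_login"),   # normal: user device
    Event("plc-03", "config_change"),
    Event("plc-03", "new_outbound_peer"),
]

if __name__ == "__main__":
    for asset_id, action in evaluate(ASSETS, EVENTS).items():
        print(f"{asset_id}: {action}")
```

The identical `interactive_login` event leaves the laptop at `allow` but pushes the headless sensor to `restrict`, which is the point about context made above; the PLC combines a failed integrity attestation with two events and crosses into `quarantine`. Because `evaluate` recomputes every asset each cycle from current state and events, there is no standing allowlist for any asset to inherit trust from.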