JC2 Ventures

View Original

The Legacy IT Security Problem

Volume 1 - Issue 7 ~ JANUARY 30, 2023

Happy New Year! It’s January 2023 and I am excited to share the next edition of the “CIO Two Cents” newsletter with you all. Read on for insights from me, Yvette Kanouff, Partner at JC2 Ventures, into what is on the mind of CIOs at this moment in time.

The JC2 Ventures team (John J. Chambers, Shannon Pina, John T. Chambers, me, and Pankaj Patel)

Cybersecurity remains a top risk for businesses in 2023.

We lose sleep over the worry we’ll be the target of tomorrow’s ransomware attack that risks damage to customer data, confidential information, brand reputation, and more. So, we diligently search through seemingly never-ending lists of new innovations and best practices to enhance our arsenal of cybersecurity countermeasures and ensure proper compliance and risk management. We implement endpoint protection, security information and event management (SIEMs), security orchestration, automation, and response (SOARs) – yet none of these actions help to make us feel much better about our ability to withstand the next cyberattack… the threats are changing every single day, and we are all worried about existing threats, as well as the next zero day attack. At the same time, CIOs are barraged with a constant need for run-the-business work that needs to be prioritized.


“I am looking at startup innovations that address host protections and application Intent. This comes at security a very different way, looking at the integrity of the implementation of files, memory, and more. If the application’s intent is broken, then we can take business rule steps such as stopping the application, traffic, alarming, allow-listing, etc.”

- Yvette Kanouff


One thing that is of particular concern to me is the patching problem for legacy systems. The easy thing to say is ‘just move to cloud’. I am guilty of saying this all the time. Any CIO with significant legacy systems will tell you this is easier said than done, given the complexity of transitioning some of these large, integrated systems to a modern solution. Many industries, like government, banking, and financial institutions, still rely on legacy systems despite the many promises and security benefits of the cloud.

So, what do we do in the interim, until we complete our modernization? This problem is especially difficult when CIOs are faced with end-of-support notices, constant patching, lack of in-depth telemetry and more.

Endpoint protection and response (EDR) continues to be critical to businesses. As we all know, EDR platforms protect us by finding known threats that come in through the endpoint, investigating potential threats with tools such as anomaly detection, behavioral analytics, and responding with the help of threat intelligence and data analytics. An EDR deletes malware, stops attacks, isolates systems, and many other things to help stop an attack at the endpoint instead of letting it penetrate further. There are some great EDRs in the industry – I’m sure you all have your favorite.

Then there is Extended Detection and Response (XDR), which helps unify our individual security tools beyond the endpoint (e.g., Cloud, network, SIEM, external data) to deliver even more detection and telemetry. AI is used in many EDR and XDR solutions these days. XDRs in particular are a nice addition to our industry because we get “one pane of glass” for telemetry analysis and response. If we want more, there are MDRs, where we can have a managed detection and response environment (i.e., monitoring, detection, and response as a service).

Even with great EDR vendors like Crowdstrike, TrendMicro, SentinelOne, Microsoft, and more, plus SIEM vendors like Microsoft, IBM, Splunk, Securonix, Exabeam, and others, one thing I find missing is great solutions to the legacy problem I mentioned earlier. How do I protect what’s not in the cloud? Many companies need to protect legacy workloads.

Organizations should demand a deeper layer of protection for workloads to manage application dependencies and components during runtime to maintain provenance, integrity, as well as authorization to protect against known and unknown zero-day vulnerabilities. It’s the unknown (i.e., tomorrow’s zero-day exploit) that I’m interested in, and I want that protection with zero dwell time (i.e., the time in which an attacker has free reign once they manage to penetrate a system). Most of us measure the days between security patch availability and update installation. This vulnerable time gives hackers an opening to attack. What’s more, many legacy systems no longer receive patches for security vulnerabilities – a cause for even more concern. These scenarios help explain why we must take a proactive approach to thwarting the cyberattack of tomorrow, regardless of the age of our digital infrastructure, and we must focus on bring the unprotected dwell time down to milliseconds instead of days.

Consequently, I am looking at startup innovations that address host protections and application Intent. This comes at security a very different way, looking at the integrity of the implementation of files, memory, and more. If the application’s intent is broken, then we can take business rule steps such as stopping the application, traffic, alarming, allow-listing, etc.

This is how Virsec, a JC2 Ventures investment, protects workloads, which is a really neat way of creating customized security. They run Breach and Attack Simulators (BAS) to try to infiltrate a workload itself, looking at workload design and purpose from the developer – if the developer’s intent is broken, then it’s something potentially malicious. With some legacy systems that can no longer (or simply don’t) get patched, workload protection becomes immensely important. There are 560K new malware detected daily, Virsec’s testing has shown that they stopped attacks at double the rate of EDRs (high 90% vs. mid 40%) with close to zero dwell time. The company targets modern workloads, but at the same time, it happens to offer a fabulous solution for our legacy system problem. Since there are few options available in this space, at least we have a solution that helps us with the “can’t-patch” issue until we can migrate our servers and applications to the cloud or otherwise.

There are not a lot of other solutions specific to legacy systems. There are certainly firewalls and upstream products, but I think focusing on the legacy server attack surface is something we cannot ignore. In the modern cloud space, we have application security solutions, but that doesn’t help our aging on-prem systems. Digitizing is always a goal, but we still have to manage the older platforms until then.


Moving fast? I've got you covered:

(1)

  • Cybersecurity remains a top risk for businesses in 2023. Of particular concern to me is the patching problem for legacy systems. One solution is endpoint protection and response (EDR). EDR platforms protect us with tools such as anomaly detection, behavioral analytics, and responding with the help of threat intelligence and data analytics.

(2)

  • Another solution is Extended Detection and Response (XDR), which helps unify our individual security tools beyond the endpoint to deliver even more detection and telemetry. If CIOs want even more protection, there are MDRs, where we can have a managed detection and response environment (i.e., monitoring, detection, and response as a service).

(3)

  • I am also looking at startup innovations, such as those from Virsec, that address host protections and Application Intent connections. This approach comes at cybersecurity from a very different angle, looking at the integrity of the implementation of files, memory, and more. 


Image of the Moment

HealthDay News reported a ransomware attack in October that significantly disrupted care at one of the country's largest hospital chains. In January 2023, another HealthDay News article reported that since 2016, ransomware attacks have doubled in U.S. hospitals, which many times house on-prem IT systems.

Your thoughts on the legacy IT security problem at the moment:

See this form in the original post

More CIO insights to come! Until next time
Yours truly,
Yvette Kanouff