The Evolution of Security: A Critical Panel Discussion at AT&T’s The Summit

Recently, Fortinet held a critical panel discussion at The Summit, entitled “Winning the Security Battle for Your Enterprise Requires a New Approach.” Panelists included:

• Ken Xie, Fortinet’s CEO, Founder, and Chairman
• Phil Quade, Fortinet’s Chief Information Security Officer and the former Director of the Cyber Task Force at the National Security Agency
• Matt Paull, who serves as the Senior Director of Technology Management for Best Western Hotels and Resorts, with over 4,000 hotels worldwide.
• Michael Daniel (Moderator), President of the Cyber Threat Alliance

The panel focused on the challenges of digital transformation and how traditional network security is insufficient to the task of protecting and defending the virtualized and borderless enterprises of today and tomorrow, using Best Western and its member hotels as a highly relevant use case.  Here are some of the key takeaways from this panel:

Michael to Ken Xie: The world around us is changing, and the “traditional” ways of securing IT and networks just don’t easily apply to today’s new, distributed networks. You have talked before about the evolution of networks and security. What has changed and how do organizations need to think differently about security?

Ken Xie: The Internet has been using the same protocols and infrastructure for decades, which means that 95% of today’s data no longer fits with what the original Internet was designed for. At the same time, the volume of data has increased 40 times in the past decade, and much of that in just the last couple of years. This has created huge challenges with cybercrime.

To respond to more and more sophisticated threats, the security industry has evolved through several generations. The first generation of network security started 25 years ago and was about securing the connection.  Firewalls were used to control who and what could connect to the network, and was then combined with VPN to encrypt those connections.

The second evolution started 17 years ago when Fortinet was founded.  The rise of content and applications led to a need to secure inside the connection and secure the application and content via firewall policy that defined a permitted connection. Fortinet pioneered and led the second generation of network security. 

Mobility, IoT, and cloud computing are leading to a new, third generation of security. Data and applications travel between a variety of users and devices and span multiple borderless networks, making visibility and control more difficult. For example, we need to make sure that endpoints and IoT devices don’t become a way to inject malware into the cloud.

This latest generation requires us to secure all interconnected infrastructures simultaneously. It needs to include things like unified access control, secure access points, visibility into all devices, network segmentation, central management, and automated response to threats.

Michael to Phil Quade: You have a unique perspective because of your role in cyber at the NSA. How have security and threats changed? 

Phil: First, organizations are facing unprecedented levels of complexity, both in the IT systems they manage and the cyberthreats they face. This digital world operates in real time, is always on, and is globally distributed. At the same time, IT teams are trying to manage and configure a growing number of tools, devices, and applications distributed across highly distributed environments. This increasing complexity can cause a lot of security challenges, especially in creating lags between detection and mitigation that can sometimes last for months or years.

Simultaneously, cybercriminals are combining sophisticated techniques with a mature ecosystem that allows them to quickly penetrate networks and evade detection. 

Finally, adding to this complexity is the growth of laws and regulations designed to protect data and users. They routinely dictate controls such as network and endpoint security, access control, activity logging and monitoring, policy enforcement, and standardized reporting. With so many standards, it’s can be very difficult to build and maintain consistent security solutions, protocols, and policies.

Michael to Matt Paull: So, how is the hospitality industry being disrupted? Are you facing these same complexities? What sort of security challenges are you facing, and how is Best Western trying to solve these challenges?

Matt: Well, first off, Best Western is an international hotel company with thousands of hoteliers that we call “members.” Best Western is not a typical franchise but rather Best Western International is a non-profit funded by the members.  We have a Board of Members that serve these members, but unlike traditional franchise models where the parent company mandates all decisions, each Best Western member gets to vote on Ballots, this can make it difficult and a lengthy process  to make changes and enforce standards across properties.

To address this challenge we decided to establish universal security standards and the expectation of compliance, meaning that members that failed to comply could lose their affiliation if they do not remediate as outlined in the membership agreement. But the skill levels at each hotel can vary greatly. Some have their own IT staff and others are true mom-and-pop shops that manage everything on their own.

Michael to Matt Paull: So, how have you partnered with Fortinet and AT&T to begin solving challenges – what were you looking for in a solution and partnership?

Matt: Looking with the end goal in mind, like PCI compliance and meeting the objectives of the hoteliers, it made sense to back into the solution.  We reviewed numerous platforms and we thought the Fortinet platform was far and above the best and simplest platform, given the uniqueness of the security and ease of the interface. It’s fairly straightforward and easy to consume, especially with the training Fortinet provides.  And we also wanted a managed service, so we went the AT&T route to take the burden off the hoteliers so they can focus on their business. 

Michael to Ken: The cybersecurity skills gap keeps coming up. I know that Fortinet has been working hard to fill that gap. Tell me a little bit about that.

Ken: The cybersecurity skills shortage is real. We are working hard to fill that gap. We have a very successful FortiVets program, where we train military members who are cycling out of active duty to prepare them for a career in cybersecurity. And we have developed the Fortinet Network Security Expert certification program to train and validate security professionals. To date we have provided over 100,000 certifications, and have even made the first few levels of certification available online free of charge.

Michael to Ken: That’s wonderful, but that’s just part of the problem. What does this third generation of security look like, and how does it help mitigate the skills shortage?

Ken: The majority of data no longer stays inside company networks where it can be protected by edge firewalls. Instead, network security now needs to be broad, powerful, and automated, to protect data wherever it lives.

Securing the entire distributed infrastructure requires a Security Fabric built around interconnected security tools. This integrated fabric is able to span the entire network, from remote devices to the core and data center and out to the cloud, and dynamically adapt as network infrastructures adjust to meet changing data and workload needs. And it can do it at the speed of digital business.

Going forward, enhancing the fabric with automation and AI will enable it to serve as the framework for building Intent-Based Network Security, which must be self-provisioning, self-operating, self-learning, and self-correcting. This will enable the automation and coordination required by anticipating threats and responding before they can impact the network or its data.

Michael to Phil: How do you see the Security Fabric changing the way organizations secure their networks?

Phil: As organizations adopt cost-saving IT solutions like the cloud, or add smart devices to their network, they also put security visibility and control at risk. To ensure cybersecurity at speed and scale, organizations need to a security fabric that can span and adapt to the demands of a constantly evolving network through the use of automation and integration at the speeds organizations and consumers demand. This enables them to expand their businesses and embrace digital transformation.

To start, a fabric needs to be built around a neural network of interconnected devices that are designed to integrate, communicate, share information, and collaborate at speed and scale. It also needs to be informed by real-time global threat intelligence

It also needs to embrace automation so security can move beyond signatures to behavior-based analytics. Combining modeling and automation allows the network to predict risks, shorten the time between detection and response, and implement and integrate new approaches suited to an organization’s unique profile without human intervention. Finally, a fabric needs to be able to implement “auto-resiliency” to detect threats in cyber-relevant time, automatically isolate key assets, and dynamically map security to changing network infrastructures, whether local or in the cloud.

Michael to Matt: Do you feel like this vision makes sense for your organization?

Matt: Best Western wants to be an industry leader in next-gen hotels, but security was a challenge. We like the fabric approach, combined with AT&T’s managed services, because it can adapt to the different needs of our various hotelier members. We believe that we are setting an industry standard by implementing the Fortinet Security Fabric because the industry is changing and it needs security that can evolve with it.

Things like keyless entry, simplified reservations management, connected rewards programs, “frictionless” check-in and check-out without human contact, Internet access everywhere, and online connected amenities are the future of the business. We also want to integrate physical security, such as security cameras and wireless access points, with our IT solutions, which Fortinet can also do.

The value of the Fortinet Security Fabric is that it provides consistent management, tiered visibility, and full interoperability between all solutions. Best Western has begun implementing our security strategy through our partnership with AT&T. Our goal is to initially roll it out to 2,200 domestic hotels at a rate of 200 hotels per month, and to also begin upgrading our international properties beginning in 2018.