‘A majority of cyberattacks occur at the Application layer’
The number of security incidents is growing at an alarming rate, for several reasons. Enterprises need to respond by improving security at the Application layer.
Security has suddenly become a big concern for enterprises. In fact, Gartner predicts enterprise spending on information security products and services in India is on pace to reach US$1.7 billion in 2018, an increase of 12.5 percent from 2017. In 2019, the market is forecast to total US$1.9 billion.
Mohan Veloo, Vice President-Technology, Asia Pacific, F5 Networks, attributes this to a shortage of security professionals, cheap devices with low security connecting to networks, buggy software and a lackadaisical approach to patching software. He worries that the number of security incidents will increase at an alarming rate as cheap devices like webcams flood the market. The key to strengthening security now lies at the application layer, he says.
DC: Are you seeing more demand for security solutions in the Indian market? What kind of solutions in particular?
Mohan Veloo: Security has become very prominent now. From a vendor point of view, India has become important for us. We have seen a huge spike in revenue. There is more awareness among our customers, whereas two years ago they would not have cared so much, and they were fine with just having a firewall with no other advanced measures.
They would be content with their network firewall as they perceived it to be enough for their security needs. Now, they are coming back to us and they are asking for advanced security solutions. Sales for our Web Application Firewalls have gone through the roof, especially in India.
DC: Web application security has become a very big thing. What do you think triggered it?
Mohan Veloo: Web Application Security has always been important. F5 has always championed web application security. The trigger I believe in India is directly related to the increased internet usage and mobility in India, as a result of which, our customers are seeing more threats and looking for more solutions in terms of security.
DC: Why is there a shortage of security professionals in India? And what needs to be done to address this?
Mohan Veloo: There is an acute shortage of security talent in India. A lot of companies that we talk to have just one person handling their security. These companies cannot afford to have a team of people. In India, it is common to see trained security professionals leaving to join other companies that offer higher salaries.
The universities and schools are not training people in security. How do you educate your internal people when it comes to security? And this education should start at the school level. Kids of today have access to, and have multiple accounts. There needs to be some form of simple curriculum — things like changing passwords regularly — to generate a sense of security from a very young age.
People need to practice security and digital hygiene. Digital hygiene is simple — keep changing your password, do not click on links, update your operating systems and be aware. More businesses are going digital these days, which means practicing digital hygiene is essential now, more than ever.
A lot of security professionals are network-centric; they spent time on network protection, blocking ports etc. They worked at the network layer, which is now very well protected. But the problem is happening at the Application layer.
DC: How do you protect the applications and the Application layer?
Mohan Veloo: The Application layer is a wide-open space. There are lots of ways to attack an application. An application can be attacked if the code is bad. These days anyone can be a coder. You can even build an application without coding knowledge. You can find instructions online.
To protect applications, one needs to understand the application architecture and not many people know that. It is only in the last few years that security vendors have started realizing that applications are attacked more often than the network layer. In fact, I would say, the majority of attacks are application layer attacks.
The reasons why these happen are bad coding practices and that they don’t patch software. Patching is a continuous exercise as vendors are always finding vulnerabilities in software, sometimes after an attack happens. For a lot of enterprises, doing this patching becomes an operational nightmare.
DC: Are you seeing attacks being launched from mobile devices? Which other devices are being compromised?
Mohan Veloo: One can launch an attack from a mobile phone. Security is being overlooked in cheap IP cameras. Recently in Singapore, there was a huge DDoS attack on one of the local telecom providers (StarHub). The attack was believed to have come from outside of the network, but what they found out was that the attack came from within their own network. The attack was initiated from a hacked web camera.
These cameras are actually compromised. These are what we call IoT attacks. These devices are not well protected and they are not hardened. Companies invest a lot to secure their network from attacks that come from outside their network. But what happens within their own network with devices such as phones, web cameras, etc.?
I think this will become a huge issue in India. India is becoming highly connected at an extremely fast rate, with cheap connectivity. Cheap devices will flood the market. So the incidences of attacks will increase.
People know that China is a place where most attacks are launched from, but within China it is like a war zone. There are a lot of internal attacks within Chinese companies.