Archive for category IT security info
Big data has lots of potential to make our decisions more efficient and effective. But like any powerful substance, too much in the wrong hands can have disastrous consequences.
Your credit card number has been stolen; the bank sees a suspicious transaction, informs you, and issues you a new card. No big deal.
Your personal health information is stolen, and a criminal group has been making fraudulent claims against your insurance. You are possibly embarrassed by some of the information the thieves know about you, but the insurance company takes responsibility for the claims. Maybe a big deal, but you get over it.
What’s coming next could be much, much worse.
Data about you is everywhere, and companies are actively collecting it. Every device, app, web service, search query, and online transaction. Your friends and business associates, travel plans, photographs, and online cloud storage. Your thermostat, power consumption, and GPS locations. For the most part, companies collecting this data have privacy controls and safeguards in place, and you have agreements with them covering how they can and cannot use the information. But what happens if one of these large databases is breached and data is stolen?
From a personal perspective, it would be a big invasion of privacy, but too many people have the attitude that since they are not doing anything wrong (and are sharing lots of this info on social media anyway), it is not a serious issue. A consequence of this attitude is that many of the companies making the apps, devices, and services that are collecting your data are not taking a strong enough approach to security.
So what? Well, let’s look at some possibilities — not for you personally, but for the organization you work for. Analyzing travel patterns of company employees could help competitors identify your next acquisition or customers that are ripe for stealing. Combing through search queries and department purchases could point to your next big strategic move.
What if the data breach was at your company? Are you collecting and storing personally identifiable information that could be damaging if stolen or released? So far, companies that have been breached have not suffered consequences serious enough to put them out of business. What if your data could be used to identify people who are cheating on their partners, have a socially sensitive medical condition, or have bought embarrassing things? Could the resulting backlash and lost business actually bankrupt your company?
Going forward, we need to take a more active role protecting ourselves and our companies’ data. Be very selective about what devices, apps, services, and companies you use. Pay close attention to what that service or device is able to track and store. Once data is out of your or your company’s hands, it is much easier for a malicious entity to steal and make use of this information. At the same time, take a serious look at what your company is storing.
Josh Thurston is a security strategist in the Intel Security Office of the CTO. In this role, Thurston drives business growth and defines the Intel Security go-to-market strategy for the Americas, creating and communicating innovative solutions for today’s complex …
The Necurs botnet associated with Dridex and Locky is back after a three-week hiatus.
A botnet associated with the huge volumes of Dridex and Locky-laden emails in recent months has resumed operations after mysteriously going dark for three weeks.
Researchers from multiple firms report seeing a sharp increase in malicious traffic originating from the Necurs botnet, after a significant drop-off beginning May 31.
AppRiver security analyst Jonathan French spotted the botnet back in action on June 21 in the form of a massive Locky email campaign. From an average of between three million and 10 million emails with malicious attachments per day since the beginning of June, the number suddenly shot up to 80 million malicious emails on June 21, and 160 million on June 22, French said.
“It looks like Necurs is coming back and ramping up,” he said in a blog post this week. “Whether or not this is a temporary spike or a return to pre-June 1 ‘normalcy’ is too early to tell.”
French told Dark Reading that it remains unclear why Necurs apparently went offline for some time and then came back up again just as abruptly. “This is the question everyone is asking now. While it’s pretty apparent the botnet wasn’t taken down, no one is entirely sure why it went offline for three weeks,” he says.
One possibility is that the operators of the botnet encountered technical issues and were busy trying to fix them, or that they were adding new functionality, he says. But a three-week hiatus seems too long to fully account for either possibility. “With how large the botnet is and how successful it’s been, it seems odd any issue they ran across would have taken three weeks to overcome,” he says.
Another possibility is that the botnet has changed hands and is now under the control of a new set of operators, French says.
Regardless, the reactivation of Necurs is bad news, notes Kevin Epstein, vice president of the threat operations center at Proofpoint, which also reported seeing a sharp spike in malicious traffic from the botnet. Proofpoint put Necurs-related traffic over the last two days at about 10% of the volume seen prior to June 1. Still, the campaign remains very large and dangerous, the company says.
“The Necurs botnet reactivation is significant,” Epstein says. “It is the sending infrastructure for the massive, global malicious email campaigns distributing Dridex banking Trojan and Locky ransomware.”
Like French, Epstein is at a loss to explain the sudden lull in activity earlier this month. But he, too, speculates that the botnet operators might have run into issues with their command and control infrastructure.
In similar cases, such as the temporary cessation last August of the Dridex botnet and its spread of the Nuclear exploit kit, the disruptions stemmed from law enforcement actions, he says. But nothing so far indicates the same is true of Necurs. He conjectures that the botnet has resumed operations simply because of the money to be made in distributing ransomware.
“The Locky ransomware and Dridex banking Trojan are too lucrative for the threat actors behind them to stay quiet for long,” he says.
According to Proofpoint, the Locky sample coming via the newly revived Necurs botnet is more sophisticated than previous versions and includes new evasion and anti-sandbox techniques that make it much harder to detect and stop.
MalwareTech, an outfit that operates a botnet tracker, described Necurs as comprising seven smaller botnets, with a total of around 1.7 million infected systems. All seven went offline around the same time on May 31, stayed offline for the same length of time, and revived at the same time. That suggests the same organization is in charge of all seven botnets, MalwareTech noted.
- Here Are 4 Vulnerabilities Ransomware Attacks Are Exploiting Now
- Hacker 2016 To-Do List: Botnet All The Things!
- How To Lock Down So Ransomware Doesn’t Lock You Out
- A Brief History Of Ransomware
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …
By adopting new ways of thinking about security, improving the capabilities of existing systems, and integrating key innovations, enterprises will be well on their way to better security.
In blog 1 of our series, we examined three realities that are driving enterprises to embrace an adaptive approach to security — an idea coined by Gartner and explained in the report, Designing an Adaptive Security Architecture for Protection From Advanced Attacks.
Pardon the cliché, but as my mother was fond of saying, “An ounce of prevention is worth a pound of cure.” As someone who believes in a proactive approach to good health, I believe that this ounce of prevention applies to other areas of life as well, but sometimes we have to think beyond just prevention.
In the security world, some believe that it’s a given that the bad guys will get in, so let’s stop worrying about prevention. That’s like saying that you believe it’s inevitable that you’ll contract a serious disease, so you just work on treating the illness when it takes hold and not bother to work on preventing it in the first place or not monitor yourself along the way. I tend to disagree with this perspective. In this blog post, we’ll take a look at how some security professionals think, and why they need to change their mindset in some key areas and embrace an adaptive approach to security to mature their defenses.
“Blocking and Prevention Solutions Will Keep All the Bad Guys Out.” I’m a big advocate of good nutrition, regular exercise, and sufficient rest. But even if you take these basic preventative measures, life can still throw you a curve ball. You may catch a rare disease while vacationing on an exotic island or injure yourself while participating in a triathlon. In much the same way, enterprise security teams believe that investing heavily in blocking and prevention solutions is a surefire way to keep bad actors out. However, the problem is that today’s well-funded and technologically advanced bad guys churn out complex and sophisticated attacks faster than most security vendors can release products to stop them. Ten years ago, we saw approximately 25 instances of malicious code at my organization. Today, that number is just under 500,000.
While preventative controls are important against opportunistic attacks, most of today’s most destructive threats are low-and-slow targeted attacks that can circumvent traditional signature-based defenses such as antivirus technology. Basic prevention alone is not enough. This is something that enterprise security organizations need to accept. The fact is, no matter how much enterprises spend on blocking and prevention solutions, they can never keep 100% of threats at bay. Some are always bound to get past current defenses.
“There’s Nothing We Can Do Once the Bad Guys Are In.” In the security world, it’s true that some malware or creative hacking will make it past enterprise defenses. So what do you do? When it comes to your health, you make sure you get regular checkups and see the doctor when you experience symptoms instead of letting things get worse. In enterprise security, the next mindset change that needs to occur is to realize that detection and response are as important as blocking/prevention technologies. Without effective support for these processes, attacks will have longer dwell times, leading to more serious damage. Clearly, enterprises are beginning to move in the direction of continual detection, monitoring, and response. Gartner estimates that by 2020, enterprise security teams will allot 60% of their budgets to rapid detection and response solutions — up from less than 10% in 2014.
“Our Security Products Don’t Have to Communicate.” As enterprises struggle to protect themselves against the next new attack, they are drawn to the promise of the latest shiny silver-bullet product. In health, as in security, there’s no magic cure-all. All too often, the silver-bullet approach results in a mash-up of siloed solutions that can’t communicate with each other. But this best-of-breed approach can still succeed by designing in data integration and process and policy orchestration.
Here’s a health-related comparison. HIPAA (Health Insurance Portability and Accountability Act) sets standards for health information privacy, security, and communications format in an effort to enable electronic exchange of patient data. Now specialists and other practitioners can easily share and analyze medical records without any manual effort and come up with an effective course of treatment faster.
The premise behind an adaptive security infrastructure is much the same. If the technologies are connected and enabled to exchange insightful threat information and context, security teams and processes will be more effective both in the short term and long term. So if you allow me to slip in a different analogy, it isn’t just a silver bullet, but rather a bunch of bullets — and what we’re really trying to do is make them fit in the same gun.
“Incident Response Only Needs to Happen on an As-Needed Basis.” Getting back to health again, what happens if you have a car accident or suffer a severe injury? These types of incidents require immediate attention and response. In our everyday lives, we make the assumption that incidents like these may happen, so we create a proactive continuous response process. We visit the doctor for annual physicals, get the right tests, and see specialists if we develop a condition. And, yes, occasionally we might end up in the emergency room.
Many enterprises have an “emergency response” consciousness. They look at incident response as something that happens only when a security event is discovered. A bad actor introduces malware or compromises a corporate asset, a security team is pulled together to investigate and remediate, and then everything goes back to normal. Today, this ad hoc approach is not an option. The new normal is the continual risk of compromise, which demands continuous response. Finding the bad guys and stopping them from doing further damage must become an ongoing endeavor with formal plans and optimized processes that feed learnings back in to improve policies, processes, and technologies. This feedback loop is the key to adaptive security.
Get On The Adaptive Security Bandwagon
“If you can change your mind, you can change your life,” said William James, the father of American psychology. This certainly rings true in the realm of security. By adopting new ways of thinking about security, improving the capabilities of existing systems, and integrating key innovations, enterprises will be well on their way to better security.
Stay tuned for blog 3 of this series, which will address the specifics of what it takes to create an intelligence-driven security operations center (SOC).
To learn more about Gartner’s research in this space and approaches for implementing adaptive security, view this webinar featuring Neil Macdonald from Gartner and me as we talk about the Adaptive Security Architecture concept.
Brett Kelsey is the VP and Chief Technology Officer for the Americas for Intel Security. In this role, he has leveraged his business and practice development, technical expertise, and innovative thought leadership to evangelize Intel Security’s go-to-market strategy across …
New ‘attraction and curiosity’ for infosec at the Intelligent Buildings Conference this week.
A glance at the schedule for this week’s IB Con conference in Silicon Valley on “intelligent buildings” makes it clear that the building industry knows cybersecurity is a topic they must address.
According to Idan Udi Edry of Nation-E, who appeared as a panelist at IB Con, the industry has evolved past a dutiful attitude towards cybersecurity, and instead displayed “an attraction and curiosity” for the topic.
“This year there was a change,” Edry says.
The “smart” building industry, which connects operational technology (OT) like HVAC systems, elevators, surveillance, lighting, water, and the candy bar machine to information technology, is growing faster than either IT or OT pros can keep up with.
According to Navigant Research, total global revenue from the commercial building automation industry is already $70 billion, and will increase to $101 billion over the next five years. The growth is expected to be particularly great in the Asia-Pacific region, where demand for smart building technology is accelerating due to programs like the Indian government’s $15 billion “Smart Cities India” program.
One of the key components of many smart buildings is the Building Management System (BMS), which may integrate facility access controls, surveillance, HVAC, lighting, power, elevators, fire safety, etc.
Nevertheless, if a cyberattacker zeroes in on a BMS, “The target is not necessarily the building,” says Edry.
A BMS wouldn’t necessarily need to interact with the CRM system the sportswear company is running on the 15th floor, or the e-ticketing system the entertainment company is running on the 30th floor. However, if a denial-of-service attack on the BMS managed to take out power for the entire building, it would cause a very bad day for every business in that building. And that’s just the beginning.
Edry’s bigger concern is that OT and IT teams don’t work together or spend enough time thinking about each other.
Despite all the advancements in IT, for example, “OT still hasn’t changed,” he says. “Whether you bought your generator today or 10 years ago” (or longer) “the communication protocols are the same.” Everything still has a serial port, Edry says, and that creates a vulnerability IT professionals might not think about.
It doesn’t matter how much you invest in securing your IT, Edry says. If you don’t also take into account the OT, you’re missing something, and leaving yourself vulnerable.
So step one to a smart building cybersecurity strategy? Edry’s advice: map all the building’s assets, both IT and OT alike, in one place.
“There is always going to be a conflict between the IT and the engineering” departments. The direction must come from the top.
Edry says that this is beginning to happen. Because regulations and cyber insurance policies are now mandating certain protections on “critical assets” — including cyber-physical systems in smart buildings — OT engineers are now talking to their boards of directors about cybersecurity.
“Real change,” says Edry. “The strategy has changed.”
Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad …
SEC files case in US court, alleges offender cost victims $289,000 through illegal trades.
The US Securities and Exchange Commission (SEC) has filed a case in a US District Court against a UK national, accusing him of hacking into the accounts of US investors and carrying out fraudulent trades, reports Reuters. The SEC alleges that Idris Dayo Mustapha made a profit of at least $68,000 while costing his victims around $289,000 through these illegal transactions in April and May.
Mustapha, who has been charged with securities fraud, hacked into the investors’ online brokerage accounts and traded more than $5 million worth of stocks — transferring profits into his account, says the SEC.
“We will swiftly track down hackers who prey on investors as we allege Mustapha did, no matter where they are operating from and no matter how sophisticated their technology,” says Robert Cohen of SEC.
The court has ordered a freeze of the defendant’s assets.
Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.
PunkeyPOS captures keystrokes and bank card magnetic-stripe data and has breached around 200 POS terminals in the US, says report.
PandaLabs this week published details of a new variant of point-of-sale (POS) malware called PunkeyPOS that attacks POS terminals and steals the card details of customers. The researchers investigated the malware while studying POS attack-related activity in US restaurants.
PunkeyPOS has a two-fold function: it installs a keylogger that captures card data typed into the terminal, and a RAM scraper that reads the magnetic-stripe track data of bank cards from the POS application’s memory. The information collected from infected terminals is encrypted and forwarded to a command-and-control (C2) server run by the intruders, who can later sell it on the black market.
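The RAM-scraping half of that two-fold function works because a POS application holds the swiped card’s track data in cleartext in memory for a moment between the reader and the payment processor. The same pattern match a scraper uses is also what a defender runs over a process memory dump to confirm that card data is exposed. The following is an added example, written for this page and not PunkeyPOS’s own code or anything published by PandaLabs: it scans a constructed byte buffer (standing in for a memory snapshot) for ISO/IEC 7813 Track 2 records, filters them with the Luhn check to drop random digit runs, and reports only masked PANs so the scan output itself is not a card-data leak. The function names and the sample buffer are the example’s own assumptions.

```python
"""Scan a memory-like buffer for magnetic-stripe Track 2 records.

Added example for this page; not PunkeyPOS or PandaLabs code.
"""
import re

# Track 2 as it sits in a POS process's memory (ISO/IEC 7813):
#   ;<PAN, 13-19 digits>=<YYMM expiry><3-digit service code><discretionary>?
# The ';' start sentinel, '=' separator and '?' end sentinel are what RAM
# scrapers key on. Bytes pattern, so \d only matches ASCII digits.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check. Real PANs pass it; most random digit runs do not,
    so it cuts false positives when scanning arbitrary memory."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the 6-digit BIN and last 4 (what PCI DSS allows to be shown)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(buf: bytes):
    """Return (offset, masked PAN, expiry YYMM) for each Luhn-valid Track 2
    record found in buf. The full PAN is never returned or logged."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode("ascii")
        if not luhn_ok(pan):
            continue            # digit run with the right shape but not a card
        hits.append((m.start(), mask_pan(pan), m.group(2).decode("ascii")))
    return hits


# Constructed memory snapshot for the example: two well-known test PANs that
# pass Luhn, one digit run that does not, plus unrelated application data.
SAMPLE_MEMORY = (
    b"\x00\x00POSAPP v2.1\x00receipt=00042\x00"
    b";4111111111111111=25121011234567890?\x00"     # Luhn-valid test PAN
    b"SELECT * FROM items WHERE id=12\x00"
    b";1234567890123456=2512101000000000?\x00"      # fails Luhn: noise
    b"\xff\xfe;5555555555554444=27031019876543210?\x00"
)


if __name__ == "__main__":
    for offset, masked, expiry in find_track2(SAMPLE_MEMORY):
        print(f"offset 0x{offset:06x}: PAN {masked} exp {expiry[2:]}/{expiry[:2]}")
```

Pointing `find_track2` at a real dump means reading the POS process’s memory (for example via `/proc/<pid>/mem` or a debugger) and passing the bytes in; on a terminal whose processor integration is working as intended, the hits show exactly which process and which window of time expose cleartext track data, which is what a scraper like this one feeds on.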
PandaLabs was able to access the malware’s control panel and found that it has infected some 200 POS terminals in the US.
PandaLabs says it has forwarded its findings to US authorities.
Pays ransom to save $2 million worth of information, warns others of the dangers.
Dave Winston had heard stories about people who had to pay money to get access to hijacked computer files, but like many everyday computer users going about their business, he didn’t put much credence in the rumors. He wasn’t familiar with the term ransomware and he didn’t know what a Bitcoin was. All that changed for the NASCAR Sprint Cup crew chief one day this spring when all of the files he depended on to tweak his team’s valuable race car specs were encrypted by cybercriminals.
Winston and his colleagues at Circle Sport-Leavine Family Racing are coming forward today to talk about their very personal experience with TeslaCrypt ransomware back in April, to warn others of the reality of ransomware so that fewer businesses and computer users in their position have to learn the hard way.
“We learned first-hand that it’s a fact and it happens,” Winston says. “So that’s what we’re hoping to be able to do is to spread the word and the knowledge, and have people understand that this is something that’s going to happen more and more and you have to protect yourself.”
Circle Sport-Leavine Family Racing is a close-knit team with a small IT footprint of only about 10 computers. Prior to the ransomware attack, nobody on the team was especially savvy about backing up files or choosy about anti-malware packages. Each user was pretty much responsible for using whatever default antivirus came on the computer out of the box, and there were no standards for protection. Things like ransomware and malware attacks simply weren’t on the team’s radar; they were too busy tuning their cars to perform well in the Sprint Cup series races.
As crew chief, Winston depends on his computer to store valuable and sensitive information vital to competing in the series.
“It was any information you could possibly imagine, whether it was track set-up information, car chassis information, wind tunnel information, personnel information, or parts information,” he says. “Everything was on my computer and there were spreadsheets I used to determine setups and things like that in the car as we went from racetrack to racetrack.”
When he was confronted by the pop-up box announcing that all of his data and files had been encrypted and he had to pay a ransom, he thought, “This can’t be.” So he tried to open another file. And another. Soon the panic kicked in.
He got four or five of his teammates around the table and they tried to figure out what had happened. After hours of research on ransomware, and faced with losing what they estimated to be $2 million worth of information just a few days before their cars were set to hit the next racetrack, they decided to bite the bullet. Considering that it would have taken the team 1,500 man-hours to recreate the data, they felt paying off the bad guys was their only option.
They found a Bitcoin ATM just a few miles away, loaded up with $500 worth of the digital currency, crossed their fingers and paid the extortionists. After a night sweating it out, the criminals did come through with a decryption key. But the next morning when they tried to apply it, they couldn’t get it to work.
That’s when they went for help to their technical alliance partners at the Richard Childress Racing team, which does have an IT staff. Not only did RCR help them apply the key, but they got Circle Sport-Leavine Family Racing on the path toward future protection by steering them to Malwarebytes and offering best-practice advice on things like backup procedures and establishing standard security setups across all of their computers.
According to Nathan Scott, technical manager for ransomware at Malwarebytes, Winston and his team are not alone in learning about ransomware the hard way. It’s the reason why ransomware is what he calls “the biggest threat of all time” and “technology’s worst nightmare”: there are lots of other anonymous victims out there just like this NASCAR team who bend to the simple but effective extortion.
According to Malwarebytes information, instances of ransomware in exploit kits have increased by about 44% in the last six months alone.
- Crypto Ransomware Officially Eclipses Screen-Blocker Ransomware
- How To Lock Down So Ransomware Doesn’t Lock You Out
- Majority Of SMBs Would Not Pay Ransomware Attacker
Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
Security investments can be viewed as a portfolio. If we think in portfolio terms, we realize that ROI is a backwards-looking measure. What else can we learn from financial planners?
Leading up to today, I’ve talked about clear communication, the difficulty of changing behaviors, the power of myth to distract us, and how letting someone else select metrics for you can be a killer.
So what should the poor security professional do?
Take a page or two from financial planners. If you go talk to a financial planner, they’ll ask you questions that help them get a picture of your financial state, and they’ll help you think about that state in terms of what you can control.
One thing they do is measure your portfolio with a variety of tools. For example, they’ll be able to express your asset-to-debt ratio, what fraction of your assets are higher risk versus lower (stocks versus bonds versus cash), and what portion is liquid or not (public company stock versus private, home ownership). Your portfolio can be measured and assessed in the same way as mine, even though they might be very different, and that’s ok. For example, younger people are usually advised to take more risks than older people, and so have a higher fraction of their investments in stock.
The advice you hear about more risk is a corrupted or perhaps abbreviated version of ‘they should accept higher risk in pursuit of better returns.’ Really, the important part is the pursuit of higher returns, not the acceptance of risk. A similar mistake is often made by businesses talking about risk appetite as if risk is something one should want.
Another thing financial planners will do is focus on what you control: how much you spend, and how much you save. While there are life events to plan for, like buying a house, paying for college, or retirement, they’re events to be planned for by managing your portfolio.
So what exactly should the poor security professional do? Hire a career coach, today! In the current job market, there’s not a lot of reason for a security professional to be poor.
But more seriously, there are important techniques to learn from financial planners about how you plan to protect your organization.
First, focus on what you can control: your controls. The things your organization does to influence risks and outcomes.
Second, look at your entire portfolio of controls. Think about people, process and technology. (It’s cliché for a reason.) Think about all of the ways you invest in security. It’s money spent on products, both purchased and free. You spend money on free products because time is money. You spend money on training. You spend money on compliance, and that often includes huge asks of the rest of the organization: take this training, wait while we reboot, change your password, don’t launch the product until we’ve done the code review.
Third, as you look at your entire portfolio, use a variety of tools to measure it. I have a new favorite, and that’s Sounil Yu’s Cyber Defense Matrix. (Full disclosure, I like it so much I’m building it into my new product, but it’s free and I’m going to talk about the matrix here.)
Over the next few weeks, I’ll talk about “portfolio versus X,” and why I see this approach as one of the most important trends of the next decade.
- Revealing Lessons About Vulnerability Research
- Security Lessons from C-3PO, Former CSO of the Millennium Falcon
- Security Lessons From My Stock Broker
Adam is an entrepreneur, technologist, author and game designer. He’s a member of the BlackHat Review Board, and helped found the CVE and many other things. He’s currently building his fifth startup, focused on improving security effectiveness, and mentors startups as a …
Everyone in the IT security world lives in fear that they may be vulnerable to the next high-profile breach. The list goes on: Target, Home Depot, Sony, and J.P. Morgan in the business sector and OPM and the FDIC in the federal government. There are dozens of other incidents.
Something has to change, and it will ever so slowly.
Guy Bejerano, CEO of SafeBreach, has been going around the world talking about continuous security validation. Rather than reacting to events as they unfold, Bejerano says organizations need to change their mindsets and think of continuously challenging their security defenses and security operations center teams via breach simulations.
Companies besieged by attacks from nation-states and cybercriminals, Bejerano says, need to focus on the latest zero-day threats, understand what the hacker wants to steal, map it to a cyber kill chain, and break the steps in that kill chain.
“Getting into the network is one thing. Actually exfiltrating the data is another and where the damage really takes place,” he says. “By running breach simulations, we can find out how the hacker works and look for the most effective way to stop him from stealing important assets, be it credit card data, Social Security numbers or source code.”
Here are five steps a CISO should take to reduce the advantages that hackers have today:
Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.
How open communication among security execs and analysts, incidents responders, and engineers can help organizations stay on top of the constantly changing threat landscape.
Whether or not you’ve had the pleasure of visiting London, you are no doubt familiar with the famous warning given in the London Underground to “Mind The Gap.” The instruction is one of the most famous in the world, having found its way onto T-shirts, coffee mugs, keychains, and many other products.
In security, we also need to mind the gap. But by that I mean the stark communication and understanding gap that exists in many organizations between the Chief Information Security Officer (CISO) and the operators — analysts, incident responders, engineers – in other words, the team doing the hands-on, day-to-day work.
What I find fascinating about these two distinct vantage points is that while each of them is formed by observing the same security program in the same organization, they reflect a very different perception of reality. This creates a communication and understanding gap between the CISO and the operators that we as a security community need to “mind” in order to ensure our organizations reach their full potential. In other words, the gap itself can often impede a security organization’s progress. I’ve highlighted a few of my thoughts on why minding the gap from both perspectives is so important:
Minding the Gap from the CISO Perspective
Culture: No one wants to be the one to break the news to the CISO that something isn’t working or has failed. But for a CISO to manage risk properly, he or she needs accurate information. The key is for the CISO to create a culture where members of the security organization feel comfortable identifying gaps and shortcomings, as well as potential solutions going forward.
Let’s use the procurement of a multi-million-dollar system that isn’t meeting expectations as an example. Although it can be difficult, the CISO should be open to input around how and why the tool isn’t helping the team succeed and solicit potential solutions that will address the needs of the mission going forward. But how many times in my life have I heard the phrase, “Well, we spent $2M on that system, so it has to work.” That attitude isn’t going to help solve any problems, unfortunately.
Yeah, We Got That: When the CISO asks if a given capability exists, the overwhelming tendency is to say yes. But what if the capability is in its infancy? Or what if the capability has issues or is so immature that it does not mitigate the risk or address the challenges it is intended to? While it may be tempting to check the box, it’s better for the organization’s security posture to be honest. The CISO who pushes his or her team for more granular, detailed, and accurate information will do far better in the long run.
The Oversell: There is a famous quote that “everyone is in sales whether they know it or not.” This also applies to everyone in the security organization who reports to the CISO. Although it may seem advantageous in the near term to overstate or oversell capabilities, in the longer term this introduces risk to the organization by leading the CISO to believe that certain risks are mitigated when, in truth, they may not be. A CISO needs to be aware of this tendency and not reward those who oversell.
Minding the Gap from the Operator Perspective
Prioritize Risk: First and foremost, security is about mitigating, managing, and minimizing risk. The first step to doing this is to understand the risks and threats facing an organization and then prioritize them accordingly. Input to this process comes from intelligence, the board, executives, key stakeholders, and the security team. All inputs need to come together collaboratively with the ultimate goal of mapping out the strategic direction of the security program. This makes it much easier for all sides to see clearly and explicitly where the program is currently and where it needs to go.
Have a Plan: No organization is perfect. When confronted with shortcomings, most CISOs I know would rather be shown a way forward than read a list of complaints. This means having a plan that details what is needed to overcome challenges and build or mature a given capability to where it needs to be. The operator who comes prepared will likely be far more successful in achieving his or her goals.
Maturity Metrics: Rather than “yes, we have that capability” or “no, we don’t have that capability,” how about a matrix showing the maturity of each capability? The CISO’s ultimate goal is to mitigate risk to an acceptable level. I think most people understand that this isn’t a binary metric. A matrix mapping capabilities or initiatives to risks they mitigate and the relative maturity of each one can help the operator communicate the importance of each task, while allowing the CISO to more accurately and precisely evaluate and measure risk.
Turn Reporting on its Head: How many security organizations report the same types of metrics to the CISO each week? We created 400 tickets, re-imaged 50 laptops, saw 15,000 IDS alerts fire, etc. But what does that actually tell the CISO about mitigating risk, about which capabilities do or do not exist, and about what gaps may or may not exist? Take the prioritized list of risks and the associated strategic plan and use them to report metrics relative to that plan. That gives the CISO a much better idea of how the security team is progressing against the strategic plan, and it narrows the gap.
There is no doubt that the CISO and the operator have different perspectives when it comes to security. Minding that gap helps organizations continually mature and stay on top of the constantly changing threat landscape. A good operator will work to communicate issues and challenges honestly and clearly to the CISO. In turn, a good CISO will appreciate the truth, as long as it comes with a plan for how to address any shortcomings. Both sides need to mind the gap and meet in the middle to ensure that a security program reaches its full potential.
Josh is an experienced information security analyst with over a decade of experience building, operating, and running Security Operations Centers (SOCs). Josh currently serves as VP and CTO – Emerging Technologies at FireEye. Until its acquisition by FireEye, Josh served as …