Is Cybersecurity a technology issue or a business issue? How are Boards reacting to the massive data breaches that are demolishing corporates both financially and reputation-wise? What should a CISO do to manage the deluge of data and devices, half of which are not even visible to him? What’s the new perimeter in the digital age? These and many other such questions are enough to perplex a CISO and other security professionals. While on one side security is a perennial exercise for any corporate, the key is to stop treating security as an afterthought and make it part of business thinking.
Zulfikar Ramzan, Chief Technology Officer, RSA, a Dell Technology Business spoke to Rahul Neel Mani, Editor, dynamicCISO.com on a variety of issues ranging from new threat vectors, to importance of visibility to effective management of incidents as part of business risk.
Below are the excerpts:
DynamicCIO: An information deluge is created by technologies such as IoT, Mobile, AI, and SaaS etc. To detect and respond to incidents in such a scenario require an evolved level of threat intelligence. How can that be dealt with?
Zulfikar Ramzan: The first big thing is to rather not treat incidents in isolation and identify business contexts around those incidents. Look at the potential impact of an incident. E.g. when a server is compromised, the most critical question to ask is what was resided on that server. Did it contain sensitive IP? Was a critical application hosted on it? Or that server just had some PDF of the lunch menu of a cafeteria. Instead of making this distinction, most security pros treat each incident as a major one. A CISO should have the acumen to understanding the severity of an incident and prioritize the response to it.
Not so long ago, I spoke to a CISO who, in his environment, was noticing 3000 incidents/day. He was able to reduce it to almost a dozen in a short time. All you need is a couple of analysts to go through those incidents and prioritize the incident management.
The second key thing is to group the incidents together based on threat intelligence. E.g. In many cases an attack by a threat actor might produce distinct incidents because attacks are not isolated to a particular system. If you can put together these incidents and identify that these were part of one attack, a single analyst can look at those incidents and handle it more efficiently and effectively. By using analytics, you can group these incidents in a meaningful way. It is important to extract the relevant metadata and put intelligence on top of it.
The third key thing is to apply analytical framework to identify the important context of an incident. Lets assume something happened in our environment today and we have an analyst who’ll examine that incident. Could he bring in that additional context to determine if the incident needs to be looked further? That will enable the analyst to spend less time on a given incident and action the remedy faster.
The fourth critical thing is to make it simpler to investigate an incident. The InfoSec organization may get an entry from the log that identifies something malicious and then the analyst has to analyze that. Often, they don’t have the visibility, which causes tremendous delays. If we make it easy for the analyst to truly understand the attack timeline, the investigation can be more seamless and effective. For example, if you see any abnormality in traffic on your network, the most important question to ask is what is generating that traffic. It could be an endpoint device and can be quickly investigated.
In the end, I would say the problem is multifold and therefore these four steps need to be followed absolutely diligently.
DC: Today many unidentified devices enter the corporate networks. These could be IoT devices, virtual servers, cloud instances and so on. There could be many rogue devices too. How do CISOs put controls in such perimeter-less world?
ZR: The notion that we live in a perimeter-less world is true. Enterprises are borderless. In such situation, the identity becomes the new perimeter and is the heart of security. It ensures that only the right people access the right resources at the right time. To be able to control this environment, it is critical to manage identities.
Identity itself is a multi-faceted concept. Typically, when we talk about identity, we talk about access, authentication etc. But it’s also important to understand the identity lifecycle and governance. As organizations morph or people move, there is a need to maintain a consistent notion of identity to ensure their proper usage.
Identity has yet another crucial aspect. People generally don’t want to be burdened by complexity of passwords, multi-factor authentication etc. How do we assure that users move at a rapid pace without compromising the security? Security has now become a business concern.
This means if a CISO has to deal with this landscape, s/he has to be able to articulate and be able to provide the value back to the business. Historically, CISOs were not accountable for or answerable to the business. Their only job was to deal with security threats. Today, the scenario has changed. CISOs have to talk to the board, the CEO, the other members of the executive team. Unfortunately, if a CISO doesn’t speak in the language that business understands, s/he won’t be successful at all. A CEO or Board member doesn’t care about someone exploiting vulnerability and applying an SQL injection to steal the corporate data. All they care about is how that incident will impact the business. It’s CISO’s responsibility to translate the security details into the language of business and risk.
Having said that, achieving this objective is not just about establishing a common language between technical and business folks. To bridge this gap, one has to insure that technology doesn’t operate in silos. Today, in many organizations, security technologies and business risk technologies operate in silos. It is important to look at them in totality to get a better perspective, which in turn will help a CISO in talking to his CEO and other business executives in their language.
DC: Whatever best efforts a CISO makes, s/he is still unable to create an infallible, watertight security strategy. As an expert in security technology, what would you recommend to them?
ZR: If we look at all the high-profile security breaches that have occurred in recent past and analyze what caused the breaches, the causes behind those are mostly simpler ones. For example, unpatched servers being exploited. We’ve been talking about the patches and exploits caused by not patching the systems timely for decades. But we have the same conversations year after year on breaches caused by exploitation of unpatched systems. Why does it occur over and over again?
Here’s my take:
It’s not just about the security of a system. You have to take many factors into account. Suppose I patch a critical system in my environment and the patch fails, and (as a result) the system crashes, I might be denying my customers actual service. On the flipside, if I know that vulnerability is being exploited on a critical system then I better think about patching it rather than leaving it unpatched. CISOs therefore need to take a holistic risk-based view on how to operate in a company and what decision we need to make. A risk-based view makes it easier for the CISO to have conversations with the other C-level execs including the CIO.
The challenge for CISOs is that they are responsible for security but they have no control over applications or the servers. The CIO takes a call on patching those systems. The foremost responsibility of CISO is to prioritize what matters most to the organization. And the most effective way to do this is through a risk-based approach.
Risk has two components: The first component is likelihood – something can happen. The second component is the impact of an incident. The CISO should do this risk analysis and articulate the same to the CIO and seek his attention to those priorities and fixes. Now the CIO has a more focused area to work on and not an open field.
I recently had a conversation with the security architect of one of the world’s largest medical device manufacturing industries. The company manufactures medical devices to be implanted into the human body. If those devices have vulnerability, patching that device might require a surgery on the patient. It has a certain kind of risk associated. It could be anesthetic risk. The patient can die on the operation table due to a complication during the surgery. So, you have to balance the risk. One has to take a conscious call whether or not to fix the vulnerability in the medical device through a surgery. If nobody is exploiting the vulnerability, it’s not worth taking risk. So, as a CISO, one has to see the big picture taking all these factors into account. Some of the actions could be security-oriented, others could be financial-oriented and if you are not considering these implications in totality, as a CISO, you won’t be effective in your job. As I said earlier, security should be considered as a business issue.
DC: It is increasingly becoming difficult to trace the new threat vectors and comply with security norms to mitigate risks. How does the future appear to you in such uncertain times?
The root cause the problem is that everyone is caught up with the advance form of vulnerabilities. They forget that most times it’s the very basic stuff that lets people get through to their systems and networks. You can take care of these low hanging fruits by applying basic intelligence. Question is how do we deal with the more sophisticated threats.
I don’t believe we can prevent those threats from entering our environment. The attackers are mostly aware of what you’re running in those environments. You can get the best antiviruses and firewalls and still there’s no guarantee on intrusions. That’s where visibility becomes the key. If a CISO is able to understand what is happening in his environment, s/he is in a better position to potentially prevent that threat from causing damage. For example, you’re trying to protect a bank from a robbery. The bank robbers don’t aim to rob the bank from the front door but to lead their way to the vault. Think about this from a Cybersecurity perspective. Threat actors aren’t concerned by the intrusion but they are focus on the breach. Those two are different notions. We often talk about intrusion and breach as the same thing but in reality they are not.
Intrusion is how the actor gets in and breach is what they take away in the end. Between the intrusion and breach there is a surprising amount of dwell time and effort for the attacker to find the most critical assets. It literally takes those attackers months before they find something worth stealing from the time they first intrude. That means if you have visibility across the enterprise assets – the network, the endpoints, the cloud – you can begin to understand when are attackers are inside your network with the behavior they exhibit because they invariable leave some trail behind.
If you have the necessary visibility, you can actually identify what has occurred. And if you have good analytics in place, you’ll be able to investigate those incidents very quickly. More fundamentally, by applying visibility, we can really ensure the risk of the breach occurring even though the intrusion has occurred.
We can now augment that in the business context. Rather than trying to monitor everything simultaneously we can now put extra emphasis on identifying attacks and potential threats on the assets that are most critical to the business. For example, if you’re a retailer, your most critical asset is the Point of Sale (POS) terminal. If you see a threat on the POS, you can look at that in more detail. If you look at any of the major breaches occurred in the past at some point, the breached organization had been alerted by one of the security devices. The problem is that alert was like many other alerts, which keep coming time to time. Therefore, it is important to prioritize the alerts that matter the most to business and help your organization to reduce the risk in the most intelligent way not only for the most mundane threats but for also for the most sophisticated threats.