We all want to protect our customer and employee data, but as the threat landscape changes and the publicly disclosed data breaches get increasingly larger, our approach may need to change. What constitutes "state of the art" information security in 2016?
It’s tempting to create a listicle of 10 shiny new security tools that will save your bacon, but they won’t. Target had an expensive tool to help protect it, and the company failed to pick up on its warning signals – perhaps because of the large volume of alerts it received, as has been suggested.
Data security isn’t just about tools any more, if it ever was. The latest Unified Threat Management appliance or Intrusion Prevention System may well be helpful, but it goes far beyond that. Effective security has to be more foundational, baked into everything that a company does.
We can sum up the state of the art simply: it’s about moving beyond ad hoc firefighting and playing a longer, more carefully planned game in which you know what your attacker is thinking, and what to do about it. But what does that look like, and how can you build a team that will really make that happen?
Fleshing out your core team
You’ll need a new set of skills to evolve beyond games of security whack-a-mole. A lot will still rest on security staff with operational technical expertise, but they won’t cut it on their own. The skill set has to be broader, and deeper.
Breadth means building out a wider array of technical skills. Most firms can configure firewalls and routers. Not as many can properly mine and interpret data from firewalls, servers and email logs to look for emerging attack patterns. Companies might know how to size relational database tables properly, but may then find it hard to create a list of datasets spread throughout the organization, ranked by sensitivity. Maybe you’ll want to start door rattling your own software and infrastructure with some penetration testers, or thinking like an attacker and engaging in some red team/blue team exercises. Technology skills like these will help to support a longer-term security strategy.
Strategic thinking is where you need depth in your security skill set, complementing the operational technology skills with business expertise. If no one in your organization properly understands how to conduct a cybersecurity risk analysis in different departments, then it’s going to be hard getting the visibility that you need into emerging threats, and you’ll be stuck at the ad hoc "see it, hunt it, kill it" stage.
Reaching out beyond your core team
Risk analysis can seem as simple as drawing a matrix with potential threats on one axis, and department or process on the other, so that you can graph the probability and impact of each risk. In practice, the risks affect different parts of the organization, managed by different people. Someone closer to that process understands better than you do what a security compromise would mean in their own operation, and how much it would cost them.
Finding those people and making them part of an extended security team is a key piece of the puzzle. Your core security team, with its strategists and technologists, needs these links to key business executives to push this security culture into the rest of the organization.
Those business executives form an extended team, which you can think of as a concentric circle around your core security employees. They may come from departments as diverse as legal, HR, sales, marketing, and warehousing.
This doesn’t necessarily mean that companies should roll different types of security into one function, warned John Pescatore, former Gartner analyst and now director of security education and awareness organization the SANS Institute.
“The biggest security risks are related to IT,” he said. “Some firms have tried having someone own physical, personnel and cybersecurity. That has almost never worked well.”
Instead, your information security team will continue to focus on protecting your data as it collaborates with other business departments, rather than handling other kinds of corporate risk.
Getting help from business managers
Aside from risk analysis, there will be several IT-related projects foundational enough to need substantial help from business leaders. Identity and access management is a good example.
“What we see in many corporations around the world is that roles and responsibilities are not properly maintained,” said David Burg, global cybersecurity leader at PwC. “They likely don’t even have the right level of rigor or granularity associated with them to create the kind of controlled environment that you must have to do the kinds of things that we’re talking about.”
Employees should only have access to the functions and data that they need, which means that their privileges must be properly recorded and linked to access management controls. That could make it less likely that a relatively low-level employee could steal significant data, for example, as happened at Morgan Stanley recently.
That kind of mapping is something the IT department needs help with. Understanding what privileges particular staff members need will naturally involve discussions with the business.
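The review that the mapping above makes possible can be automated once roles and grants are recorded. The following is an added example, not code from the article or from any vendor mentioned in it: the role catalogue, the user-to-role table and the access grants are constructed sample data, and in practice they would be exported from the HR system and the identity and access management store. It reports users holding entitlements outside their recorded role, users with no role at all, and grants for identities that HR does not know about, and it also returns the share of users whose access exactly matches their role, the sort of configuration metric discussed later in the piece.

```python
"""Least-privilege entitlement review over constructed sample data (added example)."""

# Constructed role catalogue: which entitlements each business role is meant to carry.
ROLE_ENTITLEMENTS = {
    "warehouse-clerk": {"wms:read", "wms:pick"},
    "sales-rep": {"crm:read", "crm:write-own"},
    "finance-analyst": {"erp:read", "erp:report"},
}

# Constructed HR view: recorded role per employee (None = employee known, role never set).
USER_ROLES = {
    "alice": "sales-rep",
    "bob": "warehouse-clerk",
    "carol": "finance-analyst",
    "dave": None,
}

# Constructed export from the access management store: what each identity can actually do.
ACTUAL_GRANTS = {
    "alice": {"crm:read", "crm:write-own", "erp:read"},       # erp:read is outside her role
    "bob": {"wms:read", "wms:pick"},                          # exactly matches the role
    "carol": {"erp:read", "erp:report", "crm:read", "wms:pick"},
    "dave": {"erp:report"},                                   # employee with no recorded role
    "erin": {"crm:read"},                                     # grants for an identity HR does not list
}


def review_entitlements(role_entitlements, user_roles, actual_grants):
    """Return one finding per identity whose grants cannot be justified by a recorded role."""
    findings = []
    for user, grants in sorted(actual_grants.items()):
        if user not in user_roles:
            # Access exists for someone HR has no record of: orphaned or shared account.
            findings.append({"user": user, "issue": "unknown-user", "excess": sorted(grants)})
            continue
        role = user_roles[user]
        if role is None:
            # Nothing to compare against, so every grant is unjustified until a role is set.
            findings.append({"user": user, "issue": "no-role", "excess": sorted(grants)})
            continue
        excess = grants - role_entitlements[role]
        if excess:
            findings.append({"user": user, "issue": "excess", "excess": sorted(excess)})
    return findings


def properly_configured_share(role_entitlements, user_roles, actual_grants):
    """Fraction of identities whose grants exactly equal their role's entitlements."""
    total = len(actual_grants)
    ok = sum(
        1
        for user, grants in actual_grants.items()
        if user_roles.get(user) is not None and grants == role_entitlements[user_roles[user]]
    )
    return ok / total if total else 0.0


if __name__ == "__main__":
    for finding in review_entitlements(ROLE_ENTITLEMENTS, USER_ROLES, ACTUAL_GRANTS):
        print(f"{finding['user']:<6} {finding['issue']:<12} {', '.join(finding['excess'])}")
    share = properly_configured_share(ROLE_ENTITLEMENTS, USER_ROLES, ACTUAL_GRANTS)
    print(f"identities matching their role exactly: {share:.0%}")
```

Run quarter on quarter, the returned share is the kind of number the IT department can put in front of the business owners who approve the roles, and each finding is a concrete conversation to have with the manager of that department rather than an abstract policy goal.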
When tools are useful
State of the art security may not be about shiny boxes, but there’s no doubt that some tools will help to prevent potential breaches, both from insiders and outsiders. You just need the right people to use them. Monitoring for insider threats is a good example.
“There are some extremely innovative young companies with solutions targeting this space that allow for dynamic, unobtrusive monitoring along with the ability to detect out of pattern behaviour which can be investigated,” said Steve Durbin, managing director of the Information Security Forum (ISF).
While we’re discussing tools, it’s worth mentioning authentication. In a state-of-the-art information security environment, the password would not exist. It’s time to put a wooden stake through its heart. There are expensive alternatives – Windows Hello, which uses a RealSense camera to visually authenticate users, springs to mind, and Intel just announced plans to embed security credentials directly onto its vPro chips – but those will be prohibitively expensive for some.
Multi-factor authentication is a no-brainer, though. Even using out-of-band confirmation via a mobile phone will be better than persuading someone not to use a daft password, or write a strong one down in their little book of passwords, or share their colleague’s log-in credentials.
Measure it to manage it
While the new, improved security team works with the business on some foundational projects, there’s another activity that should be top of mind. In a cutting-edge security operation, the strategic team will call upon the technical skills at their disposal to help them with some big picture thinking. Security analytics will be a key piece in this puzzle. Tomorrow’s security operation will be data-driven.
The analytics picture breaks down into two broad areas: operations, and performance.
Operational analytics is an evolution from security information and event management (SIEM), and enables security teams to crunch security data from varying sources to identify emerging threats. Pulling data out of SIEM tools and various logs into a full-featured reporting tool can yield some valuable information.
Collating different types of operational data, such as user behaviour information, network flow data, email metadata and endpoint activity, can help to identify immediate threats, and also the mid- to long-term patterns that could indicate an ongoing attack. This takes some decent data science, which is another technical skill that a forward-thinking team will have under its belt.
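What collating those sources looks like in code, as an added example rather than anything from the article or a SIEM vendor: the log lines below are constructed, and the "timestamp source key=value" layout is an assumption about what the log pipeline has normalised them to. Authentication, endpoint and network flow events are joined on user and host to surface an immediate pattern (a login followed within the hour by an archiving tool and a large outbound transfer from the same host), while a second pass counts successful after-hours logins per user across several days, the kind of slower-moving pattern that no single event would trip.

```python
"""Correlate auth, endpoint and flow logs to surface short- and long-term patterns (added example)."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log lines, not real data. Addresses are documentation ranges.
SAMPLE_LOGS = """
2016-03-01T08:55:10Z auth user=bob src=10.0.5.40 result=success
2016-03-01T09:02:11Z auth user=alice src=10.0.5.12 result=success
2016-03-01T09:15:03Z endpoint host=10.0.5.12 user=alice proc=7z.exe
2016-03-01T09:20:40Z flow src=10.0.5.12 dst=203.0.113.7 bytes_out=52000000
2016-03-01T09:25:00Z flow src=10.0.5.40 dst=198.51.100.3 bytes_out=1200
2016-03-02T23:10:00Z auth user=alice src=10.0.5.12 result=success
2016-03-03T23:40:00Z auth user=alice src=10.0.5.12 result=success
2016-03-04T22:58:00Z auth user=alice src=10.0.5.12 result=success
2016-03-04T23:05:00Z auth user=carol src=10.0.5.77 result=failure
""".strip().splitlines()

# Assumed watchlist of archiving tools that often precede bulk data movement.
STAGING_TOOLS = {"7z.exe", "rar.exe", "winzip.exe"}
EXFIL_BYTES = 10_000_000          # assumed threshold for a single-host outbound transfer
WINDOW = timedelta(minutes=60)    # how long after a login the staging/transfer must occur


def parse_line(line):
    """Turn 'ts source k=v k=v' into a dict with a datetime timestamp."""
    ts, source, *pairs = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "source": source}
    for pair in pairs:
        key, value = pair.split("=", 1)
        event[key] = value
    return event


def load_events(lines=SAMPLE_LOGS):
    return [parse_line(line) for line in lines]


def find_staging_and_exfil(events):
    """Immediate pattern: login, then archiver on the same host, then a large outbound flow."""
    logins = [e for e in events if e["source"] == "auth" and e["result"] == "success"]
    endpoint = [e for e in events if e["source"] == "endpoint"]
    flows = [e for e in events if e["source"] == "flow"]
    alerts = []
    for login in logins:
        host, start, end = login["src"], login["ts"], login["ts"] + WINDOW
        staged = [
            e for e in endpoint
            if e["host"] == host and e["user"] == login["user"]
            and e["proc"] in STAGING_TOOLS and start <= e["ts"] <= end
        ]
        big_flows = [
            f for f in flows
            if f["src"] == host and int(f["bytes_out"]) >= EXFIL_BYTES and start <= f["ts"] <= end
        ]
        if staged and big_flows:
            alerts.append({
                "user": login["user"],
                "host": host,
                "login": login["ts"],
                "bytes_out": sum(int(f["bytes_out"]) for f in big_flows),
                "dst": sorted({f["dst"] for f in big_flows}),
            })
    return alerts


def after_hours_logins(events, start_hour=20, end_hour=6, min_count=3):
    """Longer-term pattern: users with repeated successful logins outside working hours."""
    counts = Counter()
    for e in events:
        if e["source"] == "auth" and e["result"] == "success":
            hour = e["ts"].hour
            if hour >= start_hour or hour < end_hour:
                counts[e["user"]] += 1
    return {user: n for user, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    events = load_events()
    for alert in find_staging_and_exfil(events):
        print(f"possible staging and exfiltration: {alert}")
    for user, n in after_hours_logins(events).items():
        print(f"{user}: {n} after-hours logins in the sample period")
```

Neither rule is conclusive on its own; an archiver running at 09:15 is normal on most desks, and a sales rep may simply work late. The value comes from the join across sources, and the thresholds and watchlist are the knobs a team would tune against its own baseline rather than copy from here.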
On the performance side, analytics tools can help security teams to answer questions about what is and isn’t performing well, which can guide policy decisions. Examples include implementation metrics (what proportion of information systems have properly configured access controls compared to last quarter?).
Other measurements may focus on effectiveness. What percentage of enterprise applications have up-to-date patches applied? What proportion of these are considered mission critical? Robust performance metrics could surface that data.
The truly savvy organization may even be able to map these performance figures directly to financial data, enabling them to work out which of their investment dollars are working hardest, and what line items can slip further down the budget. So it’s a path to accountability, albeit one that relatively few firms have started down.
Extending outside the business
The final part of any state of the art information security system is an awareness of the world around you. Organizations can find strength in numbers, and that typically involves sharing information. This is a nascent trend that is still evolving, but it’s an important one.
Sharing information about exploits, attack patterns, and vulnerabilities with industry peers can help to protect the pack. We’re seeing some promising signs here. Companies in the US are collaborating on a sector-by-sector basis via Information Sharing and Analysis Centers (ISACs). These organizations create private, safe spaces for organizations to warn each other, and are operating in sectors like finance and retail.
There are other initiatives that can help organizations to share information about their security events. Facebook’s ThreatExchange is another venture designed to encourage information sharing in the cybersecurity space. There are also now languages to formalize the sharing of some kinds of cybersecurity event information. Verizon’s Veris is a good example.
A long way to go
This all sounds very utopian, but it’s a difficult journey, with many obstacles in the way. Getting the budget and the political buy-in to manage this kind of transformation will be an uphill struggle, and finding or developing these skills won’t be easy. Information sharing alone is a political and legal minefield. But remember, we’re talking about cutting edge information security here, not established modes of operation.
You only have to look at top-headline hacks to see how far behind we are. So many of the mistakes that crop up in the headlines stem from systemic problems that should have been solved years ago in theory. We’ve seen companies like Target suffer because attackers were able to enter via a third-party contractor and move laterally throughout the network. Companies are still getting pwned by malware exploiting vulnerabilities that are years old.
Before we can evolve beyond basic firefighting, we need to think carefully about formalizing the basic stuff like application whitelisting and patch management. With these things still often done manually, there are plenty of loopholes for the average attacker to walk through – and they don’t need any cutting edges to rip a giant hole in the network. ®