Connect to Protect: CSO Thoughts from RSA 2016

The theme of this year’s RSA Conference was “Connect to Protect,” promoting connections among the information security community, IT and other parts of the enterprise, and private and public sectors. It was the 25th annual event, which saw 40,000+ attendees and more than 550 vendors in the expo hall showing off their wares.

Over a number of days, keynotes from industry leaders addressed the need to do something different. Debates focused on the Internet of Things, industrial control systems, encryption, artificial intelligence and machine learning, crowdsourcing, and more, with many reflecting on current industry news.

Here are some of the highlights and themes of the week that particularly interested me:

Innovation Sandbox

In the Innovation Sandbox session, the top 10 finalists competed for the title, with each vendor given three minutes to pitch to a panel of judges why its solution would have the greatest impact on information security in 2016. Phantom won the contest, describing how a typical enterprise runs more than 50 security solutions, none of which interoperate. Phantom's answer to this is an open, orchestrated security platform.

Many vendors were talking about the need for security orchestration and how, in light of the challenge to hire skilled talent, teams need help integrating security tools and workflows. The industry needs to work together to make it easier for security professionals to do their job. The other side to this is the need to consolidate security solutions into a platform and move away from siloed approaches to solving security challenges.

Threat Intelligence

A very big theme that many vendors were talking about was threat intelligence. Whilst not new, it has evolved over the years to the point where many organisations are grappling with what to do with all of the data. We have seen various threat feeds bundled into security solutions, web portals offering the latest security bulletins, indicators published on an ad hoc basis, and vendors trying to establish their own standards rather than aligning with industry- and community-based standards such as STIX and TAXII. Whilst STIX and TAXII have evolved, security solutions and processes have not. Manual effort is still required to feed the data into systems, and raw information typically needs additional processing and analysis before it can be used.

The goal here is to provide as much end-to-end automation as possible: collect the raw information from various sources, normalise the data (no two sources look the same), de-duplicate it, age it out, and, as the final piece, consume it automatically in security solutions. As an industry we need to move away from manual analysis when processing raw information. We need to be able to automate enforcement so that an attack is prevented from taking place, or the attackers are prevented from achieving their objective.
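As an added illustration of the pipeline just described (not code from the original post), the following script collects indicators from two constructed feeds of different shapes (one a simple CSV-style vendor feed, one STIX-style JSON with defanged values), normalises them, de-duplicates them keeping the newest sighting, ages out stale entries, and returns a list ready for automatic enforcement. The feed contents, field names and the 30-day ageing window are assumptions made for the example.

```python
from datetime import datetime, timedelta
import ipaddress
import json
import re

# Constructed sample feeds; values are documentation ranges, not real indicators.
FEED_A = [                       # vendor feed rows: "value,type,last_seen"
    "EXAMPLE-Malicious.test,domain,2016-02-28",
    "192.0.2.10,ip,2016-01-05",
    "198.51.100.7,ipv4,2016-02-27",
]
FEED_B = json.dumps([            # STIX-style JSON with defanged values
    {"pattern": "[domain-name:value = 'example-malicious[.]test']",
     "modified": "2016-03-01T00:00:00Z"},
    {"pattern": "[ipv4-addr:value = '198.51.100[.]7']",
     "modified": "2016-02-01T00:00:00Z"},
    {"pattern": "[ipv4-addr:value = '999.1.1.1']",   # malformed, must be dropped
     "modified": "2016-03-01T00:00:00Z"},
])
PATTERN = re.compile(r"\[(domain-name|ipv4-addr):value = '([^']+)'\]")


def collect():
    """Step 1: collect raw records from both sources into one common shape."""
    recs = []
    for row in FEED_A:
        value, kind, seen = row.split(",")
        recs.append({"value": value, "type": kind,
                     "last_seen": datetime.strptime(seen, "%Y-%m-%d")})
    for obj in json.loads(FEED_B):
        m = PATTERN.match(obj["pattern"])
        if m:
            kind = "domain" if m.group(1) == "domain-name" else "ip"
            seen = datetime.strptime(obj["modified"], "%Y-%m-%dT%H:%M:%SZ")
            recs.append({"value": m.group(2), "type": kind, "last_seen": seen})
    return recs


def normalise(rec):
    """Step 2: refang, lowercase, map type aliases, validate; None if unusable."""
    value = rec["value"].replace("[.]", ".").strip().lower()
    kind = {"ipv4": "ip", "ip": "ip", "domain": "domain"}.get(rec["type"])
    if kind == "ip":
        try:
            ipaddress.IPv4Address(value)   # rejects values such as 999.1.1.1
        except ValueError:
            return None
    elif kind != "domain":
        return None
    return {"value": value, "type": kind, "last_seen": rec["last_seen"]}


def build_blocklist(now_iso, max_age_days=30):
    """Steps 3-5: de-duplicate (keep newest sighting), age out, emit for enforcement."""
    newest = {}
    for rec in filter(None, map(normalise, collect())):
        key = (rec["type"], rec["value"])
        if key not in newest or rec["last_seen"] > newest[key]:
            newest[key] = rec["last_seen"]
    cutoff = datetime.strptime(now_iso, "%Y-%m-%d") - timedelta(days=max_age_days)
    return sorted(k for k, seen in newest.items() if seen >= cutoff)
```

With the sample data and a reference date of 2016-03-02, the duplicate 198.51.100.7 entry collapses to one record, the malformed address is rejected, and the January sighting of 192.0.2.10 is aged out.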

Skillset Shortage

The shortage of skills was mentioned during keynotes and in a lot of the sessions I visited. The continuing rise of successful cyberattacks, together with the growing focus on cybersecurity in businesses today, has created the need for more skilled security professionals. This is an area that is often debated, and RSA was no different: many said that not enough people are entering the field with the required skills, that those skills may not necessarily be taught in formal education, and that they are instead learned on the job. Unlike many other fields, security is not a stand-alone discipline; it is a discipline within the computer field. Treating it otherwise is a mistake.

At the same time, businesses need to learn how to foster these skills, looking at developing new processes and even new operational models. Businesses should have programs in place to identify competent professionals within their own organisation and offer them roles and training that will arm them with the security expertise needed. Rather than simply throwing more people at the security challenges, it is time businesses looked at other ways of building, running and managing security in their environments, and automated as much as they can.

When relating these themes to Asia-Pacific, I see that we are no different to the rest of the world. These are global challenges, and in Asia-Pacific we need to work through them together. Cyber attackers don’t discriminate between industries or geographies. Organisations in Asia-Pacific need to automate as much as possible. We, like every other part of the world, face a skillset shortage. Like many organisations and governments, we are working to solve it through industry funding of security curricula to be taught in higher education and government investment in internship programs, but we also need to think about doing things smarter. Automation is key here. We need to work on preventing attacks, detecting the unknowns, closing the time it takes to turn them into known threats, and providing that timely threat intelligence to everyone else – across all industries in Asia-Pacific.

In keeping with the theme of RSA, we need to connect as many people and businesses together as we can to solve the security challenges facing all of us. Security needs to be a team sport. Collaboration is something we need to continue to do more of across industries and between the public and private sectors. Working in siloes and not sharing what we have learned will only slow us down in our mission: to defend our people, organisations and information.

[Palo Alto Networks Research Center]

Are We Winning the Cyber War? A Look at the State of Cybersecurity in 2016

Who is winning the cyber war—the criminals and hackers or network and system defenders?  ISACA and RSA Conference wanted to answer this question so we conducted the second annual State of Cybersecurity study, which was released today at the RSA Conference.

The data shows us that the answer is a bit unclear. Cyber attacks are still pervasive. We are still experiencing many of the same attack types that have plagued organizations for years. And it is increasingly difficult to hire fully capable cyber-practitioners and others who are part of the enterprise assurance and risk management network. The good news is that executives and board members are very concerned. They recognize that cyber threats are harming the bottom line and that—if they want to deploy leading-edge technologies and offer new technology-based services and products—they need to ensure that security is designed in and that personal information is protected.

One-third of the 461 cyber and information security specialists who participated in the study reported that their organization was a cyber-victim in 2016. While this is a high number in itself, an additional 20 percent did not know whether their organization had been a victim. When asked about the frequency of attacks, the largest group (23 percent) reported experiencing cyber-attacks at least quarterly. The most frequent attacks were phishing, malicious code incidents, physical loss of computing or mobile devices, and hacking. As you might expect, attacks on a daily, weekly or monthly basis were reported less frequently. An alarming trend is that 54 percent of study participants did not know how frequently they experience cyber-incidents. While 73 percent believed they were able to detect and respond to incidents, 42 percent felt they could only do so for simple attacks. In an era of increasingly sophisticated and persistent attacks, being able to identify and respond to attacks is imperative.

Board and executive concern and support for cyber activities are increasing. Eighty-two percent of the security executives and practitioners participating reported that boards are concerned or very concerned about cybersecurity. This is not surprising given the higher level of awareness about cyber in general and the number of high-profile attacks that we have recently seen. Executive support for cyber is essential. We find executive support for enforcing security policy (66 percent) and for providing needed funding (63 percent). The challenge is that less than half of executives follow good security practices themselves (43 percent), and only 59 percent mandate cyber awareness. Cyber is not only a technical problem. Many attacks target the weakest link: executives who do not follow good practices, and employees who are security unaware.

Technical solutions to address cyber threats are getting better. We have all witnessed how technology vendors are enhancing current products. New startup companies are bringing very exciting products to the market. These, however, will not solve the problem alone. More important is the need to address the critical shortage of skilled cyber practitioners. Security executives are finding this difficult. The majority (54 percent) reported that it takes from three to six months to find a candidate. Less than half of these candidates (59 percent) are fully qualified on hire. Slightly more than 60 percent lack the required technical skills. Three quarters do not have the necessary understanding of the business to be effective. Slightly more than 60 percent do not have the needed communication skills. Security will never be effective if new practitioners lack a strong technical understanding, the ability to address cyber-risks in business language, and the ability to communicate security issues clearly and concisely.

While technology will help us meet cyber-challenges, it is also creating new opportunities for compromise. Cyber specialists are concerned about the rapid development of artificial intelligence products as well as the Internet of Things (IoT). We have all seen reports of advanced technologies, including medical devices and self-driving cars being hacked. More than half of those participating in the study are concerned or very concerned about the risk associated with the IoT. Forty-two percent believe that cyber risk associated with artificial intelligence will increase in the short term and 62 percent believe that risk will increase in the long term.

So, are we winning the cyber war? Not yet. We win some battles, but we are still plagued by attack types that have been long standing problems. We may not always be aware that we are being attacked, so we are too often late in responding. We are building our capabilities by deploying good technologies, but we don’t have sufficient skilled staff to bring to the battle. We still have too many leaders who say they support cybersecurity but do not consistently follow best practices or encourage cyber awareness in the enterprise.

To further complicate things, advanced technologies are expected to gain wide acceptance when we are still unsure about the risk they represent. The good news is that the challenges we are experiencing can be solved. We see increased attention to cyber by governments, research institutes and enterprise decision makers. Public awareness is increasing. Programs are being offered to solve the skill shortage. With skills-based training and performance-based testing, we are building the front line defenders and responders capable of engineering strong defenses and aggressive response plans.

Note: For the full survey report and related graphic, visit www.isaca.org/state-of-cybersecurity-2016. Hale will present a webinar on the study results and their implications on 8 March. Registration is open here.

[ISACA Now Blog]

The Need for Encryption Legislation

The current stand-off between Apple and the FBI highlights a growing problem: How do we balance privacy rights with the current patchwork of legislation that has failed to keep pace with the technological advances changing business and society?

For anyone following current events, the ongoing debate displays the need for comprehensive legislation.  Will Apple continue to defy the court order and, in essence, prevent the government from gaining information from a corporate owned device used by a dead terrorist? Is the government prepared to set a precedent and force Apple and other companies to knowingly provide code to make it easier for both US and foreign governments to gain access to corporate or personal data?  The answers to these questions are vitally important to the future of encryption.  As a U.S. citizen, I respect the loss of life and the need to hold those responsible for such horrific acts.  However, as general counsel for an international company, the implications of punching holes in encryption, even to help law enforcement, would be precedent setting.

Now more than ever, consumers are concerned with how their information may be used and collected.  Smartphones carry more information about a person’s life than ever before.  It may contain private conversations, financial accounts, credit cards, health data and even the location of your friends and family.  Smartphones have made it easy to access information quickly and consumers want to ensure that this information is properly protected from unwanted eyes.

Consumers need to have trust in the public and private sectors.  The private sector recognized this need and in response created an ecosystem where individuals hold the key to their data.  This helped reestablish trust that businesses were not collecting and gathering information without their knowledge.  However, governments have been slow to modernize legislation, and now face the question of how to gather information from these encrypted devices when doing so satisfies certain legal requirements.

We cannot fall back to a time without encryption.  Recent data breaches demonstrate the need to secure information.  Encryption helps businesses secure their data on-site or in the cloud, and it protects the public utility infrastructure we use every day.  Private and public sector entities need the technology to protect data against bad actors.

As technology advances, there will be increased public discussion around privacy, encryption and the state’s right to access information.  Both the public and private sector need to further this dialogue to find a middle ground that provides everyone the necessary protection and ability to gather information when needed.  Without this agreement, and proper legislation, the questions being debated will only become more complex.

As a leader in certifying cyber, information, software and infrastructure security professionals worldwide, (ISC)² believes comprehensive legislation is needed to help educate and certify the next generation of security professionals.  This is a real opportunity to learn, and build laws and regulations for the future.  We call on legislators to work with industry, professional bodies, interested parties and law enforcement to define these processes and frameworks so that no organization, individual or law enforcement agency has to repeat this in the future. — Graham Jackson, (ISC)² General Counsel

[(ISC)² Blog]

The Cybersecurity Canon: Advanced Persistent Threat Hacking: The Art and Science of Hacking Any Organization

We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall of Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite.

The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!

Book Review by Canon Committee Member, Dawn-Marie Hutchinson: Advanced Persistent Threat Hacking: The Art and Science of Hacking Any Organization (2014) by Tyler Wrightson

Executive Summary

In Advanced Persistent Threat Hacking, cybersecurity expert Tyler Wrightson reveals the instruments of attack needed to compromise any target in a well-organized and easily digestible format. This book is a must-read for both the technical cyber security professional and the board-level executive seeking to further their understanding of cyber security risks.

Review

The book discusses the strategic issues that make all organizations vulnerable, providing noteworthy empirical evidence and supporting technical detail. Wrightson artfully describes the motives, methodologies and weaknesses that allow an attacker access to an organization, shedding light on both the technical and non-technical methods of hacking. The singular theme of the book is to highlight the relative ease with which an attacker can gain the necessary skill to perpetrate an attack.

Wrightson defines threats, motives and attack methodologies that are arguably foundational components of hacking and as applicable today as they were when we first began combating threats. The unique five-phase tactical approach to advanced persistent threat (APT) hacking is presented with real-world examples and hands-on techniques that are well understood by the ethical hacker community. Wrightson also provides perspectives on the role, strategies, tools and limitations of the penetration tester versus those of the APT actor, explaining why the threat actor is more effective at leveraging what one could argue is the same toolset. This book serves as a strong resource guide for both technical and non-technical audiences in building and defining security programs and strategies.

Wrightson provides empirical data that point to the imbalance of the defensive and offensive maneuvering and the relative costs to both, demonstrating that the attacker has the advantage in almost every circumstance. Enemies assaulting organizations have reduced the cost of attacking so significantly that it requires very few resources, time or skill to compromise an organization. Wrightson goes on to debunk the economic argument behind the goal of impermeability and sets the stage for valuable content surrounding the risk management process. The core competency of a business is not often security, neither is security the key revenue driver; therefore, decisions must be made relative to the cost of controls and the mitigation of risk such that the core business functions are not impaired. This section alone makes the book a must-read for security leadership, executives and boards of directors.

The book’s organization enhances readability for all audiences. Each section provides a high-level business discussion followed by a technological overview, data and examples. Additional, highly developed technical content is available further into the book, allowing the author to take the content deeper and provide additional value for the advanced cybersecurity professional. This broad accessibility of the content enhances its value to the cybersecurity community and provides the greatest value to non-technical stakeholders, who must become conversant in security as a matter of business necessity, and advances the discipline of cybersecurity.

The book creates a common understanding of existing vernacular around advanced persistent threats. By defining the APT by threat class – motive plus capability – the author paints a clear picture of the attacker and, ultimately, illuminates elements of the dark web to enable organizational conversation. The time the author takes to ensure that all readers are operating with the same understanding may be arduous to some, but it solidifies the book’s value as a communication vehicle for a broader audience and, subsequently, enhances future risk management discussions from the board level down.

Conclusion

Advanced Persistent Threat Hacking provided challenging and thought-provoking content in an easily digestible and palatable manner. I liked Wrightson’s approach, the layout of information, and the ways that he challenged existing viewpoints on the subject. I’m recommending this book for the Cybersecurity Canon because I think the vast majority of the strategies, tactics, techniques, tools and attacks defined in this book will remain effective instruments of compromise for the foreseeable future. Establishing the common language of advanced persistent threats and facilitating conversation among a broader audience make this book a must-read for the business executive and cybersecurity professional alike.

[Palo Alto Networks Blog]
