Cybersecurity Automation Squared: Security Automation × Network Automation

In cybersecurity, the concept of automation is provided in two distinct yet complementary areas: network automation and security automation. Network automation simplifies the workflow to deploy and manage security devices. Security automation provides the needed interactions and intelligence to learn, adapt and prevent successful attacks.

There are times in service provider cybersecurity conversations when the descriptors are dropped, and the topic just becomes “automation.” However, based on the audience’s perspective and focus with only the network or security aspects, this may limit complete understanding of the benefits provided when both types of automation are used in tandem.

Network automation and virtualization are coupled to allow for rapid deployment and configuration of devices and applications without slow, error-prone human intervention or purpose-built hardware deployments. Network automation drives the rapid scalability that enables operational benefits from virtualization.

The networking industry continues to transform from purpose-built hardware like routers, switches and firewalls to software-centric models that can leverage general-purpose or mass-market hardware. Network automation is often tossed around in conversations accompanied by acronyms such as SDN (Software-Defined Networking) and NFV (Network Function Virtualization). The key with automation in this environment is the ability to instantiate a virtual system as a piece of the network – that is, to get the system up and running, connected to peers, and ready to move packets – without direct human intervention. Network automation could be applied to internal private networks using VMware, or in public cloud environments such as Amazon Web Services or Microsoft Azure, or with platforms used across public and private deployments, such as OpenStack.

While rapid instantiation of a virtual network function is often good enough for network automation of routing and switching functions, it is only the beginning for security.

Security is a dynamic ecosystem of enforcement, threat analysis, threat feeds and signature updates that allow it to adapt as adversaries leverage previously unknown exploits and malware techniques. This is a world that never sleeps and keeps evolving.

Security automation is the engine that drives this ecosystem. Effective security automation includes automated data collection, analysis, enforcement and feedback.

  • Data collection: Security automation starts in learning mode by pulling files and links from the network for malware indicator analysis, crawling websites, and receiving third-party information about potential threats.
  • Analysis and enforcement: Once indicators of compromise are known, they can be converted to threat signatures, URL categorization and threat feeds. This information can be pushed into enforcement points in the network, primarily next-generation firewalls or endpoint protection applications. All of this is done moment by moment, day after day, with little to no human intervention.
  • Feedback: As enforcement points see attempted attacks, the ecosystem can send alerts, perform dynamic policy updates, quarantine users and devices leveraging network automation, and push out notifications to affected users. The endless feedback loop is only effective when highly automated, without the bottleneck of limited or nonexistent human resources.

Rick Howard, our Chief Security Officer, gives a great perspective on security automation in a March 2017 interview on Federal News Radio. Rick reinforces the idea that manual security techniques will always stay behind automated adversaries and provides insight into how to move to automated security.

As you can see, cybersecurity automation is really “automation squared” for modern preventive security in a virtualized world: network automation to easily instantiate and bring a firewall online and ready for action anywhere in the world; security automation to work against adversaries and continuously try to prevent successful cyberattacks.

Palo Alto Networks partners with managed security service providers to provide effective and differentiated security services that reduce cost and increase average revenue per customer.  For more information, visit our Nextwave Managed Security Service Provider Program.

[Palo Alto Networks Research Center] 

Cloud Security Alliance Announces “Grand Opening” of Its New Third-Party Global Consultancy Program

SEATTLE, WA – June 5, 2017 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment, today announced the launch and immediate availability of the CSA Global Consultancy Program (CSA-GCP). The new professional services program, developed and managed by the CSA, has been established to support the growing global demand from organizations in need of improved cloud security posture and high standards of compliance and assurance. The CSA-GCP is grounded with CSA’s industry-leading and widely accepted best practices in cloud security and is being offered by a highly-vetted, trusted network of organizations and professionals with the first being BH Consulting, KMPG, Optiv and Securosis.

“For many organizations, adopting the cloud can seem like a monumental task, and it can be difficult to know where to begin as there are too many and often too complex series of business and technology decisions that must be understood and weighted,” said Daniele Catteddu, CTO of the CSA. “The Cloud Security Alliance Global Consulting Program has been created with precisely this in mind and supports our ongoing mission of providing best practices and education for secure cloud computing. These first four program providers are among the most trusted and recognized in the industry and bring with them a broad understanding of the challenges organizations face when moving to the cloud. We are excited and fortunate to have them on board.”

The first four providers making up the initial program network are:

BH Consulting is an independent advisory firm, specializing in information security consulting, ISO 27001, cybersecurity, risk assessment, cloud security, incident response, cloud and digital forensics, and training.

KPMG is one of the largest professional services companies in the world, providing audit, tax and advisory services. KPMG works closely with their clients, helping them to mitigate risks and grasp opportunities.

Optiv is a provider of end-to-end cybersecurity solutions to help companies plan, build and run successful cybersecurity programs in any technology environment, whether on premise, cloud or a hybrid of both.

Securosis is an information security research and advisory firm that has the field-tested techniques, frameworks, and programs to be “more” secure in the cloud than in data-centers, without sacrificing agility.

The CSA-GCP will initially focus on consultancy support in the areas of secure cloud design, cloud architectures, secure cloud implementation, cloud information security programs, cloud assessment and compliance, risk management, and cloud security governance. The following CSA best practices will be included as a reference body of knowledge: CSA Security Guidance, Cloud Control Matrix, Consensus Assessment Initiative, Open Certification Framework and STAR Program, Enterprise Architecture, and Software-Defined Perimeter.

Only organizations with a broad understanding of CSA best practices and values are eligible to be recognized as a qualified source of professional services based on CSA best practices. Provider fees for consultancy work are set independently by each authorized partner and are based on the individual program scope and support required. Organizations interested in working with one of the CSA-GCP providers may visit https://cloudsecurityalliance.org/global-consultancy/#_contact.

For more information on the CSA Global Consultancy Program, please visit https://cloudsecurityalliance.org/global-consultancy/.

About Cloud Security Alliance

The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, certification, events and products. CSA’s activities, knowledge and extensive network benefit the entire community impacted by cloud — from providers and customers, to governments, entrepreneurs and the assurance industry — and provide a forum through which diverse parties can work together to create and maintain a trusted cloud ecosystem.

Media Contact

Kari Walker for the CSA
ZAG Communications
703.928.9996
kari@zagcommunications.com

[Cloud Security Alliance Research News]

How to Improve Communication Within Your Technology Team

Few things can stunt the growth of an organization more than a lack of healthy communication. This is especially true in IT departments, where open lines of communication and transparency are paramount to efficiency and output. With that being said, have you considered the topic of internal communications and how you can improve in this area this year?

Prioritizing better internal communications
I’ve worked for a number of different companies in my career and have been exposed to a variety of different workplace styles. I’ve been in large organizations where it’s not uncommon to walk into the cafeteria and hardly recognize any of the faces in the room. I’ve also been a part of small businesses where the team consists of just a handful of people who have been together for a number of years.

What I’ve learned is that internal communications doesn’t have anything to do with size. That’s a misconception that a lot of people have. From my experience, communication was much better in the larger organization I was at than it was in the smaller one, at least in my opinion.

So if the size of the company – or the IT department – doesn’t matter, what does? It all comes down to strategy. If your organization doesn’t make internal communications and open collaboration strategic priorities, then it will fail to reap the rewards associated with these healthy pursuits.

When communication is prioritized within the IT department, everything changes. With one company I worked for years ago, I noticed that the simple act of having a 10-minute morning “powwow” had the benefit of setting the tone for the day. Instead of spending the first couple of hours wandering around and trying to figure out what to do, everyone – myself included – had a clear picture of what we were supposed to be doing.

Another company I recently consulted with was having trouble with work orders. One of the IT guys would see a work order in the system, respond to it, and then find out that it had already been completed by someone else. This sort of inefficiency was killing the department’s productivity. I suggested that they utilize a a system that gives everyone real-time access to work order progress. As soon as they switched, they saw a huge boost in productivity. But on an even more practical level, there was less frustration in the department, and everyone was much happier. In the months since, this satisfaction has led to better overall performance.

Actionable ways to emphasize communication
When it comes to communication in the IT department, you need to approach this challenge from all angles. That means implementing techniques, testing them, and sticking with the ones that work. With that being said, here are a few ideas.

  1. Use the right tools and apps. In today’s business landscape, there’s no excuse for not using some of the numerous tools and resources you have at your disposal. From helpful tools like Slack and DialMyCalls to HipChat and Skype, there are many communication apps designed for the sole purpose of improving internal communications. Identify the ones that can positively impact your business, and proceed from there.
  2. Create an open-door policy. Anyone who’s in a position of leadership within your IT department should be encouraged to have an open-door policy. With an open-door policy, you’re able to show employees that their opinions matter and engage them in effective ways. Two-way feedback is always better than a one-way chain of command. Maintaining an open-door policy is just one way of proving this.
  3. Develop KPIs to evaluate results. How will you know if your efforts to improve internal communications are going well? While you can get some direct feedback from employees, this isn’t always the most quantifiable data. What you really need to do is establish some key performance indicators (KPIs) and track them. This gives you concrete numbers to rely on, and you can gauge long-term performance.

Never settle for average
You may assume that internal communications is all about talking, but this isn’t true. We did a lot of talking, storytelling, and joking in the small business I worked for. However, there simply wasn’t any healthy form of communication that allowed us to do our work better. The fact that we were comfortable being around each other masked this issue.

You may feel as if your IT department’s communication is fine, but fine doesn’t cut it. You must resolve to be better than average and recognize the supreme importance of seamless internal communications.

Anna Johannson, Writer

[ISACA Now Blog]

How to Properly Review and Act Upon SOC Reports

There continues to be a great deal of confusion over the new service organization reporting structure and which reports are the best to obtain. The basic intentions of the reports are as follows:

SOC 1 – Related to Internal Control over Financial Reporting
SOC 2 – Related to testing over the Trust Services Principles of Security, Availability, Processing Integrity, Confidentiality and Privacy
SOC 3 – A simplified report on the same principles in SOC 2 and available for public use

In this article, we won’t go into the details of what report you need to obtain. Here, we’ll help answer the question of what you should be doing once you get the report in your hands. Properly reviewing these reports is an essential part of the vendor management and risk management functions, and should be taken very seriously. You are only as strong as your weakest link, which could indeed be your vendors.

Obtaining the correct report
When obtaining the report, make sure it is the correct one. There are vendors that issue anywhere from one to sometimes more than 30 reports for different areas of their business. To increase the efficiency and effectiveness of your review, ensure you have the correct one. If you are reviewing card issuance procedures, the item processing report will not suffice.

Time period of report
The time period of the report should be reviewed to ensure it covers the needs of the user. Reporting periods vary and often don’t cover full calendar years (i.e. reporting period of October 1, 2016 – September 30, 2017). Make sure the time period meets your needs. If there is a gap between the report and the time period you require for your review, you can obtain what is called a bridge letter (serious investigation should be put into why). Ineffective controls at a key service provider could have serious consequences on your own control environment.

Management’s opinion on the operating effectiveness of the controls
Like the service auditor, management also opines on the operating effectiveness of controls. The same considerations should be taken as were done with the auditor’s opinion. If the two opinions differ, investigation of why should be performed.

Inclusion of control environment in reports
An aspect of reports that may have not been included in the past is description of the service organization’s control environment. This description can provide valuable insights and should be reviewed if present.

Control exceptions
Each report contains a section listing the controls tested and the results of that testing. Any exceptions noted should be investigated for possible impacts on your process. This especially holds true for controls being relied upon.

Vendors who have mature risk management and internal control functions have a minimal amount of exceptions in these reports. If you are seeing a high number, your level of caution should be raised.

User control considerations
Most reports contain a section listing controls that should be in place at the user (your) organization. These sections are typically called User Control Considerations, Complementary User Entity Controls or Description of Client Considerations. These are controls the service organization is assuming you have in place. They may not all be applicable to your business, but this section provides some great insight and may point out gaps in your control structure. Each user control consideration should be reviewed and addressed as applicable.

Subservice providers
Your service providers may be outsourcing part of the service they provide you. This could include hosting, helpdesk and other essential functions. The report you are reviewing should list what activities are outsourced. The term used in the report is most typically “subservice provider.” You should determine if you rely on that subservice and if you need to obtain a report from the subservice provider or perform any other sort of investigative activities. Remember, you are only as strong as your weakest link.

Controls relied upon and reports relied upon
As mentioned before, it is a good idea to keep a running listing of reports and controls you rely upon at your service organization. This will increase the efficiency and effectiveness of your review and will help manage your risk.

Performing your reviews with the proper amount of rigor will ensure you are practicing proper risk management. It is a best practice to create an internal checklist for reviewing the reports to ensure all areas are covered.

We hear stories every week regarding vendor weaknesses resulting in control breakdowns and, in some cases, data breaches. Establishing a proper vendor management program is essential to guard against these threats.

Shane O’Donnell, CISA, CPA, CCSFP, Principal, Chief Audit Executive, The Mako Group

[ISACA Now Blog]

What We Learned From This Month’s European GISWS Report

What is the GISWS?

Since its first release in 2004, the biennial (ISC)²® Global Information Security Workforce Study (GISWS) has been gauging the opinions of information security professionals; and in turn, providing detailed insights into the important trends and opportunities within this increasingly crucial profession.

This year, the study conducted its largest-ever global survey of cybersecurity professionals, with over 19,000 individuals taking part (3,694 of which hailing from Europe), further allowing it to ascertain an even clearer and progressively more complete profile of the information security workforce; with stronger understandings of areas and issues such as pay scales, skills gaps, training requirements, corporate hiring practices, security budgets and career progression. Additionally, the study explored corporate attitudes towards information security; presenting a useful and reflective reference for governments, corporations, hiring managers, as well as information security professionals themselves.

The latest release from GISWS and what this means in Europe

This month sees the third release of data from the Global Information Security Workforce Study 2017: Benchmarking Workforce Capacity and Response to Cyber Risk, which was conducted by Frost & Sullivan for the Center for Cyber Safety and Education, with the support of (ISC)2, Booz Allen Hamilton and Alta Associates; and offers up a deeper exploration of the growing cybersecurity skills gap.

The report revealed a number of interesting findings, including a predicted cybersecurity skills gap for Europe of 350,000 (globally 1.8 million) by 2022, resulting in European organisations planning their fastest rate of cybersecurity hiring in the world – as 38% of surveyed hiring managers in the region admitting they intend to grow their workforce by at least 15% in the coming year. Though, this is despite the fact that two-thirds of organisations have also stated that they currently have too few cybersecurity workers.

While there are strong recruitment targets, a shortage of talent and disincentives to invest in training are contributing to this skills shortage, with 70% of employers around the globe already looking to increase the size of their cybersecurity staff this year.

This demand is set against a broad range of security concerns which continue to develop at pace, with the threat of data exposure clearly identified as today’s top security concern amongst professionals around the world. Concern over data exposure reflects the advent of new regulations aimed at enhancing data protection around the world, including Europe’s General Data Protection Regulation to be in force by May 2018.

This month’s report illustrates a revolving door of scarce, highly paid workers amidst a non-existent unemployment rate of just 1% in Europe. While organisations struggle to retain their staff – 21% of the global workforce stated they had left their jobs in the past year – they are also facing high salary costs, with 33% of the workforce in Europe, in particular, making over $100,000 USD / EUR €95,000 / GBP £78,000 per year.

“The combination of virtually non-existent unemployment, a shortage of workers, the expectation of high salaries and high staff turnover that only increases among younger generations creates both a disincentive to invest in training and development and a conundrum for prospective employers: how to hire and retain talent in such an environment?” states the report.

Recruitment and professional development strategies must change

The lack of professionals entering the industry has a two-fold impact on the profile of the workforce. Not only is it not increasing at a rate fast enough to fill the necessary roles, it has also led to a greying workforce, with just 12% of workers under 35, and 53% over 45. The profession faces a looming skills cliff edge, with the majority of workers getting closer to retirement and companies failing to recruit long-term replacements.

Recommendations by this release suggest that organisations need to adapt their approach to recruitment and draw from a broader pool of talent. This is backed by findings that show that workers with non-computing related backgrounds account for nearly a fifth of the current workforce in Europe, and that they hold positions at every level of practice, with 63% at manager level or above.

As the fastest growing demographic, millennials will be critical to filling this employment gap, but the attitudes must change in order to entice valuable candidates. Recruiters are currently not hiring enough recent university graduates, instead opting for those with more prior experience – 93% of respondents indicated that this is an important factor when making their hiring decisions.

Yet, employers could be doing much more to attract and retain younger people. The study found that millennials value organisation training as well as mentorship and leadership programmes. As a demographic that holds personal development in such high regard, businesses need to be catering to these needs to attract vital young talent.

Undoubtedly, there is a real mismatch between the skills recruiters are looking for and workers’ priorities for developing a successful career, suggesting skills sets may not be keeping pace with requirements. Currently, the top two skills workers are prioritising include cloud computing and security (60%) and risk assessment and management (41%), while employers prioritise looking for communication (66%) and analytical skills (59%). Only 25% and 20% of workers are prioritising communication and analytical skills respectively.

Improving gender diversity

In addition to the widening skills gap, diversity within the workforce remains low. The study also revealed that women form just 7% of the workforce worldwide in Europe; a level that has remained virtually unchanged since 2004. There are also signs of a rampant gender pay gap, with male professionals in Europe earning £9,100 more on average than their female counterparts. This is despite Europe’s female cybersecurity professionals tending to be better educated, with a higher proportion of them occupying managerial positions. In the UK for example, 50% of female cybersecurity professionals hold postgraduate degrees, compared to just 37% of men, with 64% of women in managerial positions compared to 57% of men.

A workplace where women are both paid less and more likely to be subject to discrimination can make it harder to promote such a profession to women. The lack of women also creates a self-perpetuating cycle with few established female role models to encourage the new generation.

But there are clear steps that can be taken to attract more women into cyber, and at the same time address the growing need for more staff. Much like with millennials, employers need to create inclusive work places that support and value women, via sponsorship and mentorship programmes that tie to the success and satisfaction of women at all levels. Equally as important, organisations must end pay inequity, and also draw from a wider set of backgrounds and degrees, including humanities and arts degrees, where there tend to be higher proportions of females.

Fundamentally, this is no longer just an issue of increasing workforce diversity, but an issue of economic and national security. The cybersecurity skills gap is growing wider every time the workforce is surveyed, and governments across the world are recognising that cyberattacks are critical national vulnerabilities. Attracting more millennials and women into the industry would not only significantly help reduce this shortfall in skills, but by diversifying the workforce, it will provide the necessary basis for a safer world, especially in today’s increasingly plugged-in society.

The full report can be downloaded here:http://iamcybersafe.org/GISWS/

[(ISC)² Blog]

English
Exit mobile version