Ian FarquharCan CISOs change the balance and momentum in the current threat landscape to their advantage?
To tackle this crucial question, Gigamon hosted the CSO Panel at the RSA Conference 2016. Panelists included Justin Harvey (Cybersecurity CISO, Fidelis), Lance Dubsky (Chief Security Strategist, FireEye), Sean Cordero (Office of the CISO Executive Director, Optiv), James Adair (Security Operations Leader, Verisign) and Simon Gibson (Security Fellow, Gigamon). Bob Bragdon, publisher of the popular CSO Magazine, was our moderator.
Read on for a quick summary of the CSO Panel, or check out the full recording for more.
The discussion ran for over an hour and covered a lot of ground. We began by discussing the perennial issue of zero-day attacks. According to Adair, whether it’s a brand-new zero-day attack or an unpatched three-year-old vulnerability, the key is visibility. Cordero then noted that the ability to detect these attacks depends on establishing a reliable baseline for your network, thereby enabling you to detect aberrations.
Panelists were then asked, “What does steady-state look like?” Dubsky pointed out that as late as 2010, CISOs were making major investments in signature-based technologies. It’s a hard sell, he noted, to go back to the senior executives and say that these tools are now ineffective, and then ask for money to purchase new ones.
Panelists then turned their attention to the “new shiny object syndrome,” defined as the acquisition of security tool after security tool, without the ability to adequately deploy and operationalize them. Dubsky noted that it’s important to differentiate between “nice to have” and “need to have” when selecting new security solutions. Several panelists then chimed in, pointing out customers who own racks or boxes of undeployed security tools, some of which never gets used.
Harvey then noted that there are actually two perimeters to consider: not just the ever-porous network perimeter, but also the device perimeter. He discussed how acceptable use policies, which used to commonly ban corporate data on personal devices, have been gutted by BYOD. Gibson then suggested that the perimeters are actually an “architectural blast radius.”
Harvey went on to note that the “prevent” approach of the last decade is well and truly dead; “detect and respond” is the only viable approach. This does not, however, mean that we should retire all of the traditional prevention technologies, he said, but simply realize that they’re only effective for “known bad” signatures.
According to Harvey, it’s essential that security operations rule out false positives as soon as possible, and automation technologies are a great way to accelerate this process. Only then will SecOps be able to focus on the truly crucial issues.
Gibson then pointed out that reliable good/bad detection is the holy grail of information security, but that relying on humans is not sustainable long-term (According to some reports, INFOSEC has negative 15% unemployment).
As a publisher, Bragdon said he had witnessed a consistent trend in most industries: a consolidation of myriad innovative vendors to a much smaller number of large suppliers selling highly integrated products. Yet in security, he noted, this does not seem to be happening, with the number of security vendors reaching 1,500.
To counter, Harvey said he was seeing many large customers consolidating to two to three suppliers in the network stack, with the driver being hiring the skills needed to manage and operate these tools.
Adair then noted the absolute criticality of APIs, which allow people to integrate tools from different vendors. Gibson took this sentiment one step further, noting that what the industry really needed was a workflow-orchestration platform.
On the subject of threat intelligence, Harvey coined the term “threat intelligence fatigue,” and divided threat intelligence into two categories: tactical and strategic. Tactical threat intel, he says, is the information we receive today, which means that one person somewhere else has seen this attack. Strategic threat intel, he added, was the bigger picture: What threats are out there? Who are they being used against? What is the driver behind the attacks?
Taking on the topical matter of backdoors in crypto, our panel was in violent agreement. Nobody felt that backdoors, government mandated or not, was a good idea. Lance Dubsky quoted the following to summarize the mood perfectly: “The pathway to hell is through a backdoor.”
The panel finally turned to the subject of hiring good INFOSEC staff. Adair said Verisign had focused on building a good place to work, a strategy that should not be overlooked. He also highlighted the value of the “family and friends” network in finding great people. Cordero then added that many companies are listing experience with specific tools in their hiring requirements. This rarely leads to positive outcomes, he concluded. Instead he said Optiv looked for action-oriented, naturally curious, trainable talent.
Dubsky agreed, and said that while pedigree is important, passion is just as essential. Gibson pointed out that the INFOSEC world is very small, and speculated that everyone there was at most one degree of separation from one other. Finally, Dubsky added that it’s not a perfect solution, but that automation really helps.
In sum
So what’s the conclusion? How can we turn the table on attackers?
- Keep your prevention technologies, but focus on the development of an operationalized “detect and respond” architecture
- Visibility of both network and endpoint are essential, with the ability to baseline the “steady state” and detect deviations to identify and investigate attacks
- Rule out false positives as fast as possible, otherwise your OPSEC team will waste too much time tracking them down
- Choose the best tools, but make sure they have an open API so that you can integrate them with your existing systems
- Automation is essential: the more you automate, the less you’re dependent on hard-to-hire staff.
- Focus on workplace and hiring policies to get the best people, keeping in mind that recommendations are often the best way to find great people
All in all, the fight is far from over. But if we continue to put our heads together, we can in fact turn the tables on attackers.
To view a full video of the CSO Panel discussion, please click here.
