Mike Campfield, Vice President of Security, ExtraHop, offers some advice for CISOs on how they can ensure long-term success.
CISOs are not sergeants. They’re generals. Their job is not to fight battles, it’s to win wars. And yet so often, CISOs are torn away from their strategic roles to fight the everyday battles keeping them from assuming the long-term planning and strategic oversight that the role is made for. When they should be thinking about the future, they’re stuck dealing with the minutiae of the present.
Getting ahead of those smaller fires to tackle the larger blaze will first require a change in thinking. So how do you start getting ready for the long term now?
First, you’ll have to get an idea of where you are now. What can you do well and what do you do poorly? Where do you have visibility and where is the darkspace within your environment? And what could you do to harden your attack surface? Importantly, you should know whether you have an easy way to demonstrate your strengths and weaknesses as well as the ability to show progress.
You must also assess how compliance-fit your organisation is. The General Data Protection Regulation (GDPR) came into effect last year and requires compliant organisations to file comprehensive reports to the local regulator and possibly the data subjects, within 72 hours of a breach. Those who fail to do so may face fines that run higher than €20 million. Figuring out whether you could file that report within the window will be critical to this assessment.
The next question is about how your staff’s effectiveness can improve. Could, for example, better cyberhygiene or monitoring improve your security posture?
Moreover, does your staff have access to the data and the skills they need to do their job? If there are barriers, where can they be demolished? Where data is available, could datasets be more complete or made more intelligible to the people using it?
Identifying places and routines that you can automate will be important. Where staff are doing repetitive tasks, you should consider where scripts, integrations, orchestration tools or ticketing systems can be applied to replace those time-consuming manual activities with policy driven execution.
Finally, you have to get the board – and indeed the whole enterprise – on your side and convince them that these changes really need to be made. The technical specifics of security are still obscure to most, so how can you educate key stakeholders about what you are doing to keep the enterprise secure, and so attain the buy-in, budget and support you need to make real change?
Knowledge is power
Still, none of these stages can be completed without one key component: an understanding of your organisation’s traffic and the interactions of its systems, users and applications.
Getting assistance from outside can help you here. Penetration tests, for example, can help you understand your strengths, weaknesses and, perhaps most importantly, your blind spots. They also provide a great live-fire test for your real-world response goals. This gives you the opportunity to discover, for example, how quickly you’d be able to file a breach report under the GDPR’s 72-hour notification window.
Participating in exercises like this will help staff expand their skills and awareness of security issues. Moreover, it will help bring other parts of the organisation into the discussion, giving them a stake in your long-term security plans. The kind of support you can get from such cross-pollination across the enterprise will strengthen your case when it comes to getting projects approved.
Those external assessments should be supplemented with internally executed monitoring and threat hunting. Automated analysis and ad hoc validation provide not just a way to avoid consultancy fees but a way to catch problems quickly and respond effectively. Moreover, the results can be easily demonstrated to non-specialists with intelligible trending-analysis tools.
Whether they choose to validate externally or internally, many companies are discovering their own darkspaces: areas of their environment which they can’t see into or analyse.
It was darkspace that led to the catastrophic breach of the US government’s Office of Personnel Management in 2015. The post-mortem report, compiled by the US Congress, pointed to a lack of visibility as one of the main causes of the breach. Attackers had lurked undetected inside OPM’s network since 2012. That darkspace is everywhere and is still a leading cause of breaches.
To light up that darkspace, these companies are looking to a new range of Network Traffic Analysis tools which can accurately identify threats, vulnerabilities and attack behaviours, and directly integrate that analysis into SOC workflows.
Any forward plans must have their sights centred on lighting up that darkspace. Plans for the next year must ensure complete coverage and security for the entire enterprise; this includes the capability to see into the long-neglected East-West corridor of internal traffic, and analytics that extend to cloud services, remote sites and encrypted traffic.
Getting a better view of your environment
Real-time analysis of network traffic will give you a full picture of what your environment actually consists of, providing you with a full inventory of assets and putting you most of the way to meeting CIS Control 1: Inventory and Control of Hardware Assets.
This allows you to closely monitor and control your most critical assets such as databases or developer workstations, responding quickly when suspicious behaviour is detected.
That accuracy will vanquish another bugbear of every CISO and SOC: false positives. The average platform supposedly gives out 5,000 alerts a day, wasting the time of experienced security teams as they chase what are too often phantom threats. Real-time monitoring can provide the accurate, contextualised and relevant analysis required to save time, cut down on false positives and maximise the talent, skill and experience of security teams.
Furthermore, such tools can easily replace pricey external encryption audits by gathering data about the strength and type of encryption being used on the network. That information is available not just in real time but can also be published as a regular report.
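As an added illustration (not the author’s or ExtraHop’s code) of the asset inventory and encryption reporting the preceding paragraphs describe, the script below derives both from passively observed connection metadata; the record format, hosts, ports and cipher names are constructed assumptions.

```python
"""Constructed example: derive an asset inventory and an encryption report
from passively observed connection metadata, as the article describes
for network traffic analysis. Record format and sample flows are invented."""
from collections import Counter, defaultdict

# Constructed sample: one record per observed connection (source, destination,
# server port, and TLS parameters if the session was TLS). Not real traffic.
SAMPLE_FLOWS = [
    {"src": "10.0.1.15", "dst": "10.0.2.10", "port": 5432, "tls": None},
    {"src": "10.0.1.15", "dst": "172.16.0.5", "port": 443, "tls": ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256")},
    {"src": "10.0.1.22", "dst": "172.16.0.5", "port": 443, "tls": ("TLSv1.0", "RC4-SHA")},
    {"src": "10.0.1.22", "dst": "10.0.2.10", "port": 5432, "tls": None},
    {"src": "10.0.3.7", "dst": "10.0.2.11", "port": 8443, "tls": ("TLSv1.3", "TLS_AES_256_GCM_SHA384")},
]

# Protocol versions and cipher-suite markers treated as deprecated in this example.
WEAK_VERSIONS = {"SSLv3", "TLSv1.0", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-CBC", "NULL", "EXPORT", "MD5")


def build_inventory(flows):
    """Return {host: sorted list of server ports it was seen serving}.
    Hosts that only initiate connections appear with an empty port list."""
    inventory = defaultdict(set)
    for f in flows:
        inventory[f["src"]]  # touching the key records a client-only host
        inventory[f["dst"]].add(f["port"])
    return {host: sorted(ports) for host, ports in inventory.items()}


def encryption_report(flows):
    """Summarise TLS versions seen and list sessions that used a deprecated
    protocol version or cipher suite, keyed by the server they reached."""
    versions = Counter()
    weak = []
    for f in flows:
        if f["tls"] is None:
            continue  # plaintext or non-TLS session: nothing to grade
        version, cipher = f["tls"]
        versions[version] += 1
        if version in WEAK_VERSIONS or any(m in cipher for m in WEAK_CIPHER_MARKERS):
            weak.append((f["dst"], f["port"], version, cipher))
    return {"versions": dict(versions), "weak_sessions": weak}


if __name__ == "__main__":
    print(build_inventory(SAMPLE_FLOWS))
    print(encryption_report(SAMPLE_FLOWS))
```

Run against a real flow export, the same two functions give the CIS Control 1 style inventory and the recurring encryption report the text mentions, with the weak-session list pointing at the servers to remediate.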
The same goes for monitoring access. When it comes to watching privileged accounts, APIs or sensitive assets, real-time monitoring is far more effective than occasional scans. With real-time monitoring, suspicious behaviour can be detected and quarantined almost immediately, extinguishing fires before they even have time to spread.
Increasingly, malware is written to avoid conventional detection measures. With that in mind, any monitoring platform must be able to spot attack activities which are traditionally hard to identify. However stealthily a piece of malware is written, it won’t be able to outsmart a SOC which can identify attack behaviours like internal reconnaissance, lateral movement, C&C activity and exfiltration.
The SANS Institute considers this lack of visibility to be the number one cloud security issue, so obviously that coverage has to extend to cloud services and third parties. One patch of darkspace can be just the thing an adversary needs to do real damage. Deloitte, one of the ‘big four’ accountancy firms, learnt just that lesson in 2017 when an attacker used an apparently unmonitored cloud-based email platform to hide inside its network for months.
From tactics to strategy
All of this boils down to richer, more intelligible information, and that will make big waves across an entire organisation. It means a clearer idea of what your priorities are and what your next steps should be. It means a faster, more effective response to real threats rather than the false positives that dog so many SOCs. In essence, it means a way to deal more effectively with short-term threats and a long-term strategic view – for everyone – of how best to secure your organisation.
A secure organisation needs buy-in all the way from the top. Playing the long game means that decision makers have better strategies for long-term security success and a better understanding of how security will enable a business’s true goals.