Enterprise Security Strategies in Today's Threat Environment
By Mike Convertino, VP and Chief Information Security Officer (CISO), F5 Networks
Contrary to popular belief, the threats that both companies and we as individuals are facing today are more sophisticated than in the past. In the past, the term “script kiddie” was frequently thrown about and it was for good reason: the online hacking tools available could often get by traditional defenses very easily. Though some of those tools have been updated and remain effective, the types of groups and people wielding them today are far better funded and do a far more effective job of targeting the information they want.
For example, spear phishing, or using an email as a lure to get the recipient to click on a link or attachment that infects the user’s machine, has gotten a great deal more sophisticated. Often times now, any malware associated with the attack will only work once or only work with the targeted individual and is transmitted encrypted or so obfuscated that it cannot be detected via traditional packet inspection. Hackers now use social media to obtain good target addresses and spoof sender’s emails that appears to be from trusted contacts. Even the crafting of the text of these emails is now often tailored to the content of the target’s social media profile, mimicking the lingo of the target’s industry. Most often targeted are technology and financial professionals, since these specialties accounts are the most likely to have privileged access to control a company’s network or financial assets, including money transfers.
Ways to raise awareness within your business of the dangers of a successful security intrusion
I use a three step process to get mindshare on the dangers of intrusions:
1. Communicate about the threat–Quarterly threat briefings, frequent heads up emails, and internal social media messaging about the attacks that the company has seen-It is important make people aware that the enterprise is constantly being probed. These communications need to explain to employees about the kind of control that hackers can take of their department’s systems. If workers cannot see the impact that an intrusion will have on their personal work directly, then we have not achieved our goal. Providing a fast way to report suspicious activity that gives the reporter feedback is also important to empowering employees to blunt threats, feel ownership of their role in security, and get more educated on what to look for in their day-to-day work.
2. Train to increase knowledge–For nearly every business; there are corporate compliance requirements that require annual security refresher training. Careful selection of this training for both content and applicability to the business lines within the company is very important. Having everyone in finance take the same security training as engineers does not make sense in the context of their daily jobs and people quickly lose interest.
Hackers use social media to obtain good target addresses and spoof sender’s emails that appears to be from trusted contacts
Whether you select a third party to offer the training online or develop your own, keeping everyone engaged is the key and only way to do that is to take a modular approach that is tailored to each major function at the company.
3. Get senior management support and involvement–It is important to get the participation and backing of leadership in order to effectively communicate and teach about the dangers of intrusions to the company’s bottom line. That starts with security identifying and effectively communicating about threats and related risks to company leadership at the highest levels. Articulating risk to leadership and the Board can be done in many ways, but the desired result is to get the most senior leaders in the company talking about intrusions and the risk they pose to the company.
Right technologies, expertise and coordination is important for shaping security R&D agenda
There is no substitute for starting with strategically acquiring the right talent and expertise with the right connections to the security community. An informed security R&D effort needs to have the right people in order to track both emerging technical and sociological tactics, techniques and procedures of various different attack groups and at the same time, maintain a firm grip on the vulnerabilities of the new technologies that are emerging in IT. Making solid, risk-based decisions about which systems to adopt and which to skip is difficult without the in-depth knowledge of hackers’ tactics as well as the vulnerabilities present in current and new technologies. Beyond that, the security staff should help to educate and coordinate across the company to ensure that the risk decisions and investments made in selecting systems provide the best available protection for the business your company is in.
From direct regulation to indirect influence on negligence suits, the government has taken a big initiative to change network security practices around the country
First and foremost, government can take legislative action to encourage information sharing between private entities by reducing the liability companies face as a result of a hack. Of course, there have to be strong and inviolable privacy protections in place or the privacy risk to our citizens will be too high to bear and there must be stipulations that companies can only get that legal protection if they share relevant information at near real time speeds. Second, the government can have a strong impact on information security by increasing its own basic security research budget and funding private research and development to reinvent the way our information is protected.
Cloud computing, a mission critical part of the enterprise
The biggest thing I have learned is that to be successful in securing the cloud, security has to be an integral part of developing in the cloud. Typically, your own applications written to operate in the cloud through the DevOps process need to be monitored and protected by security-specific features you embed just as you would embed any other functionality you would for your product. Security in DevOps is only way the industry is going to increase trust and adoption of cloud and SaaS solutions from a security perspective. Of course, cloud providers generally have certain capabilities like firewalls and heaps of logging available, but in most cases you still have to figure out how to use those data sources with your own in a way that is scalable and responsive.
Your role as a Chief Security Officer
I have found the role of the CSO/CISO has changed in a few different ways. Certainly attacks have become more frequent, effective and insidious, which have placed a premium on accurate and timely detection and intelligence capabilities like never before. Recent attacks have also gotten the attention of the Board room as well though and that has lead to greater investment in better training, technology and made a larger number of business cycles available to improve the processes and systems needed to provide the security that companies need in today’s threat environment.