December 21, 2017 • Elias Ladopoulos
So much attention is given these days to the tools and technology surrounding sophisticated attacks by APT actors, and to financially motivated operations by criminal hackers. Unfortunately, it’s very easy to fall into a kind of myopic view of cybersecurity — one that heavily embraces the sexier “cyber” elements in lieu of the not-so-sexy (even mundane) practical components of an information security program. As a former hacker and CISO (chief information security officer) myself, I hope this blog post serves as a balanced dose of each, one that can lead you toward building a fully integrated and vastly more effective security program for your organization.
Before we begin, let’s flash back to the early days of “information security” (as we called it then), to give you a perspective on where we’ve been, and how things have changed in the world of the CISO today.
As long as 20 years ago, the title of CISO surfaced to describe the authoritative figure whose role was to secure the systems and information of an enterprise, where the assets consisted of the servers, workstations, networks, and databases that supported the applications by which organizations thrived. The concept of application security was relatively new and was essentially ignored (sadly, this is still an underserved area today). The common threat actors generally fell into one of four categories: insiders, corporate spies, small-scale criminals, and generic, nameless “hackers.”
This was a period with limited public vulnerability research and exploit development, from a much smaller universe of hackers and researchers, in comparison to today. Denial of service (DoS) presented the greatest threat from hackers at the time, corporate espionage was rare, and the number of exposed surfaces was manageable, given a reasonable budget. It was generally sufficient for a CISO to establish strong corporate policies, build a strong perimeter defense with firewalls and router ACLs, implement antivirus, monitor a network IDS, and run a web scanner from time to time. Boy, do I miss those days.
Today, the number of threat actors we face has grown to also include APTs, nation states, organized crime, terrorists, hacktivists, and more. While the threat of DoS has diminished greatly, new threats now include bulk data theft, large-scale financial theft, ransomware-based extortion, personal defamation, and corporate blackmail. The criminal underground has also matured into a fast-growing cybercrime ecosystem, replete with successful serial entrepreneurs, startups, on-demand services, and markets. Individual payoffs are now reaching millions of dollars, and eventually will reach ten times that. There doesn’t seem to be an end to the progress, given the growing technological footprint of devices (mobile, IoT) and the increasing rewards. Add to this the fact that the exploit development cycle has shortened and the sophistication of hacking tools has increased … this is going to be a long war.
From where CISOs sit, risk exposure increases in proportion to the number of new business initiatives and the supporting technical infrastructure in play. Their resources are relatively inelastic (e.g., security talent, security infrastructure), and they have little time given the number of exposed surfaces that need protection. Meanwhile, their adversaries are in a much better position, with a lower barrier to entry (getting lower every day) and a near-infinite amount of time to spend on a problem, with little to lose other than opportunity cost.
So what is a CISO to do?
First, I suggest you learn to get comfortable accepting risk. Set your love of everything technical aside, and embrace probability theory instead. The truth is there’s no binary outcome in store for you — it’s not a “keep them out, or else they get in” scenario. It’s more like you’re sitting on a continuum of risk, where you’ll experience different levels of pain based on how you allocate your time and resources. This is an economic problem — not a technical one.
In this “game” of competing resources, you need to act strategically to quickly gain leverage. Very rarely does blindly adding new technology help the situation — it usually just sucks up resources and time, adds to your budget, and leads to more “stuff” to implement, manage, and monitor (i.e., overhead). That’s not to say these tools are valueless, but they are tactical solutions to a growing gap between you and your adversaries. You can’t get ahead of the game by throwing money at playing defense all the time!
Let’s look at more specific tips on how to become an evolved CISO.
1. Take an enterprise “asset management” approach by implementing the following steps:
2. Place immediate focus on developing strategic assets: for example, vulnerability research, threat intelligence, deception technology, pen-testing, code review, and data management tools that will increase efficiency at the security operations center (SOC).
3. Stop being insular. Develop a strong relationship with the business units, and prioritize resources based on the risk to each line of business (by revenue, brand importance, etc.). Together, identify any non-technical processes that add cost for attackers at the application or service level. Recently, for example, a large-scale SWIFT transfer at Union Bank of India was prevented via manual controls, not technical ones. In fact, the technical sophistication of the hack itself is what exposed the illegitimate transfers during the bank’s pre-established reconciliation process.
4. Refine your incident response processes so that they are ranked by priority and as simple as possible to follow; that will get you a Pareto win (e.g., stop the bleeding) as soon as possible. Minimize the number of decisions to be made during a crisis. Assign case managers to consolidate information and manage interactions with all parties in the rest of the organization (and with external parties: regulators, investigators, partners, etc.). The UBI case also reportedly excelled in this area, which greatly isolated the damage within a short timeframe.
5. Run playbooks everywhere. Operationalize and automate as much as possible.
6. Combine technical and non-technical threat intelligence. If the vast majority of your team is looking at IPs and hashes, you will not win this game — you’ll be stuck playing catch-up forever. You need to spend calories identifying TTPs, profiling threat actors, and researching the vulnerabilities and tools out there that threaten your enterprise.
7. Repeat this mantra to yourself every day: “I will not invest in technology unless it offers leverage and long-run efficiency.” Period.
8. Balance your team with technically sophisticated engineers and technically sophisticated analysts. You need both.
9. Invest in training — for your team AND the rest of the organization you protect. Phishing and social engineering remain the lowest-hanging fruits for an attacker.
10. And finally, provide regular and extensive reporting to key stakeholders within your organization (especially business unit managers and executives), as well as to clients and partners. One of the frustrations I often hear from CISOs is that they are sometimes perceived either as policy pushers or as glorified IT managers. It can be a thankless job, especially if you’re not communicating value to the world outside your organization — particularly to those who drive business revenue directly. It’s a necessary evil.
Remember, this is a game with many players and many rich targets. Hopefully, as you evolve into CISO 2.0, most of those targets will be easier and more desirable than yours. As the old joke goes …
A bear jumps out of a bush and starts chasing two hikers.
One of them stops to put on his running shoes.
His friend says, “What are you doing? You can’t outrun a bear!”
The first hiker replies, “I don’t have to outrun the bear; I only have to outrun you!”