Proactive Cybersecurity: An Exclusive IT Roundtable

Aug. 21, 2014
Because adversaries are constantly finding new ways to attack, organizations must go beyond traditional product-driven approaches

In the ongoing cat-and-mouse game that pits cybersecurity teams against adversaries, will the cat ever gain the upper hand? The answer is yes, but only if those teams dedicate themselves to a new game strategy.

That strategy must combine tools with human collaboration to cultivate an organizational culture of awareness, analytics and remediation. It’s not enough to “buy a bunch of security products,” plug them in and walk away. Instead, risk management requires a continuous cycle of proactive monitoring, identifying, preventing and mitigating – zeroing in on user behaviors, patterns and trends. That’s when the cat “catches” the mouse, before the mouse has a chance to act.

Security Technology Executive magazine gathered four cybersecurity leaders for a roundtable discussion to learn more about creating proactive strategies. The participants are:

  • David Amsler, President & Chief Information Officer, Foreground Security
  • John Pirc, Chief Technology Officer, NSS Labs
  • Feris Rifai, Co-founder and Chief Executive Officer, Bay Dynamics
  • Ken Ammon, Chief Strategy Officer, Xceedium

Security Technology Executive: Industry has heavily invested in IT security. Yet, the breaches aren’t going away. What is the common thread causing organizations to fall short?

Amsler: Security isn’t a product! Throwing money and/or bodies at a problem does not guarantee it will be solved. Some organizations still cling to the outdated notion that signature or rules-based detection and annual audits are sufficient. Security professionals must focus on active threat hunting and advanced detection and defense capabilities. To offer an analogy: Think of the differences between firefighters and police officers. Firefighters sit at the firehouse and wait for the alarm to go off. Police officers patrol the streets looking for incidents. Security professionals have to change their approach from that of the reactive firefighter to the proactive police officer.

Pirc: I agree. We need to get out of the “security best practices” mindset in thinking that deploying a firewall, IDS/IPS and anti-virus is really solving the issue. We should aspire to “cyber resiliency.” This involves the non-interrupted preservation of operations, even under constant attack, while making sure one bad configuration or exploited vulnerability doesn’t spiral into a crippling breach or disruption. All of this starts with good “hygiene,” meaning your deployments are configured correctly and that you have a handle on every asset – laptops, servers, routers/switches, mobile devices, B2B partner connections, remote workers and so forth.

Rifai: Ultimately, we’re saying that CISOs should recognize the limitations of next-generation protection tools. They do serve a purpose, but only to a certain extent. On the positive side, these tools can help fill gaps in security practices. However, the more you learn from these individual tools, the less you know. They are optimized to catch violations in novel and innovative ways. The problem, however, is that they end up unintentionally contributing to the noise. By flagging every policy violation as a potential threat, security teams have thousands, if not hundreds of thousands, of events and alerts to triage on a daily basis. Sifting through the noise to get to alerts that matter requires an analytics-based approach.

STE: How else should security managers’ philosophies and/or technologies adapt?

Rifai: Philosophically speaking, the key is adding the relevant context, including whether the event in question is good or bad, normal or unusual. By applying behavioral analysis and correlating the relevant data for added context, you can isolate the events that require immediate attention based upon meaningful deviations from normal.

Pirc: As for new technologies, we believe managers should explore breach detection and brand protection solutions, and leverage multiple sources for vetting security products, including fact-based testing.

STE: Are organizations devoting too many resources to layered defenses?

Pirc: We think so. We feel that “defense in depth” – layering many different vendor products throughout a network – is a fallacy – and we have actual proof from our testing. We’ve found that common vulnerabilities attracting malware exploits will actually bypass numerous products in the same category, like next-generation firewalls. Many of these same exploits will also bypass other security solution layers, such as different vendors’ intrusion-prevention systems and anti-virus tools. If you keep deploying additional layers, but don’t know what can get through your solutions, the threats will continue. The landscape is changing on a minute-by-minute basis. While the adversary only has to be right once, the security industry and its customers need to be right all the time. Unfortunately, this is the world we live in and that’s why cyber resiliency is a mindset and objective that more organizations must adopt.

Rifai: A strategy solely based upon layered defenses will never match the effectiveness of an analytics-based one. It is not possible to triage 100,000 events per day on an incident-by-incident basis. By analyzing trends, patterns and behaviors, you will address and launch prioritized action on the real threats, while bulk-remediating the rest of the events. This helps separate the signal from the noise, and focus your resources on events that count. In doing so, you provide faster access to your own internal information stuck in silos, and to relevant external information for additional context. You leverage predictive analytics and behavior analysis algorithms with machine learning to unearth the most egregious alerts and the indicators of compromise. And you take prioritized action through a series of logical workflows for conducting multi-tier actions to remediate critical events.

STE: Attacks frequently target end-users via social engineering, often through social media channels. Is the “human factor” being adequately addressed when organizations race to harden their systems against shifting threats?

Pirc: No. Organizations must embrace awareness and continuous education: Don’t use the same passwords for everything. Educate users about not clicking on suspicious links in social media posts, email or shortened URLs. This isn’t an all-encompassing list. It’s just a start.

Amsler: Right. A chain is merely as strong as its weakest link. Even the most sensitive information is accessed by at least someone. If that someone has not been adequately trained to recognize social engineering attacks, even an extremely hardened system can be infiltrated. Many of the most recent compromises have been tracked to either human error, or the manipulation of a human who allowed the compromise to occur.

Ammon: The problem we have is that privileged users essentially broadcast their entitled role through social media and become targets for attackers. For example, it's simple for me to look through my LinkedIn contacts looking for individuals who are "security administrators" or "system administrators." I can target them through spear phishing, hoping I can gain control of their personal machine. Once I'm in, I begin looking for credentials and passwords for their privileged corporate enterprise accounts. The takeaway here is “Enforce Least Privilege.” While you can – and should – strengthen your authentication mechanisms, privileged users left with unbounded entitlements remain at high risk for human error and social engineering attacks.

STE: Organizations are beginning to recognize that, without monitoring and control, even the most basic attacks are becoming exponentially more effective with little effort. How much has the presence of the privileged user complicated this dynamic?

Ammon: Enterprise privileges represent both a technology and human challenge. Risk greatly increases when privileged user behavior isn't monitored and enforced. In many cases, privileged users aren't aware that their actions negatively impact enterprise security. A recent Ponemon study found that 73 percent of privileged users feel empowered to access systems/information, based upon the simple fact that the system permits access. This has always been the case for privileged users. What has changed is the attack landscape and highly targeted methods. Security controls enforcement by policy and post-mortem log analysis is not adequate to address the privileged user insider threat, which is the core weakness exploited by outsiders who are hell-bent on hijacking the privileged users' persona.

STE: Managers have options: They can either launch and run their own cyber security operations centers or they can outsource. What are the basic, practical factors an organization should consider in determining which option – or both – is best for them?

Amsler: The answer depends primarily upon where the organization falls on the information security maturity spectrum. Finding, recruiting and retaining skilled analysts are major problems for all organizations. As a result, they typically do not have the manpower to process and contextualize intelligence feeds throughout their business units and information assets. Even when there is sufficient expertise in-house, it’s often difficult to retain those experts in such a rapidly expanding industry. On the other hand, many managed security service providers offer nothing more than “check box security,” doing minimal – if any – analysis of the alerts they receive. They simply get the alert, call the client and report the issue, which the client doesn’t have the expertise to investigate.

Also, consider the nature of the organization. Some are too high profile to outsource their security operations. Others are so unique that they can’t outsource, because the managed service provider won’t understand their business.

About the Panelists:

John Pirc -- Chief Technology Officer John Pirc is a noted security intelligence and cybercrime expert, an author and a renowned speaker, with more than 15 years of experience across all areas of security. The co-author of two books, “Blackhatonomics: An Inside Look at the Economics of Cybercrime,” and “Cyber Crime and Espionage,” Pirc speaks at top tier security conferences worldwide. John prefers to share his Twitter instead of e-mail (https://twitter.com/jopirc).

David Amsler -- David Amsler is founder of Foreground Security, named by Inc. magazine as one of the nation’s fastest-growing private companies. He oversees the company’s overall customer-centric vision, industry-leading offerings and day-to-day operations. An industry thought leader, Amsler has presented at numerous prestigious conferences, including the Government Forum for Incident Response and Security Teams (GFirst), BlackHat, GovSec and RSA.

Ken Ammon -- A recognized expert in security issues and former NSA employee, Xceedium’s Chief Strategy Officer Ken Ammon has testified before the House Government Reform Committee on vulnerabilities affecting sensitive government information and infrastructure. Ken also has served as an adjunct faculty member at the National Cryptologic School, where he was recognized with the Scientific Achievement Award.

Feris Rifai -- As co-founder and CEO, Feris has been instrumental in launching Bay Dynamics’ solutions into the world’s largest organizations. Feris is an established authority on security, having presented at conferences such as Gartner Security and Risk Management Summit and SINET Innovation Summit, and published in media such as Network World.

Ponemon study referenced above: http://www.trustedcs.com/resources/whitepapers/Ponemon-RaytheonPrivilegedUserAbuseResearchReport.pdf