Attacks/Breaches
10/3/2013
09:03 AM
CISO Shares Strategies For Surviving The Inevitability Of Attacks

Loop in application, network teams to help spot threats and attacks before they do harm

NEW YORK, N.Y. -- Interop New York 2013 -- Chief information security officer Jay Leek says that because you can't stop every cyberattack, security teams must double down on smarter detection of threats and attacks rather than the traditional approach of mainly trying to prevent them.


Leek, who is the CISO at financial services and asset management firm Blackstone, says the more you know about your attackers and their M.O., the better chance you have in thwarting any real damage. That entails three main mindset and strategic shifts that security pros need to make, he says, to handle threats and attacks today: better visibility into threats and attacks, better intelligence about them, and a planned response rather than merely reacting to the latest threat, vulnerability, or incident.

"The reality is that bad guys have much more time on their hands than we do," says Leek, who gave a presentation from the CISO's perspective here at Interop yesterday. "If you're focused on prevention and not much on detection, you are flying blind sometimes because you don't necessarily know where you're headed."

Blackstone is adopting what John Pironti, president of IP Architects, says is a prime example of a risk-based model for security -- one where security pros serve as advisers to the business on the real risks facing their firms, rather than as the naysayers they sometimes appear to the business side.

"Security is the output" of what the business' risk profile defines, Pironti says.

Meanwhile, Leek estimates that most organizations spend about 70 percent of their capital, resources, and processes on prevention, but that model is no longer viable in today's threat landscape. "Our programs, generally speaking, largely reflect the vendor landscape" of mainly prevention-based tools, he says. "Why is this? Because it's sexier to sell prevention," he says.

Security teams need to change up their strategy, he says.

1. Better visibility into attacks.
That means investing more in watching what's happening not just on the network, but in the applications as well, Leek says. "You also need visibility into what's happening at the host," he says.

Leek has done this by working with other groups outside of the security team: He has been reaching out to Blackstone's application developers and network teams to assist, he says. "It's not just within the security organization. It's amazing how much your application developers and network guys see."

Leek says this cross-team collaboration can pay off quickly: A network alert from the IT team's SolarWinds product flagged a 2-megabit-per-second connection from Shanghai to Bangkok, he says. "Why the hell did that happen?" he says. "Having this kind of visibility and collaboration" can thwart damage from attacks, he says.

"You can train application people to watch" for threats as well, he says. "I don't have enough people, and I can't find ones to hire, so I'm trying to figure out how to scale my organization outside the traditional security team," he says.

2. Get more in-depth threat and attack intelligence.
Leek says security teams need to gather more useful intelligence. "It's very important that we understand what's happening in our own environment and in the world around us," he says.

At the heart of this more drilled-down approach to threats and attacks is the goal of identifying the type of attacker targeting your organization, he says. "It's very important to understand who the adversary is because this changes the way we respond," Leek says. "You respond differently if you know it's a targeted attack," for example, and not a random one.

If you spot an attack group known for targeting your industry, then that likely means it's going after your intellectual property, according to Leek, so you can lock down accordingly. "Attribution is key," he says.

If you know who's targeting you, you can respond more intelligently and efficiently, he says. If it's just a random cybercrime attack aimed at stealing financial credentials or other information, you can take the infected machine offline and reimage it. "But if the targeted user is an executive [in the company] and the attack is cyberespionage, maybe you don't want to take that machine offline or reimage it right away" so you can track the attacker's movements and glean more intel, he says.

That's how better intelligence can shape your response, he says.

Blackstone also now is patching only for actively exploited vulnerabilities rather than each and every vulnerability out there, Leek says. With some 5,000 new bugs per year exposed, there's no way to keep up, he says. "You're just chasing a number, and you never get to zero," he says.

[Companies need to focus on not just fixing known vulnerabilities, but closing potential attack vectors. See Securing More Vulnerabilities By Patching Less.]

"It used to be a knee-jerk that 'this is high risk.' Now we know there's exploit code [out there] and the adversary is using it," and we patch for it, Leek says.

3. Shift from react to respond.
"Response is planned," Blackstone's Leek says.

A member of his team recently wrote an application that automates the integration of alerts for response and forensics, Leek says. It basically reports on an alert generated by, say, its FireEye system, where that suspicious traffic got through, and which indicators of compromise it includes.

"This is an example of allowing us to automate a lot of processes we have put in place," Leek says. "We're planning for [attacks] to happen. We know it's going to happen."
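The kind of planned response Leek describes (enrich an appliance alert with egress logs to see where the traffic got through and which indicators it carries, then pick a playbook based on attribution and who the victim is) can be sketched in a few dozen lines. This is an added illustration, not Blackstone's application; the alert shape, log format, indicator values, user names and campaign labels are all constructed for the example.

```python
# Added example, not Blackstone's tool: enrich a detection alert with egress
# logs to show where the traffic got through, then choose a planned response
# based on attribution and on who the victim is.

# Constructed sample alert in the shape an IDS/sandbox appliance might emit.
SAMPLE_ALERT = {
    "source": "sandbox-appliance",
    "host": "ws-042",
    "user": "jdoe",
    "campaign": "commodity-banking-trojan",  # constructed attribution label
    "indicators": {"ip": {"203.0.113.7"}, "domain": {"update.example-bad.test"}},
}

# Constructed egress log lines: device, action, then key=value fields.
SAMPLE_LOGS = [
    "fw-edge-1 ALLOW src=ws-042 dst=203.0.113.7 dport=443",
    "proxy-1 BLOCK src=ws-042 url=http://update.example-bad.test/c2",
    "fw-edge-2 ALLOW src=ws-017 dst=198.51.100.9 dport=80",
]

def enrich_alert(alert, log_lines):
    """Return the egress log entries from the alerting host that carry one of
    the alert's indicators, with the device and whether it let them through."""
    iocs = alert["indicators"]["ip"] | alert["indicators"]["domain"]
    hits = []
    for line in log_lines:
        device, action = line.split()[:2]
        fields = dict(f.split("=", 1) for f in line.split()[2:])
        if fields.get("src") != alert["host"]:
            continue  # traffic from some other host; not this alert's story
        matched = [i for i in iocs if i in line]
        if matched:
            hits.append({"device": device, "action": action, "indicators": matched})
    return hits

# Constructed lists standing in for the organisation's own knowledge.
EXECUTIVES = {"cfo", "ceo"}
TARGETED_CAMPAIGNS = {"industry-espionage-group"}

def plan_response(alert, hits):
    """Planned rather than reactive: the same alert maps to a different
    playbook depending on who the adversary is and who the victim is."""
    got_through = any(h["action"] == "ALLOW" for h in hits)
    targeted = alert["campaign"] in TARGETED_CAMPAIGNS
    if targeted and alert["user"] in EXECUTIVES:
        return "monitor-and-collect"     # keep the host up, watch the adversary
    if got_through:
        return "contain-and-reimage"     # commodity infection that beaconed out
    return "close-ticket-verify-block"   # nothing got through; confirm the control held
```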


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Peter Fretty,
User Rank: Apprentice
10/15/2013 | 4:21:36 PM
re: CISO Shares Strategies For Surviving The Inevitability Of Attacks
Great advice. As we all know, it's not a matter of if but when, as people prepare to defend an organization from an attack. Education, including how to address issues after an attack, is such a crucial component of a solid security strategy.

Peter Fretty, IDG blogger working on behalf of Sophos