Attacks/Breaches
10/3/2013
09:03 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

CISO Shares Strategies For Surviving The Inevitability Of Attacks

Loop in application, network teams to help spot threats and attacks before they do harm

NEW YORK, N.Y. -- Interop New York 2013 -- Chief information security officer Jay Leek says today's reality that you can't stop all cyberattacks means security teams must double down on smarter detection of threats and attacks rather than the traditional approach of mainly trying to prevent them.

Click here for more articles from Dark Reading.

Leek, who is the CISO at financial services and asset management firm Blackstone, says the more you know about your attackers and their M.O., the better chance you have in thwarting any real damage. That entails three main mindset and strategic shifts that security pros need to make, he says, to handle threats and attacks today: better visibility into threats and attacks, better intelligence about them, and a planned response rather than merely reacting to the latest threat, vulnerability, or incident.

"The reality is that bad guys have much more time on their hands than we do," says Leek, who gave a presentation from the CISO's perspective here at Interop yesterday. "If you're focused on prevention and not much on detection, you are flying blind sometimes because you don't necessarily know where you're headed."

Blackstone is adopting what John Pironti, president of IP Architects, says is a prime example of a risk-based model for security -- one where security pros serve as advisers to the business on the real risks facing their firms, rather than as the naysayers they sometimes appear to the business side.

"Security is the output" of what the business' risk profile defines, Pironti says.

Meanwhile, Leek estimates that most organizations spend about 70 percent of their capital, resources, and processes on prevention, but that model is no longer viable in today's threat landscape. "Our programs, generally speaking, largely reflect the vendor landscape" of mainly prevention-based tools, he says. "Why is this? Because it's sexier to sell prevention," he says.

Security teams need to change up their strategy, he says.

1. Better visibility into attacks.
That means investing more in watching what's happening not just on the network, but in the applications as well, Leek says. "You also need visibility into what's happening at the host," he says.

Leek has done this by working with other groups outside of the security team: He has been reaching out to Blackstone's application developers and network teams to assist, he says. "It's not just within the security organization. It's amazing how much your application developers and network guys see."

Leek says this cross-team collaboration can pay off quickly: A network alert from its IT team's SolarWinds product discovered a 2-megabit-per-second connection from Shanghai to Bangkok, he says. "Why the hell did that happen?" he says. "Having this kind of visibility and collaboration" can thwart damage from attacks, he says.

"You can train application people to watch" for threats as well, he says. "I don't have enough people, and I can't find ones to hire, so I'm trying to figure out how to scale my organization outside the traditional security team," he says.

2. Get more in-depth threat and attack intelligence.
Leek says security teams need to gather more useful intelligence. "It's very important that we understand what's happening in our own environment and in the world around us," he says.

At the heart of this more drilled-down approach to threats and attacks is the goal of identifying the type of attacker targeting your organization, he says. "It's very important to understand who the adversary is because this changes the way we respond," Leek says. "You respond differently if you know it's a targeted attack," for example, and not a random one.

If you spot an attack group known for targeting your industry, then that likely means it's going after your intellectual property, according to Leak, so you can lock down accordingly. "Attribution is key," he says.

If you know who's targeting you, you can respond more intelligently and efficiently, he says. If it's just a random cybercrime attack aimed at stealing financial credentials or other information, you can take the infected machine offline and reimage it. "But if the targeted user is an executive [in the company] and the attack is cyberespionage, maybe you don't want to take that machine offline or reimage it right away" so you can track the attacker's movements and glean more intel, he says.

That's how better intelligence can shape your response, he says.

Blackstone also now is patching only for actively exploited vulnerabilities rather than each and every vulnerability out there, Leak says. With some 5,000 new bugs per year exposed, there's no way to keep up, he says. "You're just chasing a number, and you never get to zero," he says.

[Companies need to focus on, not just fixing known vulnerabilities, but closing potential attack vectors. See Securing More Vulnerabilities By Patching Less .]

"It used to be a knee-jerk that 'this is high risk.' Now we know there's exploit code [out there] and the adversary is using it," and we patch for it, Leek says.

3. Shift from react to respond.
"Response is planned," Blackstone's Leek says.

A member of his team recently wrote an application that automates the integration of alerts for response and forensics, Leek says. It basically reports on an alert generated by, say, its FireEye system, where that suspicious traffic got through, and which indicators of compromises it includes.

"This is an example of allowing us to automate a lot of processes we have put in place," Leek says. "We're planning for [attacks] to happen. We know it's going to happen."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Peter Fretty
50%
50%
Peter Fretty,
User Rank: Apprentice
10/15/2013 | 4:21:36 PM
re: CISO Shares Strategies For Surviving The Inevitability Of Attacks
Great advice. As we all know its not a matter of if but when as people prepare to defend an organization from an attack. Education including how to address issues after attack is such a crucial component of a solid security strategy.

Peter Fretty, IDG blogger working on behalf of Sophos
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7407
Published: 2014-10-22
Cross-site request forgery (CSRF) vulnerability in the MRBS module for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

CVE-2014-3675
Published: 2014-10-22
Shim allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted DHCPv6 packet.

CVE-2014-3676
Published: 2014-10-22
Heap-based buffer overflow in Shim allows remote attackers to execute arbitrary code via a crafted IPv6 address, related to the "tftp:// DHCPv6 boot option."

CVE-2014-3677
Published: 2014-10-22
Unspecified vulnerability in Shim might allow attackers to execute arbitrary code via a crafted MOK list, which triggers memory corruption.

CVE-2014-3828
Published: 2014-10-22
Multiple SQL injection vulnerabilities in Centreon 2.5.1 and Centreon Enterprise Server 2.2 allow remote attackers to execute arbitrary SQL commands via (1) the index_id parameter to views/graphs/common/makeXML_ListMetrics.php, (2) the sid parameter to views/graphs/GetXmlTree.php, (3) the session_id...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.