CISO Shares Strategies For Surviving The Inevitability Of Attacks

Loop in application, network teams to help spot threats and attacks before they do harm

NEW YORK, N.Y. -- Interop New York 2013 -- Chief information security officer Jay Leek says today's reality that you can't stop all cyberattacks means security teams must double down on smarter detection of threats and attacks rather than the traditional approach of mainly trying to prevent them.

Leek, who is the CISO at financial services and asset management firm Blackstone, says the more you know about your attackers and their M.O., the better chance you have of thwarting any real damage. That entails three main mindset and strategic shifts that security pros need to make, he says, to handle threats and attacks today: better visibility into threats and attacks, better intelligence about them, and a planned response rather than merely reacting to the latest threat, vulnerability, or incident.

"The reality is that bad guys have much more time on their hands than we do," says Leek, who gave a presentation from the CISO's perspective here at Interop yesterday. "If you're focused on prevention and not much on detection, you are flying blind sometimes because you don't necessarily know where you're headed."

Blackstone is adopting what John Pironti, president of IP Architects, says is a prime example of a risk-based model for security -- one where security pros serve as advisers to the business on the real risks facing their firms, rather than as the naysayers they sometimes appear to the business side.

"Security is the output" of what the business' risk profile defines, Pironti says.

Meanwhile, Leek estimates that most organizations spend about 70 percent of their capital, resources, and processes on prevention, but that model is no longer viable in today's threat landscape. "Our programs, generally speaking, largely reflect the vendor landscape" of mainly prevention-based tools, he says. "Why is this? Because it's sexier to sell prevention," he says.

Security teams need to change up their strategy, he says.

1. Better visibility into attacks.
That means investing more in watching what's happening not just on the network, but in the applications as well, Leek says. "You also need visibility into what's happening at the host," he says.

Leek has done this by working with other groups outside of the security team: He has been reaching out to Blackstone's application developers and network teams to assist, he says. "It's not just within the security organization. It's amazing how much your application developers and network guys see."

Leek says this cross-team collaboration can pay off quickly: A network alert from its IT team's SolarWinds product discovered a 2-megabit-per-second connection from Shanghai to Bangkok, he says. "Why the hell did that happen?" he says. "Having this kind of visibility and collaboration" can thwart damage from attacks, he says.

"You can train application people to watch" for threats as well, he says. "I don't have enough people, and I can't find ones to hire, so I'm trying to figure out how to scale my organization outside the traditional security team," he says.

2. Get more in-depth threat and attack intelligence.
Leek says security teams need to gather more useful intelligence. "It's very important that we understand what's happening in our own environment and in the world around us," he says.

At the heart of this more drilled-down approach to threats and attacks is the goal of identifying the type of attacker targeting your organization, he says. "It's very important to understand who the adversary is because this changes the way we respond," Leek says. "You respond differently if you know it's a targeted attack," for example, and not a random one.

If you spot an attack group known for targeting your industry, then that likely means it's going after your intellectual property, according to Leek, so you can lock down accordingly. "Attribution is key," he says.

If you know who's targeting you, you can respond more intelligently and efficiently, he says. If it's just a random cybercrime attack aimed at stealing financial credentials or other information, you can take the infected machine offline and reimage it. "But if the targeted user is an executive [in the company] and the attack is cyberespionage, maybe you don't want to take that machine offline or reimage it right away" so you can track the attacker's movements and glean more intel, he says.

That's how better intelligence can shape your response, he says.

Blackstone also now is patching only for actively exploited vulnerabilities rather than each and every vulnerability out there, Leek says. With some 5,000 new bugs per year exposed, there's no way to keep up, he says. "You're just chasing a number, and you never get to zero," he says.

[Companies need to focus not just on fixing known vulnerabilities, but on closing potential attack vectors. See Securing More Vulnerabilities By Patching Less.]

"It used to be a knee-jerk that 'this is high risk.' Now we know there's exploit code [out there] and the adversary is using it," and we patch for it, Leek says.

3. Shift from react to respond.
"Response is planned," Blackstone's Leek says.

A member of his team recently wrote an application that automates the integration of alerts for response and forensics, Leek says. It basically reports on an alert generated by, say, its FireEye system, whether that suspicious traffic got through, and which indicators of compromise it includes.

"This is an example of allowing us to automate a lot of processes we have put in place," Leek says. "We're planning for [attacks] to happen. We know it's going to happen."
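As an added illustration of the alert-integration application described above (this is not Blackstone's code; the alert fields, the firewall log format and the sample lines are constructed assumptions), the following Python script takes one callback alert, checks the firewall log to see whether the flagged flow was actually allowed out of the network, and collects the alert's indicators of compromise into a single record for the responder:

```python
import re
from ipaddress import ip_address

# Constructed sample alert in the style of a detection appliance's callback
# alert (the field names are assumptions, not any vendor's real schema).
ALERT = {
    "id": "A-1001",
    "src_ip": "10.20.30.40",            # internal workstation that alerted
    "dst_ip": "203.0.113.55",           # external callback address
    "dst_host": "update-check.example.net",
    "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}

# Constructed firewall log lines: did the flagged flow leave the network?
FIREWALL_LOG = [
    "2013-10-02T08:59:12Z action=ALLOW src=10.20.30.40 dst=203.0.113.55 dport=80 bytes=1842",
    "2013-10-02T08:59:14Z action=DENY src=10.20.30.40 dst=203.0.113.55 dport=443 bytes=0",
    "2013-10-02T09:01:03Z action=ALLOW src=10.20.30.41 dst=198.51.100.7 dport=53 bytes=120",
]

FW_RE = re.compile(r"action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def extract_iocs(alert):
    """Normalise the alert's indicators of compromise: external IP, domain, file hash."""
    iocs = {"ips": set(), "domains": set(), "hashes": set()}
    if alert.get("dst_ip"):
        iocs["ips"].add(str(ip_address(alert["dst_ip"])))   # validates the address
    if alert.get("dst_host"):
        iocs["domains"].add(alert["dst_host"].lower())
    if re.fullmatch(r"[0-9a-f]{64}", alert.get("sha256", "")):
        iocs["hashes"].add(alert["sha256"])
    return {k: sorted(v) for k, v in iocs.items()}


def flows_that_got_through(alert, fw_lines):
    """Firewall entries showing the flagged flow was ALLOWed; empty means it was blocked."""
    passed = []
    for line in fw_lines:
        m = FW_RE.search(line)
        if m and m["src"] == alert["src_ip"] and m["dst"] == alert["dst_ip"] and m["action"] == "ALLOW":
            passed.append(int(m["dport"]))
    return passed


def build_response_report(alert, fw_lines):
    """The enrichment record handed to response and forensics for one alert."""
    ports = flows_that_got_through(alert, fw_lines)
    return {
        "alert_id": alert["id"],
        "got_through": bool(ports),
        "allowed_ports": ports,
        "iocs": extract_iocs(alert),
        "next_step": "escalate to responder" if ports else "verify block held, watch for retries",
    }
```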

Kelly Jackson Higgins is Executive Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Peter Fretty
10/15/2013 | 4:21:36 PM
re: CISO Shares Strategies For Surviving The Inevitability Of Attacks
Great advice. As we all know, it's not a matter of if but when as people prepare to defend an organization from an attack. Education, including how to address issues after an attack, is such a crucial component of a solid security strategy.

Peter Fretty, IDG blogger working on behalf of Sophos