Attacks/Breaches
10/3/2013
09:03 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

CISO Shares Strategies For Surviving The Inevitability Of Attacks

Loop in application, network teams to help spot threats and attacks before they do harm

NEW YORK, N.Y. -- Interop New York 2013 -- Chief information security officer Jay Leek says today's reality that you can't stop all cyberattacks means security teams must double down on smarter detection of threats and attacks rather than the traditional approach of mainly trying to prevent them.

Click here for more articles from Dark Reading.

Leek, who is the CISO at financial services and asset management firm Blackstone, says the more you know about your attackers and their M.O., the better chance you have in thwarting any real damage. That entails three main mindset and strategic shifts that security pros need to make, he says, to handle threats and attacks today: better visibility into threats and attacks, better intelligence about them, and a planned response rather than merely reacting to the latest threat, vulnerability, or incident.

"The reality is that bad guys have much more time on their hands than we do," says Leek, who gave a presentation from the CISO's perspective here at Interop yesterday. "If you're focused on prevention and not much on detection, you are flying blind sometimes because you don't necessarily know where you're headed."

Blackstone is adopting what John Pironti, president of IP Architects, says is a prime example of a risk-based model for security -- one where security pros serve as advisers to the business on the real risks facing their firms, rather than as the naysayers they sometimes appear to the business side.

"Security is the output" of what the business' risk profile defines, Pironti says.

Meanwhile, Leek estimates that most organizations spend about 70 percent of their capital, resources, and processes on prevention, but that model is no longer viable in today's threat landscape. "Our programs, generally speaking, largely reflect the vendor landscape" of mainly prevention-based tools, he says. "Why is this? Because it's sexier to sell prevention," he says.

Security teams need to change up their strategy, he says.

1. Better visibility into attacks.
That means investing more in watching what's happening not just on the network, but in the applications as well, Leek says. "You also need visibility into what's happening at the host," he says.

Leek has done this by working with other groups outside of the security team: He has been reaching out to Blackstone's application developers and network teams to assist, he says. "It's not just within the security organization. It's amazing how much your application developers and network guys see."

Leek says this cross-team collaboration can pay off quickly: A network alert from its IT team's SolarWinds product discovered a 2-megabit-per-second connection from Shanghai to Bangkok, he says. "Why the hell did that happen?" he says. "Having this kind of visibility and collaboration" can thwart damage from attacks, he says.

"You can train application people to watch" for threats as well, he says. "I don't have enough people, and I can't find ones to hire, so I'm trying to figure out how to scale my organization outside the traditional security team," he says.

2. Get more in-depth threat and attack intelligence.
Leek says security teams need to gather more useful intelligence. "It's very important that we understand what's happening in our own environment and in the world around us," he says.

At the heart of this more drilled-down approach to threats and attacks is the goal of identifying the type of attacker targeting your organization, he says. "It's very important to understand who the adversary is because this changes the way we respond," Leek says. "You respond differently if you know it's a targeted attack," for example, and not a random one.

If you spot an attack group known for targeting your industry, then that likely means it's going after your intellectual property, according to Leak, so you can lock down accordingly. "Attribution is key," he says.

If you know who's targeting you, you can respond more intelligently and efficiently, he says. If it's just a random cybercrime attack aimed at stealing financial credentials or other information, you can take the infected machine offline and reimage it. "But if the targeted user is an executive [in the company] and the attack is cyberespionage, maybe you don't want to take that machine offline or reimage it right away" so you can track the attacker's movements and glean more intel, he says.

That's how better intelligence can shape your response, he says.

Blackstone also now is patching only for actively exploited vulnerabilities rather than each and every vulnerability out there, Leak says. With some 5,000 new bugs per year exposed, there's no way to keep up, he says. "You're just chasing a number, and you never get to zero," he says.

[Companies need to focus on, not just fixing known vulnerabilities, but closing potential attack vectors. See Securing More Vulnerabilities By Patching Less .]

"It used to be a knee-jerk that 'this is high risk.' Now we know there's exploit code [out there] and the adversary is using it," and we patch for it, Leek says.

3. Shift from react to respond.
"Response is planned," Blackstone's Leek says.

A member of his team recently wrote an application that automates the integration of alerts for response and forensics, Leek says. It basically reports on an alert generated by, say, its FireEye system, where that suspicious traffic got through, and which indicators of compromises it includes.

"This is an example of allowing us to automate a lot of processes we have put in place," Leek says. "We're planning for [attacks] to happen. We know it's going to happen."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Peter Fretty
50%
50%
Peter Fretty,
User Rank: Apprentice
10/15/2013 | 4:21:36 PM
re: CISO Shares Strategies For Surviving The Inevitability Of Attacks
Great advice. As we all know its not a matter of if but when as people prepare to defend an organization from an attack. Education including how to address issues after attack is such a crucial component of a solid security strategy.

Peter Fretty, IDG blogger working on behalf of Sophos
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2886
Published: 2014-09-18
GKSu 2.0.2, when sudo-mode is not enabled, uses " (double quote) characters in a gksu-run-helper argument, which allows attackers to execute arbitrary commands in certain situations involving an untrusted substring within this argument, as demonstrated by an untrusted filename encountered during ins...

CVE-2014-4352
Published: 2014-09-18
Address Book in Apple iOS before 8 relies on the hardware UID for its encryption key, which makes it easier for physically proximate attackers to obtain sensitive information by obtaining this UID.

CVE-2014-4353
Published: 2014-09-18
Race condition in iMessage in Apple iOS before 8 allows attackers to obtain sensitive information by leveraging the presence of an attachment after the deletion of its parent (1) iMessage or (2) MMS.

CVE-2014-4354
Published: 2014-09-18
Apple iOS before 8 enables Bluetooth during all upgrade actions, which makes it easier for remote attackers to bypass intended access restrictions via a Bluetooth session.

CVE-2014-4356
Published: 2014-09-18
Apple iOS before 8 does not follow the intended configuration setting for text-message preview on the lock screen, which allows physically proximate attackers to obtain sensitive information by reading this screen.

Best of the Web
Dark Reading Radio